Chapter 11 - Trojans & Other Attacks

Question 1

Overt Channesl vs Covert Channels

Answer 1

Overt - legitimate communication channels used by programs. Covert Channels - Used to transport data in unintended ways.

Question 2

Wrappers

Answer 2

Programs that allow you to bind an executable to an innocent file

Question 3

Crypters

Answer 3

Use a combination of encryption and code manipulation to render malware undetectable to security programs.

Question 4

Packers

Answer 4

Use compression to pack the executable which helps evade signature based detection.

Question 5

Infinity

Answer 5

Exploit Kit

Question 6

Bleeding Life

Answer 6

Exploit Kit

Question 7

Crimepack

Answer 7

Exploit Kit

Question 8

Blackhole

Answer 8

Exploit Kit

Question 9

What is an exploit kit?

Answer 9

Helps deliver exploits and payloads.

Question 10

Proxy Server Trojan

Answer 10

Allows attacker to use the target system as a proxy.’

Question 11

Chebacca

Answer 11

Botnet Trojan

Question 12

Skynet

Answer 12

Botnet Trojan

Question 13

Botnet Trojan

Answer 13

Turns the computer into bot

Question 14

RAT

Answer 14

Remote access Trojan

Question 15

MoSucker

Answer 15

Remote Access Trojan

Question 16

Optix Pro

Answer 16

Remote Access Trojan

Question 17

Blackhole

Answer 17

Remote access trojan

Question 18

Zeus

Answer 18

E-Banking Trojans

Question 19

Spyeye

Answer 19

E-Banking Trojans

Question 20

Command Shell Trojan

Answer 20

Provides a backdoor to connect to through command-line access

Question 21

Netcat

Answer 21

With malicious intent, can be considered as a trojan

Question 22

Trojan - Death

Answer 22

Port 2

Question 23

Trojan - Senna Spy

Answer 23

Port 20

Question 24

Trojan - Hacker’s Paradise

Answer 24

Port 31, 456

Question 25

Trojan - TCP Wrappers

Answer 25

Port 421

Question 26

Trojan - Doom, Satanz Backdoor

Answer 26

Port 666

Question 27

Trojan - Silencer, WebEx

Answer 27

Port 1001

Question 28

Trojan - RAT

Answer 28

Port 1095-98

Question 29

Trojan - SubSeven

Answer 29

Port 1243

Question 30

Trojan - Shiva-Burka

Answer 30

Port 1600

Question 31

Trojan - Trojan Cow

Answer 31

Port 2001

Question 32

Trojan - Deep Throat

Answer 32

Port 6670-71

Question 33

Trojan - Tini

Answer 33

Port 7777

Question 34

Trojan - NetBus

Answer 34

Port 12345-6

Question 35

Trojan - Whack a Mole

Answer 35

Port 12361-3

Question 36

Trojan - Black Orifice

Answer 36

Port 31337, 31338

Question 37

Netstat -an

Answer 37

Shows open ports in numerical order

Question 38

Netstat -b

Answer 38

Displays all active connections and the processing using them

Question 39

Process Explorer

Answer 39

Microsoft tool that shows you everything about running processes

Question 40

SysAnalyzer

Answer 40

Registry monitoring tool

Question 41

Tiny Watcher

Answer 41

Registry monitoring tool

Question 42

Active Registry Monitor

Answer 42

Registry monitoring tool

Question 43

Regshot

Answer 43

Registry monitoring tool

Question 44

Msconfig

Answer 44

Windows program that shows all programs set to start on startup

Question 45

Tripwire

Answer 45

Integrity verifier that can act as a HIDS in protection against trojans

Question 46

SIGVERIF

Answer 46

built into Windows to verify the integrity of the system. Log file can be found at c:\windows\system32\sigverif.txt

Question 47

Virus

Answer 47

Self-replicating program that reproduces by attaching copies of itself into other executable code. . Usually installed by user .

Question 48

Ransomware

Answer 48

Malicious software designed to deny accesss to a computer until a price is paid; usually spread via email.

Question 49

WannaCry

Answer 49

Famous ransomware. Within 24 hours, had 230,000 victims; exploited unpatched SMB

Question 50

Cryptorbit

Answer 50

Ransomware type

Question 51

Cryptolocker

Answer 51

Ransomware type

Question 52

CryptoDefense

Answer 52

Ransomware type

Question 53

Boot Sector Virus

Answer 53

Known as system virus; moves boot sector to another location and then inserts code into the original location.

Question 54

Shell Virus

Answer 54

Wraps around an application’s code, inserting itself before the application’s

Question 55

Cluster Virus

Answer 55

Modifies directory table entries so every time a file or folder is opened, the virus runs.

Question 56

Multipartite Virus

Answer 56

Attempts to infect both boot sector and files; generally referred to as virus with multiple infection methods

Question 57

Macro Virus

Answer 57

Written in VBA ; infects template files - mostly Word and Excel

Question 58

Polymorphic Code Virus

Answer 58

Mutates its code by using a polymorphic engine; difficult to find because code is always changing.

Question 59

Encryption Virus

Answer 59

Uses encryption to hide the code from antivirus

Question 60

Metamorphic Virus

Answer 60

Rewrites itself every time it infects a new file.

Question 61

Stealth Virus

Answer 61

Known as tunneling virus; attempts to evade Avs by intercepting their requests and returning them instead of letting them pass to the OS

Question 62

Cavity Virus

Answer 62

Overwrite portions of host files as to not increase the actual size of the file; uss null content sections

Question 63

Sparse Infector Virus

Answer 63

Only infects occasionally (e.g. every 10th time)

Question 64

File Extension Virus

Answer 64

Changes the file extensions of files to take advantage of most people having them turned off (readme.txt.vbs shows as readme.txt

Question 65

Sonic Bat

Answer 65

Virus maker

Question 66

Poison

Answer 66

Virus maker

Question 67

Sam’s Virus Generator

Answer 67

Virus maker

Question 68

IPS Virus Maker

Answer 68

Virus maker

Question 69

Worm

Answer 69

Self-replicating malware that sends itself to other computers without human intervention. Often used in botnets, resides in active memory.

Question 70

Ghost Eye Worm

Answer 70

Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts

Question 71

What are the steps to analyzing malware?

Answer 71

1. Use a VM with NIC in host-only mode and no open shares. 2. Analyze the malware on the isolated VM in a static state. 3. Run the malware and check out processes . 4. Check and see what files are added, changed, or deleted.

Question 72

What is a Sheepdip system

Answer 72

A system that is used to check things introduced into a network. It is Airgapped.

Question 73

Botnets can be controlled over…

Answer 73

HTTP, HTTPS, IRC, ICQ

Question 74

DDoS Attack Category - Fragmentation Attacks

Answer 74

Attacks take advantage of the system’s ability to reconstruct fragmented packets.

Question 75

DDoS Attack Category - Volumetric Attacks

Answer 75

Bandwidth attacks; consume all bandwidth for the system of service.

Question 76

DDoS Attack Category - Application Attacks

Answer 76

Consume the resources necessary for the application to run. Usually against weak code.

Question 77

DDoS Attack Category - TCP-State-exhaustion attacks

Answer 77

Go after load balancers, firewalls, and application servers.

Question 78

DDoS Attack - SYN Attack

Answer 78

Send thousands of SYN packets to the machine with a false source address; eventually engages all resources and exhausts the machine.

Question 79

DDoS Attack - SYN Flood

Answer 79

Sends thousands of SYN packets to; but does NOT SPOOF IP but doesn’t respond to SYN/ACK

Question 80

DDoS Attack - ICMP Flood

Answer 80

Sends ICMP Echo packets with a spoofed address; eventually reaches limit of packets per second sent.

Question 81

DDoS Attack - Smurf Attack

Answer 81

Sending a large number of pings to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target.

Question 82

DDoS Attack - Fraggle

Answer 82

Same as smurf but with UDP packets

Question 83

DDoS Atttack - Ping of Death

Answer 83

Fragments ICMP messages; after reassembled, the ICMP packet is larger than the maximum size and crashes the system.

Question 84

DDoS Attack - Teardrop

Answer 84

Overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash due to fragment reassembly.

Question 85

DDoS Attack - Peer to Peer

Answer 85

clients of peer-to-peer file sharing hub are disconnected and directed to connect to the target system.

Question 86

DDoS Attack - Phlashing

Answer 86

A DoS attack that causes permanent damage to a system; also called bricking a system.

Question 87

DDoS Attack - LAND attack

Answer 87

Sends a SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes.

Question 88

Low Orbit Ion Cannon (LOIC)

Answer 88

DDoS tool that floods target with TCP, UDP, or HTTP requests.

Question 89

Trinity

Answer 89

Linux based DDoS tool

Question 90

Tribe Flood Network

Answer 90

Uses voluntary botnet systems to launch massive flood attacks

Question 91

R-U-Dead-Yet (RUDY)

Answer 91

DoS with HTTP POST via long-for field submissions.

Question 92

Session Hijacking

Answer 92

Attacker waits for session to begin and after the victim authenticates, steals the session for himself.

Question 93

Session Hijacking steps are:

Answer 93

1. Sniff traffic between client and server. 2. Monitor the traffic and predict the sequence number. 3. Desynchronize the session with the client. 4. Predict the session token and take over the session. 5. Inject packets to target server.

Question 94

Session Hijacking can be predicted by looking at _____________

Answer 94

Predicting can be done by knowing the window size and the packet sequence number. Sequence number increment on Acknowledgement. For example, an ACK of 105 with a window of 200 means you could expect sequence numbering from 105 to 305.

Question 95

Ettercap

Answer 95

Man-in-the middle tool and packet sniffer on steroids.

Question 96

Hunt

Answer 96

Sniff, hijack and reset connections

Question 97

T-Sight

Answer 97

Easily hijack sessions and monitor network connections

Question 98

Zaproxy

Answer 98

Session Hijacking tool

Question 99

Paros

Answer 99

Session Hijacking tool

Question 100

Burp Suite

Answer 100

Session Hijacking tool

Question 101

Juggernaut

Answer 101

Session Hijacking tool

Question 102

Hamster

Answer 102

Session Hijacking tool

Question 103

Ferret

Answer 103

Session Hijacking tool

Question 104

How can you defend against session hijacking?

Answer 104

Using unpredictable session IDs - Limiting incoming connections. - Minimizing remote access. - Regenerating the session key after authentication. - Use IPSec to encrypt

Question 105

IPSec - Transport Mode

Answer 105

Payload and ESP trailer are encrypted; IP header is NOT

Question 106

IPSec - Tunnel Mode

Answer 106

Everything is encrypted; cannot be used with NAT

Question 107

IPSec - Authentication Header

Answer 107

Guarantees the integrity and authentication of IP packet sender

Question 108

IPSec - Encapsulating Security Payload (ESP)

Answer 108

Proivdes origin authenticity and integrity as well as confidentiality.

Question 109

IPSec - Internet Key Exchange (IKE)

Answer 109

Produces the keys for the encryption process.

Question 110

IPSec - Oakley

Answer 110

Uses Diffie-Hellman to create master and session keys.

Question 111

Internet Security Association Key Management Protocol (ISAKMP)

Answer 111

Software that facilitates encrypted communication between two endpoints.