Chapter 9 - Trojans and Other Attacks Flashcards
Overt Channels
Covert Channels
overt - legitimate communication channels
covert - used to transport data in unintended ways
Wrappers
programs that bind an executable of your choice to an innocent file the target will want to open
the wrapper stub itself has a known signature, so wrapped files are routinely caught by AV scans
Elitewrap
wrapping program you can embed a backdoor with
packers and crypters
tools that alter malware to hide it from signature based AV
packers - compress (and often obfuscate) the executable, changing its on-disk bytes so a signature for the unpacked file no longer matches
crypters - encrypt the code and prepend a small decryption stub, so the body is unreadable to signature-based AV until it is decrypted at runtime
Types of Trojans
defacement trojan, proxy server trojan, botnet trojan, remote access trojan, e-banking trojan, command shell trojan
botnet trojan examples - chewbacca, sky net
remote access trojan examples - RAT, MoSucker, Optic Pro, Blackhole
e-banking trojan examples - Zeus, SpyEye
command shell trojan - ECC says netcat is one, because it can bind a command shell to a listening port
netcat commands
nc -l -p 5555
nc ipaddress 5555
nc -l -p 5555
opens port 5555 in a listening state on the target (original netcat syntax; adding -e cmd.exe, on builds compiled with that option, hands whoever connects a command shell, which is what makes it a command shell trojan)
nc ipaddress 5555
connects to the target on port 5555, like telnet. On the client side the destination port is a bare argument; -p is the listener's flag, and on a client it would set the local source port instead
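The listener/connector exchange above, reproduced with Python sockets so both roles are visible side by side. This is an added example, not code from the original flashcards; it binds only to 127.0.0.1 on a port the OS picks, and the messages are constructed.

```python
"""Added example: the `nc -l -p PORT` / `nc HOST PORT` exchange in Python.
Listener and client run in one process on loopback for illustration."""
import socket
import threading


def start_listener(host="127.0.0.1", port=0):
    """Equivalent of `nc -l -p PORT`: bind, listen, and return the socket
    plus the port actually chosen (0 lets the OS pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def serve_one(srv, reply=b"hello from listener\n"):
    """Accept a single connection, read one message, answer it, and return
    what was read (a real `-e cmd.exe` would hand the socket to a shell)."""
    conn, _addr = srv.accept()
    with conn:
        data = conn.recv(4096)
        conn.sendall(reply)
    return data


def connect_and_send(host, port, line=b"hello from client\n"):
    """Equivalent of `nc HOST PORT`: connect, send a line, return the reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(line)
        return c.recv(4096)


def exchange(port=0):
    """Run both sides on localhost; return (listener received, client received)."""
    srv, chosen = start_listener(port=port)
    result = {}

    def run():
        result["got"] = serve_one(srv)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    reply = connect_and_send("127.0.0.1", chosen)
    t.join(timeout=5)
    srv.close()
    return result.get("got"), reply


if __name__ == "__main__":
    print(exchange())
```

Running it shows why a listener on an unexpected port is the thing to hunt for on a host: the "trojan" side is nothing more than a bound socket waiting for a connection.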
Trojan names and port numbers for EC Exam
Death - 2
Senna Spy - 20
Hackers Paradise - 31, 456
TCP Wrappers - 421
Doom, SatanzBackDoor - 666
Silencer, WebEx - 1001
RAT - 1095-98
SubSeven - 1243
Trojan names and port numbers for EC Exam (continued)
Shivka-Burka - 1600
Trojan Cow - 2001
Deep Throat - 6670-71
Tini - 7777
NetBus - 12345, 12346
Whack-a-Mole - 12361-63
Back Orifice - 31337, 31338
what command to use on windows to show all connections and listening ports?
netstat -an
what does netstat -b show?
the executable that created each connection or listening port, listed alongside the connection (requires administrator privileges; combine with -an as netstat -anb)
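Putting the two cards together: parse `netstat -an` output and flag listening ports that match the exam's default trojan port list. This is an added example, not part of the flashcards; the netstat output below is constructed, and a port match is only a lead to confirm with `netstat -anb`.

```python
"""Added example: match `netstat -an` listeners against default trojan ports."""
import re

# Default ports from the flashcards above (Death ... Back Orifice).
TROJAN_PORTS = {
    2: "Death", 20: "Senna Spy", 31: "Hackers Paradise", 456: "Hackers Paradise",
    421: "TCP Wrappers", 666: "Doom / SatanzBackDoor", 1001: "Silencer / WebEx",
    1243: "SubSeven", 1600: "Shivka-Burka", 2001: "Trojan Cow",
    6670: "Deep Throat", 6671: "Deep Throat", 7777: "Tini",
    12345: "NetBus", 12346: "NetBus", 31337: "Back Orifice", 31338: "Back Orifice",
}
TROJAN_PORTS.update({p: "RAT" for p in range(1095, 1099)})
TROJAN_PORTS.update({p: "Whack-a-Mole" for p in range(12361, 12364)})

# Windows `netstat -an` line: proto, local addr:port, foreign addr:port, [state]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")

# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49710     93.184.216.34:443      ESTABLISHED
  TCP    [::]:31337             [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""


def split_port(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); bracketed IPv6 '[::]:31337' works too."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) for each connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        ip, port = split_port(local)
        yield proto, ip, port, state or "-"


def flag_trojan_ports(text):
    """Return [(port, trojan_name)] for LISTENING TCP or bound UDP ports found
    in TROJAN_PORTS. A hit is a lead, not proof: anything can bind 12345, and a
    real trojan can bind anything, so confirm the owning process with -b."""
    hits = []
    for proto, _ip, port, state in parse_netstat(text):
        listening = state == "LISTENING" or proto == "UDP"
        if listening and port in TROJAN_PORTS:
            hits.append((port, TROJAN_PORTS[port]))
    return hits


if __name__ == "__main__":
    for port, name in flag_trojan_ports(SAMPLE_NETSTAT):
        print(f"port {port} listening: matches default port of {name}")
```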
Windows Registry locations to run things automatically
Run
RunServices
RunOnce
RunServicesOnce
all under HKLM… (the same key names also exist under HKCU, so check both hives)
Registry monitoring tools
sysanalyzer
tiny watcher
active registry monitor
regshot
Monitoring tools for processes and services
Windows Service Manager
Service Manager Plus
Smart Utility
check the startup routines, like with ‘msconfig’
Tripwire
SIGVERIF
Tripwire - integrity verifier that can act as an HIDS against trojans
SIGVERIF - built into Windows to verify that critical system files carry valid digital signatures; writes its log to a file called SIGVERIF.TXT in the Windows folder
Virus Types
Ransomware, boot sector virus (aka system virus), shell virus, multipartite virus, macro virus
Ransomware - locks you out of your system or files, demands payment
Boot sector virus - moves the original boot sector to another location on the disk and puts itself in its place, so the virus executes before the OS boots
shell virus - works like a boot sector virus but for applications: wraps itself around the application's code, so it runs before the application
multi-partite virus - infects files and boot sector at same time. Has multiple infection vectors
macro virus - infects template files from MS Office
Virus Types
Polymorphic code virus, encryption virus, metamorphic virus, stealth virus, cavity virus, sparse infector virus, file extension virus
Polymorphic code virus - mutates its code, hard to find because code constantly changes.
Encryption virus - uses encryption to hide its code from AV
Metamorphic virus - rewrites itself each time it infects new file
Stealth virus - evades AV by intercepting the AV's requests to the OS (file reads, size queries) and answering them itself with clean-looking results instead of letting the OS answer
cavity virus - overwrite portions of host files so the actual file size doesn’t change. Uses null content sections of file, and original file still works
sparse infector virus - infect only occasionally
file extension virus - uses a double extension to take advantage of "hide known extensions" being turned on (e.g. readme.txt.vbs is displayed as readme.txt)
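Why a crypter (cards "packers and crypters" above) and an encryption virus defeat a byte signature on the body, and what a scanner keys on instead. This is an added illustration, not code from the flashcards: the "payload" is a benign constructed string, the "stub" is a marker standing in for decryptor code, and a fresh XOR keystream per build is the crypter's only trick here.

```python
"""Added example: per-build XOR 'crypting' changes the body hash every time,
leaves the decryptor stub constant, and pushes the body's entropy up."""
import hashlib
import math
import os
from collections import Counter

STUB = b"DECRYPT-STUB-v1:"                       # constant decryptor stub: what AV can still sign
PAYLOAD = b"constructed benign payload. " * 12   # low-entropy, highly repetitive sample


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt(payload, key_len=None):
    """Return stub || key_len || key || xor(payload, key). A random key per
    build gives a different body every time, so a hash or byte signature
    taken from one sample does not match the next."""
    key = os.urandom(key_len or len(payload))
    return STUB + len(key).to_bytes(2, "big") + key + xor(payload, key)


def decrypt(blob):
    """Inverse of crypt(): the stub reads its key and recovers the payload."""
    assert blob.startswith(STUB)
    klen = int.from_bytes(blob[len(STUB):len(STUB) + 2], "big")
    key = blob[len(STUB) + 2:len(STUB) + 2 + klen]
    return xor(blob[len(STUB) + 2 + klen:], key)


def shannon_entropy(data):
    """Bits per byte: 8.0 is random; text sits around 4-5. Packed or encrypted
    bodies score high, which is a common heuristic when signatures fail."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def body_signature(blob):
    """SHA-256 of everything after the stub: the 'body' a naive signature would hash."""
    return hashlib.sha256(blob[len(STUB):]).hexdigest()


def analyse(payload=PAYLOAD):
    """Build the same payload twice and compare what a scanner would see."""
    a, b = crypt(payload), crypt(payload)
    return {
        "roundtrip_ok": decrypt(a) == payload and decrypt(b) == payload,
        "body_sigs_differ": body_signature(a) != body_signature(b),
        "stub_in_both": a.startswith(STUB) and b.startswith(STUB),
        "plain_entropy": shannon_entropy(payload),
        "crypted_entropy": shannon_entropy(a[len(STUB) + 2:]),
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v}")
```

The two things that stay constant across builds, the stub and the high entropy of the body, are exactly what signature writers and heuristics target, which is why real crypters also mutate the stub.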
Worms
self replicating program that sends copies of itself to other systems without human intervention
Famous worms that could be on exam
Code Red, Darlloz, Slammer, Nimda, Bug Bear, Pretty Park
Code Red - exploited IIS servers using buffer overflow
Darlloz - linux based, targets ARM, MIPS and PowerPC platforms like routers, cable boxes, security cameras
Slammer - SQL Slammer, DoS worm against MS SQL Server. Spread over UDP (port 1434) and the entire worm fit in a single packet
Nimda - spread so fast it set a world record, through email, network shares, websites, backdoors left from Code Red
Bug Bear - spread over network shares and email. Terminated AV applications, setup backdoor and key logger
Pretty Park - spread via email, used IRC to spread stolen passwords. Often showed 3D pipe screensaver
Steps for Analyzing Malware
Use VM with NIC in host-only mode
run malware and watch the processes with Process Monitor, Process Explorer
Review network traffic using NetResident, TCPView or Wireshark
See what files are added, changed, deleted, what processes keep spawning, what registry changes occur
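The "what files are added, changed, deleted" step, done the way Tripwire (card above) and Regshot do it: a hash baseline taken before the sample runs, compared with a second snapshot afterwards. This is an added example, not from the flashcards; the directory contents and the simulated "infection" are constructed, and a real run would snapshot the analysis VM's filesystem.

```python
"""Added example: file integrity baseline and diff, the core of Tripwire/Regshot."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_snapshots(before, after):
    """Return (added, changed, deleted) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, changed, deleted


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a tiny constructed 'system', baseline it, simulate what a trojan
    does (drop a file, tamper with hosts, remove a file), then diff."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "Windows/System32/hosts", b"127.0.0.1 localhost\n")
        write(root, "Users/victim/notes.txt", b"todo\n")
        write(root, "Users/victim/old.tmp", b"junk\n")
        before = snapshot(root)
        write(root, "Users/victim/AppData/svchost.exe", b"MZ-not-really\n")
        write(root, "Windows/System32/hosts",
              b"127.0.0.1 localhost\n0.0.0.0 av-update.example\n")
        os.remove(os.path.join(root, "Users/victim/old.tmp"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, changed, deleted = demo()
    print("added:  ", added)
    print("changed:", changed)
    print("deleted:", deleted)
```

Hashes rather than timestamps are the point: a sample that resets mtime after writing still changes the digest. The same before/after idea applied to `reg export` output is what Regshot does for the Run keys listed earlier.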
Malware Analysis Tools
BinText and UPX
IDA Pro
VirusTotal
Anubis
Threat Analyzer
examine binary itself and the compression and packing techniques
Sheep-dip Computer
checks physical media, software, other files for malware before it’s introduced to the network
Isolated from other computers, not on network
usually configured with multiple AV programs, registry and file integrity verifiers
Denial of Service and DDoS
For exam, preferred communication channel for botnet signaling is IRC or ICQ. In real world, HTTP, HTTPS used at least as much
ECC’s 4 categories of DoS / DDoS
Fragmentation Attacks
Volumetric Attacks
Application Attacks
TCP State Exhaustion Attacks
Fragmentation Attacks - takes advantage of system’s ability to reconstruct fragmented packets
Volumetric Attacks (aka bandwidth attacks) - consumes all available bandwidth
Application Attacks - consume resources needed for application to run, making it unavailable
TCP State Exhaustion Attacks - go after load balancers, firewalls, application servers by consuming all their connection state tables
Types of attacks
SYN attack, SYN flood, ICMP flood, application level, Smurf
SYN attack - attacker sends thousands of SYN packets with a false source IP. machine responds with SYN/ACK but fails because of false address. Eventually machine crashes
SYN flood - attacker sends thousands of SYN packets but never responds to replying SYN/ACK packets. Victim has to wait certain amount of time to get answer, so it eventually bogs down
ICMP flood - attacker sends ICMP Echo packets with fake source address. Target responds to fake address and eventually reaches a limit of packets per second sent
Application level - simple attack: the attacker sends more legitimate-looking requests than the web application can handle, causing it to crash. Exploits weak application code (expensive or unbounded operations)
Smurf - attacker sends large number of pings to broadcast address of subnet, with fake source IP spoofed to that of target. Entire subnet sends ping responses to the target.
Fraggle attack is like Smurf, but uses UDP
Exam Tip
Distributed reflection denial of service (DRDoS): secondary machines send the attack traffic at the attacker's request, so the attacker stays hidden
The exam may describe this setup with the word botnet; strictly, reflection uses third-party servers that answer spoofed requests, whereas a botnet is made of compromised hosts the attacker controls
Types of Dos/DDoS Attacks
Ping of death
Teardrop
Peer to peer
Permanent (phlashing, aka bricking)
Ping of death - attacker fragments ICMP message to send to a target. When they’re reassembled, the ICMP packet is larger than the maximum size and crashes the system
Teardrop - large number of garbled IP fragments with overlapping, oversized payloads sent to target. On Older Windows systems, this caused the system to crash because of weak TCP/IP stack
Peer to peer - clients on a P2P file sharing hub are disconnected and told to connect to the target system instead
Permanent - Phlashing refers to DoS attack that causes permanent damage to hardware (bricking).
LAND Attack
Sends SYN packet to target with source IP spoofed to same as target IP.
If vulnerable, target loops endlessly, crashing the OS
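The flood and malformed-packet attacks above, recognised from packet metadata. This is an added example, not part of the flashcards: the records are constructed dicts standing in for what a sniffer or flow export would give you, and the broadcast address and SYN-flood threshold are illustrative assumptions.

```python
"""Added example: LAND, Smurf, ping of death and SYN flood detection over
constructed packet records."""
from collections import Counter

BROADCAST = "192.168.1.255"    # assumed subnet broadcast address
SYN_FLOOD_THRESHOLD = 100      # assumed: SYN-only segments per target in the window


def is_land(p):
    """LAND: a SYN whose source and destination address and port are the target itself."""
    return (p["proto"] == "tcp" and p["flags"] == "S"
            and p["src"] == p["dst"] and p["sport"] == p["dport"])


def is_smurf(p, broadcast=BROADCAST):
    """Smurf: ICMP echo request aimed at the broadcast address; the source is the spoofed victim."""
    return p["proto"] == "icmp" and p["icmp_type"] == 8 and p["dst"] == broadcast


def is_ping_of_death_fragment(p):
    """Ping of death: a fragment whose offset (in 8-byte units) plus length
    reassembles past the 65535-byte IP maximum."""
    return p["proto"] == "icmp" and p["frag_off"] * 8 + p["len"] > 65535


def detect(packets, threshold=SYN_FLOOD_THRESHOLD):
    """Return the packets that match each attack, plus SYN-flood counts per target."""
    syn_only = Counter(p["dst"] for p in packets if p["proto"] == "tcp" and p["flags"] == "S")
    acks = Counter(p["dst"] for p in packets if p["proto"] == "tcp" and "A" in p["flags"])
    return {
        "land": [p for p in packets if is_land(p)],
        "smurf": [p for p in packets if is_smurf(p)],
        "ping_of_death": [p for p in packets if is_ping_of_death_fragment(p)],
        # many half-open handshakes and almost no ACKs back from the 'clients'
        "syn_flood": {dst: n for dst, n in syn_only.items()
                      if n >= threshold and acks[dst] < n // 10},
    }


def sample_packets():
    """Constructed traffic: one normal handshake, a SYN flood from 150 spoofed
    sources, a LAND packet, a Smurf trigger, and a ping-of-death tail fragment."""
    target = "10.0.0.5"
    pk = [
        dict(proto="tcp", src="10.0.0.9", dst=target, sport=40000, dport=80, flags="S"),
        dict(proto="tcp", src="10.0.0.9", dst=target, sport=40000, dport=80, flags="A"),
    ]
    for i in range(150):
        pk.append(dict(proto="tcp", src=f"203.0.113.{i % 254 + 1}", dst=target,
                       sport=1024 + i, dport=80, flags="S"))
    pk.append(dict(proto="tcp", src=target, dst=target, sport=139, dport=139, flags="S"))
    pk.append(dict(proto="icmp", src=target, dst=BROADCAST, icmp_type=8, frag_off=0, len=84))
    pk.append(dict(proto="icmp", src="198.51.100.7", dst=target, icmp_type=8,
                   frag_off=8180, len=1500))
    return pk


if __name__ == "__main__":
    for kind, hits in detect(sample_packets()).items():
        print(kind, hits if isinstance(hits, dict) else len(hits))
```

The SYN-flood rule is the one to tune: it counts SYNs per destination and requires the ACK count to stay far below it, which separates a flood of spoofed, never-completed handshakes from a legitimately busy server.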
DoS attack tools
Low Orbit Ion Cannon (LOIC), Trinity, Tribe Flood Network, R-U-Dead-Yet (RUDY), SlowLoris
LOIC - simple DDoS tool, floods target with TCP, UDP or HTTP requests. Used for major, public attacks
Trinity - Linux based DDoS tool like LOIC
Tribe Flood - similar but uses botnet systems to launch massive flood attacks
RUDY - performs DoS with HTTP POST via long-form submissions
SlowLoris - holds many HTTP connections to a web server open by sending partial request headers and never completing them; ties up the server's connection slots so the service hangs, without consuming much bandwidth
DoS mitigations
standard stuff
disable unnecessary services
good firewall policy
security patches
good NIDS
Compare Session Hijacking to Spoofing
Spoofing - the attacker impersonates another host's address (or identity) and initiates traffic as that host; no existing session is taken over
Session Hijacking - the attacker waits for the target's session to begin and, once authentication is complete, steps into the established session and takes it over
5 ECC Steps for Session Hijacking
sniff traffic between client and server
monitor the traffic and predict sequence numbering
desynchronize the session with the client
predict the session token and take over the session
inject packets to target server
Exam Tips pg 327, figure 9-5
- The next sequence number a host will accept is the acknowledgement number it last sent; sequence numbers advance by the number of payload bytes carried (plus one for SYN and FIN)
- Given an acknowledgement number and a window size, the acceptable sequence numbers run from the acknowledgement number up to acknowledgement plus window
- Acknowledgement of 105 and window size of 200: the exam answer is "sequence numbers from 105 through 305". Strictly the window covers 200 numbers, 105 through 304, since 305 = 105 + 200 falls just outside it
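The window arithmetic above, and the numbers a hijacker's injected segment must carry, as an added example that is not part of the flashcards. The session values are constructed; in a real hijack they come from the sniffed traffic (steps 1 and 2 of the ECC list).

```python
"""Added example: TCP acceptable-sequence window and hijack injection numbers."""
MOD = 2 ** 32   # TCP sequence space wraps at 2^32


def acceptable_range(ack, window):
    """Inclusive range a receiver accepts after sending ACK=ack with the given
    window. The flashcard's 105/200 example yields 105..304 (200 numbers)."""
    return ack, (ack + window - 1) % MOD


def in_window(seq, ack, window):
    """RFC 793 receive test RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32,
    so it also works across a sequence-number wrap."""
    return (seq - ack) % MOD < window


def next_injection(client_seq, client_len, server_seq, server_len,
                   client_syn_fin=0, server_syn_fin=0):
    """Given the client's last sniffed segment (seq, payload bytes) and the
    server's (seq, payload bytes), a forged client segment must carry
    SEQ = client_seq + bytes sent (+1 per SYN/FIN) and
    ACK = server_seq + bytes received (+1 per SYN/FIN)."""
    seq = (client_seq + client_len + client_syn_fin) % MOD
    ack = (server_seq + server_len + server_syn_fin) % MOD
    return seq, ack


def worked_example():
    """Constructed session: client sent 100 bytes at seq 1000, server answered
    300 bytes at seq 5000, server's last ACK was 105 with window 200."""
    seq, ack = next_injection(1000, 100, 5000, 300)
    return {
        "inject_seq": seq,
        "inject_ack": ack,
        "window_105_200": acceptable_range(105, 200),
        "305_accepted": in_window(305, 105, 200),
    }


if __name__ == "__main__":
    print(worked_example())
```

The catch is step 3 of the ECC list: the real client also knows these numbers, so if it sends first the injected segment is a duplicate and gets dropped, which is why the client has to be desynchronised (or silenced) before injecting.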
Session Hijacking Tools
Ettercap, Hunt, T-Sight, Zaproxy, Paros, Burp Suite, Juggernaut, Hamster, Ferret
Ettercap - excellent MITM tool
Hunt - sniff, hijack, reset connections at will
T-Sight - hijack sessions, monitor network connections
Zaproxy and Paros are better known as intercepting proxies (Burp Suite likewise)
2 Modes of IPSEC
transport
tunnel
transport mode - only the payload and ESP trailer are encrypted; the original IP header stays in the clear, so the packet is still routable. The exam treats this as the mode that works with NAT; in practice ESP transport mode is the one NAT breaks (the inner TCP/UDP checksum covers the original addresses), and it is NAT-T (ESP wrapped in UDP 4500) that gets IPsec through NAT
tunnel mode - the entire original packet, header included, is encrypted and wrapped in a new outer IP header. The exam answer is that it cannot be used with NAT; in practice it is the usual mode for site-to-site VPNs, with NAT-T handling the NAT
IPSEC Authentication Header
AH is a protocol that guarantees integrity, authentication of the IP packet sender, and anti-replay protection. Its hash covers the source and destination addresses, so AH breaks under NAT in either mode
Session Hijacking Countermeasures
use unpredictable session IDs
limit incoming connections
minimize remote access
regenerate session key after authentication completes
use encryption to protect the channel (like IPSEC)
Encapsulating Security Payload
ESP - protocol that provides origin authenticity and integrity but can also do encryption (confidentiality)
In transport mode ESP authenticates and integrity-protects only the payload and ESP header/trailer, not the outer IP header; in tunnel mode it covers the entire original packet (including its original IP header), though still not the new outer header
Internet Key Exchange
IKE - the protocol that negotiates security associations and produces the keys IPsec uses; built from ISAKMP and Oakley
Oakley
key exchange protocol that uses Diffie-Hellman to derive master and session keys
Internet Security Association Key Management Protocol
ISAKMP - a framework (a protocol, not a piece of software) that defines how two endpoints negotiate, establish, modify and delete security associations; IKE uses it to set up encrypted communication