Trojans And Other Attacks Flashcards
Name the ports of some typical Trojans
• TCP Wrappers - port 421
• Doom - port 666
• Snipernet - port 667
• Tini - port 7777
• WinHole - port 1080-81
• RAT - port 1095, 1097-8
• SpySender - port 1807
• Deep Throat - port 2140, 3150
• NetBus - port 12345, 12346
• Whack a Mole - port 12362, 12363
• Back Orifice - port 31337, 31338
What are the types of viruses?
• Boot sector virus: Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first. They’re almost impossible to get rid of once you get infected. You can re-create the boot record (old-school fdisk or mbr could do the trick for you), but it’s not necessarily a walk in the park.
• Shell virus: Working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s. Every time the application is run, the virus code is run first.
• Multipartite virus: Attempts to infect both files and the boot sector at the same time. This generally refers to a virus with multiple infection vectors. This link describes one such DOS-type virus: www.f-secure.com/v-descs/neuroqui.shtml. It was multipartite, polymorphic, retroviral, boot sector, and generally a pretty wild bit of code.
• Macro virus: Probably one of the most common malware types you’ll see in today’s world, these are usually written with Visual Basic for Applications (VBA). This virus type infects template files created by Microsoft Office, normally Word and Excel. The Melissa virus was a prime example of this.
• Polymorphic code virus: This virus mutates its code using a built-in polymorphic engine. These viruses are difficult to find and remove because their signatures constantly change.
• Metamorphic virus: This virus type rewrites itself every time it infects a new file.
• Stealth virus: Also known as a “tunneling virus,” this one attempts to evade antivirus (AV) applications by intercepting the AV’s requests to the operating system (OS) and returning them to the virus instead of the OS. The virus then alters the request and sends it back to the AV as uninfected, making the virus now appear “clean.”
What is a worm?
A worm is a self-replicating malware computer program that uses a computer network to send copies of itself to other systems without human intervention.
What are the common worms?
• Code Red: Named after the soft drink the eEye Digital guys were drinking when they discovered it, Code Red exploited indexing software on IIS servers in 2001. The worm used a buffer overflow and defaced hundreds of thousands of servers.
• Slammer: A.k.a. SQL Slammer, this was a denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services. Also called Sapphire, SQL_HEL, and Helkern, it spread quickly using UDP, and its small size (the entire worm could fit inside a single packet) allowed it to bypass many sensors.
• Nimda: This worm’s name comes from the word admin spelled backward. Nimda was a successful file infection virus that modified and touched nearly all web content on a machine. It spread so quickly it became the most widespread worm in history within about 22 minutes of its first sighting. Nimda spread through e-mail, open network shares, and websites, and it also took advantage of backdoors left on machines infected by the Code Red worm.
• Bug Bear: Propagating over open network shares and e-mail, Bug Bear terminated AV applications and set up a backdoor for later use. It also contained keylogging capabilities.
• Pretty Park: Pretty Park spread via e-mail (attempting a send every 30 minutes) and took advantage of IRC to propagate stolen passwords and the like. Running the worm executable often displayed the 3D Pipe screensaver on Windows machines.
What are the methods for DoS and DDoS attacks?
• SYN attack: The hacker will send thousands upon thousands of SYN packets to the machine with a false source IP address. The machine will attempt to respond with a SYN/ACK but will be unsuccessful (because the address is false). Eventually, all the machine’s resources are engaged, and it becomes a giant paperweight.
• SYN flood: In this attack, the hacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets. Because there is a certain amount of time the target must wait to receive an answer to the SYN/ACK, it will eventually bog down and run out of available connections.
• ICMP flood: Here, the attacker sends ICMP Echo packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.
• Application level: A simple attack whereby the hacker simply sends more “legitimate” traffic to a web application than it can handle, causing the system to crash.
• Smurf: The attacker sends a large number of pings to the broadcast address of the subnet, with the source IP spoofed to that of the target. The entire subnet will then begin sending ping responses to the target, exhausting the resources there. A fraggle attack is similar but uses UDP for the same purpose.
• Ping of death: (This isn’t a valid attack with modern systems, but is still a definition you may need.) In the ping of death, an attacker fragments an ICMP message to send to a target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system.
• Teardrop: In a teardrop attack, a large number of garbled IP fragments with overlapping, oversized payloads are sent to the target machine. On older operating systems (such as Windows 3.1x, Windows 95, and Windows NT), this takes advantage of weaknesses in the fragment reassembly functionality of their TCP/IP stack, causing the system to crash or reboot.