Trojans and other Attacks

Question 1

Malware

Answer 1

Software designed to harm or secretly access a computer system without the owner’s informed consent. Computer contaminant

Question 2

Malvertising

Answer 2

Embedding malware into ad networks

Question 3

Malware Delivery

Answer 3

Downloaded from the Internet
Drive by downloading
Hijacking of peer to peer applications
Email attachment

Question 4

Overt Channels

Answer 4

Legitimate communication channels

Question 5

Covert Channels

Answer 5

Used to transport data in unintended ways

Question 6

Wrappers

Answer 6

Programs that allow you to bind a trojan to an innocent file

Question 7

Crypters

Answer 7

Software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products, Fud-fully undetectable

Question 8

Packers

Answer 8

Use compression to pack the malware executable harder to detect for antivirus engines. Extraction occurs in memory and not on desk.

Question 9

Trojan Exploit Kits

Answer 9

Infinity
Bleeding Life
Crimepack
Blackhole Exploit Kit

Question 10

Trojan

Answer 10

Embedded malicious code in an otherwise normal application

Question 11

Types of Trojans

Answer 11

Defacement trojan
Proxy server trojan
Botnet trojan (tor based Chewbacca and Skynet)
Remote Access trojan (RAT, MoSucker, Optix Pro, Blackhole)
Ebanking trojan (Zeus, Spyeye)

Question 12

Covert Channel Tunneling Trojan (CCTT)

Answer 12

A form of remote access trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized data streams. Designed to provide an external shell from within the internal environment.

Question 13

Command shell trojan

Answer 13

Provides a backdoor to the system that you connect to via command-line access. Netcat, example: nc -e IPaddress port#
-t option will provide telnet
Example: nc -l -p 5555 opens a port in a listening state and nc IPaddress -p 5555 connects to the target machine with a telnet like connection
Netcat can be used for outbound or inbound connections over TCP or UDP, to or from any port on the machine. It offers DNS forwarding, port mapping and forwarding and proxying. It can also be used as a port scanner.

Question 14

Trojan Ports

Answer 14

Death 2
Senna Spy 20
Hackers Paradise 31,456
TCP Wrappers 421
Doom,Satanz Backdoor 666
Silencer,WebEx 1001
RAT 1095-98
SubSeven 1243
Shivka-Burka 1600
Trojan Cow 2001
Deep Throat 6670-71
Tini 7777
Netbus 12345,12346
Whack a Mole 12361-12363
Back Orifice 31337,313338
Use netstat -an to monitor listening ports
netstat -b - displays all active connections and the processes using them

Question 15

Neverquest Trojan

Answer 15

Targets banking websites. designed to steal credentials and sensitive information and to set up VNC remote access targets

Question 16

Port monitoring tools

Answer 16

Fport - shows same info as netstat -an but also maps them to running processes and PIDs
Whats Running
TCPView
IceSword
CurrPorts
Process Explorer

Question 17

Registry monitoring tools

Answer 17

SysAnalyzer, 
Tiny Watcher, 
Active Registry Monitor, 
Regshot, 
Malwarebytes

Question 18

Service monitoring

Answer 18

Windows Service Manager
Service Manager Plus
Smart Utility

Question 19

Verifying the integrity of system files - can act as a HIDS for trojans

Answer 19

Tripwire

Sigverif - creates c:\windows\system32\sigverif.txt

Question 20

Virus

Answer 20

self-replicating program that reproduces its code by attaching copies into other executable codes
Can be distributed through virus hoaxes and fake antivirus programs

Question 21

Ransomware

Answer 21

Malicious software designed to deny access to a computer until a ransom is paid

Question 22

Wannacry

Answer 22

Ransomware that took advantage of an unpatched SMBv1 exploit known as Eternal Blue

Question 23

Ransomware programs

Answer 23

Cryptorbit
Cryptolocker
CryptoDefense

Question 24

Boot sector virus

Answer 24

Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first
Petya ransomware overwrote the master boot record

Question 25

Shell virus

Answer 25

Wraps itself around an application’s code, inserting its own code before the application’s

Question 26

Cluster virus

Answer 26

Modified directory table entries so that user or system processes are pointed to the virus code itself instead of the application

Question 27

Multipartite virus

Answer 27

Attempts to infect both files and the boot sector at the same time and refers to a virus with multiple infection vectors.

Question 28

Macro virus

Answer 28

Usually written with Visual Basic for Applications (VBA), infects template files created by Microsoft Office apps. Melissa virus was a macro virus

Question 29

Polymorphic code virus

Answer 29

Mutates its code using a built in polymorphic engine. Difficult to find and remove because its signature constantly changes.

Question 30

Encryption virus

Answer 30

Uses encryption to hide the code from antivirus scanners

Question 31

Metamorphic virus

Answer 31

Rewrites itself every time it infects a new file

Question 32

Stealth virus

Answer 32

Also known as tunneling virus that evades AV by intercepting the AV’s requests to the operating system and alters the response to AV as uninfected

Question 33

Cavity virus

Answer 33

Overwrite portions of host files using the null content sections so as not to increase the actual size of the file

Question 34

Sparse infector virus

Answer 34

Infects only occasionally for example only every tenth time an application is run

Question 35

File extension virus

Answer 35

Changes the file extensions of files to take advantage that file extensions are hidden by default. readme.txt.vbs looks like readme.txt when file extensions are not being shown

Question 36

Create your own virus

Answer 36

Sonic Bat,
PoisonVirus Maker,
Sam’s Virus generator,
JPS Virus Maker

Question 37

Worm

Answer 37

Self replicating malware computer program that uses a network to send copies to other systems. Normally it doesn’t alter files, but it resides in memory and duplicates itself eating up resources.

Question 38

Confiker worm

Answer 38

Disabled services, denied access to administrator shared drives, locked users out of directories, and restricted access to security-related sites.

Question 39

Ghost eye worm

Answer 39

Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts

Question 40

Code red word

Answer 40

Exploited indexing software on IIS servers in 2001. Used a buffer overflow and defaced thousands of servers

Question 41

Darlloz

Answer 41

Worm for IOT. Linux based worm that targets running ARM, MIPS and PowerPC architectures, normally routers, set-top boxes and security cameras

Question 42

Nimda

Answer 42

Modified and touched nearly all web content on a machine. Was the most widespread worm in history. Nimda spread through email, open network shares, and websites and took advantage of backdoors left on machines infected by the Code Red worms.

Question 43

Slammer

Answer 43

SQL slammer was a denial of service worm attacking buffer overflow weaknesses in Microsoft SQL. ALso called Saphire, SQL_HEL, and Helkern, spread quickly using UDP and its small size (fit inside a single packet)

Question 44

Bug Bear

Answer 44

Propagated over open network shares and email. Terminated AV applications and set up a backdoor for later use. Also a keylogger

Question 45

Pretty Park

Answer 45

Spread via email and took advantage of IRC to propagate stolen passwords. Often displayed a 3D Pipe screensaver.

Question 46

Analyzing malware

Answer 46

Use a virtual machine with the NIC in host only mode and open shares. Analyze the malware statically using tools like binText and UPX to examine the binary itself as well as the compression and packaging techniques. Then execute the malware and check the processes in place (with Process Monitor and Process Explorer). Review network traffic using NetResident, TCPview, or wireshark. Tools for malware analysis include IDA Pro, virustotal, anubis, and threat analyzer.

Question 47

Sheepdip System

Answer 47

A standalone computer that is set up to check physical media, device drivers, and other files for malware before it is introduced to a network. Normally configured with a couple of different AV programs, port monitors, registry monitors, and file integrity verifiers.

Question 48

Netizen

Answer 48

Cybercitizen, a person actively involved in online communities

Question 49

Technorati

Answer 49

blog search engine

Question 50

Distributed Denial of Service (DDoS) attack

Answer 50

DOS from many systems normally part of a botnet

Question 51

Botnet

Answer 51

A network of zombies computers the hacker can use to start a distributed denial of service attack

Question 52

Botnet software

Answer 52

Shark, Poison Ivy. Preferred communication channel used to signal the bots is Internet Relay Chat (IRC) ir Internet Chat Query (ICQ), Could also be http or https

Question 53

Categories of DOS/DDOS

Answer 53

1. Fragmentation attacks - takes advantage of the system’s ability to reconstruct fragmented packets
2. Volumetric attacks - also known as a bandwidth attacks, these consume all available bandwidth for the system or service
3. Application attacks - consume the resources necessary for the application to run

Question 54

TCP state exhaustion attacks

Answer 54

Goes after load balancers, firewalls, and applications servers by attempting to consume their connection state tables

Question 55

SYN attack

Answer 55

Sending thousands of SYN packets to the victim with a false source IP address. Eventually all the resources are consumed

Question 56

SYN flood

Answer 56

Sending thousands of SYN packets to the victim but does not respond to the SYN/ACK. Also consumes all resources on the victim that has to leave the connection open waiting for a response that never arrives.

Question 57

ICMP flood

Answer 57

Sending thousands of ICMP echo packets to the target with a false source IP address.

Question 58

Smurf

Answer 58

Sending thousands of ping requests to a subnet broadcast address with the source IP of the target. Fraggle attack is similar but uses UDP

Question 59

Ping of Death

Answer 59

The attacker fragments an ICMP message to a target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system.

Question 60

Teardrop

Answer 60

A large number of garbled IP fragments with overlapping, oversized payloads are sent to the target machine. On older Microsoft OS this would cause a crash.

Question 61

Peer to peer

Answer 61

Clients of a peer to peer hub are disconnected and directed to connect to a target system

Question 62

Pemanent

Answer 62

Phlashing causes permanent damage to a system normally by overwriting firmware. Also known as bricking a system,

Question 63

LAND attack

Answer 63

Will send a SYN packet to the target with the source IP spoofed to the same IP of the target. The target will loop endlessly and crash the OS.

Question 64

DOS/DDOS tools

Answer 64

Low Orbit Ion Cannon (LOIC) - can flood a target with TCP, UDP, or HTTP requests
Trinity - linux based
Tribe Flood Network - uses a botnet
R-U-Dead-Yet (RUDY) - performs DOS with HTTP post via a long form field
Slowloris - TCP DOS tool that ties up open sockets and causes services to hang. Useful against web servers

Question 65

DOS/DDOS countermeasures

Answer 65

Disabling unnecessary services
Good firewall policy
Patching
Use a good NIDS
Skydance - can detect a DOS
Network ingress filtering and auditing

Question 66

Session Hijacking

Answer 66

Refers to stealing an active TCP session from a client. The server is not aware and the client reconnects using a different session.

1. Sniff the traffic between the client and the server
2. Monitor the traffic and predict the sequence numbering
3. Desynchronize the session with the client by sending a TCP RST, or FIN.
4. Predict the session token
5. Take over the session by pretending to be the client to the server. Inject packets to the target server

Session hijacking can be done via brute force, calculation or stealing.

Sequence numbers increment on acknowledgment, An acknowledgment of 105 with a windows size of 200 means you could expect sequence numbering from 105 through 305

Question 67

Session hijacking tools

Answer 67

Ettercap
Hunt - can sniff, hijack and reset connections
T-sight
Zaproxy
Paros - also a proxy
Burp Suite
Juggernaut
Hamster
Ferret

Question 68

Man in the browser

Answer 68

When an attacker sends a trojan to intercept browser calls, sitting between the browser and the libraries, allowing a hacker to watch and interact within a browser session.

Question 69

Session hijacking countermeasures

Answer 69

Use unpredictable session IDs
Limit incoming connections
Minimize remote access
Regenerate the session key after authentication is complete
Use encryption to protect the channel (IPSEC is an option)

Question 70

IPSEC

Answer 70

Secures traffic by providing encryption and authentication services to each packet. Works in one of two modes:

1. Transport mode - payload and ESP trailer are encrypted but the original IP header is not. Can be used in a NAT network
2. Tunnel mode - the whole packet including the original IP header is encrypted making it incompatible with NAT

Question 71

IPSEC Authentication Header (AH)

Answer 71

Guarantees the integrity and authentication of the IP packet sender

Question 72

IPSEC Encapsulating Security Payload (ESP)

Answer 72

Provides origin authenticity and integrity and can also encrypt. ESP does not provide integrity and authentication for the entire IP packet in transport mode, but in tunnel mode protection is provided to the entire IP packet

Question 73

Internet Key Exchange (IKE)

Answer 73

IKE produces the encryption keys

Question 74

Oakley

Answer 74

Uses Diffie-Hellman to create master and session keys

Question 75

Internet Security Association Key Management Protocol (ISAKMP)

Answer 75

Facilitates encryption between two endpoints

Question 76

Spectre and Meltdown

Answer 76

Attacks that took advantage of speculative processing