CEH v10: 07 Malware Threats

Certified Ethical Hacker v10 Chapter 07: Malware Threats

Basic

Malware (Malicious Software) defines a wide variety of potentially harmful software.

Malware propagation ways

Free software (crack files, ...)
File sharing services: during the transfer, the file can be infected (torrent, ...)
Removable media (firmware embedded malware, ...)
Email (attachment, ...)
Not using firewall or anti-virus

Trojan

Misleads from its true intention and wait for the best time to attack. Typically spread by social engineering.

Most common use:

Create back door
Gaining unauthorized access
Steal information
Infect connected devices
Ransomware attacks
Using victim as botnet
Download other malicious software
Disable security

Trojan infection process

Creating trojan
Create a dropper
Create a wrapper
Propagate the trojan
Execute dropper

Trojan Construction Kit allow attacker to create their own trojan. Trojans created by using construction kits can avoid detection from virus and trojan scanning.

Trojan construction kits:

Dark Horse trojan virus maker
Senna Spy Generator
Trojan Horse Construction Kit
Progenic mail Trojan Construction Kit
Pandora's Box

Droppers

Dropper is a program that is designed to deliver a payload on the target machine, install the malware without being detected.

Tools:

Win32/Rotbrow.A
Win32/Swisyn
Win32/Meredrop
Troj/Destover-C

Wrappers

Wrapper binds malicious file in order to create and propagate the trojan along with it to avoid detection. Wrappers often popular executable files, like games, music, etc.

Crypter

The basic purpose is to encrypt, obfuscate and manipulate the malware. By using crypter, it becomes more difficult to detect. Crypter is used while creating the trojan.

Tools:

Cryogenic Crypter
Heaven Crypter
Swayz Cryptor

Deployment of trojan

An attacker is upload the trojan on a server, where it can be downloaded immediately when the victim clicks on the link

Types of trojans

Command Shell Trojans

Command Shell Trojans provide a remote control of command shell (i.e. open a port for Netcat)

Defacement Trojans

Defacement Trojans allow attacker to view, edit and extract information, for example User-Styled Custom Application

HTTP/HTTPS Trojans

HTTP/HTTPS Trojans create a http/https tunnel to communicate

Botnet trojans

Botnet is a large scale of compromised system, they spread over the world
Botnets controlled by Command and Control Center
Used to launch distributed attacks, like DDoS, spamming

Proxy Server Trojans

Proxy Server Trojans turns the compromised system into a proxy server
Attacker use this to hide the actual source of the attack

Remote Access Trojans (RAT)

RAT allows the attacker to get remote desktop access to the victim's computer
RAT includes a back door to maintain the access and control over the victim
Attacker can monitor user, access information, alter files, etc...

Tools

SSH-R.A.T.
BlackHole RAT
Pandora RAT

Other Types of Trojans

FTP Trojans
VNC Trojans
Mobile Trojans
ICMP Trojans
Covert Channel Trojans
Notification Trojans
Data Hiding Trojans

Trojan Countermeasures

Avoid to click on suspected email attachments
Block unused ports
Monitor network traffic
Avoid download from untrusted sources
Install / update security softwares and anti-viruses
Scan removable media before use
File integrity
Enable auditing
Configure host-based firewall
Intrusion detection software

Detection Techniques for Trojans

Scanning for suspicious network activities
Scanning for suspicious ports
Scanning for suspicious registry entries
Scanning for suspicious Windows services
Scanning for suspicious start-up programs
Scanning for suspicious files and folders
Scanning for suspicious processes

Virus and Worms

Viruses

The virus is a self-replicating program, it is capable of producing multiple copies by attaching with another program.

Characteristics of viruses:

Infecting other files
Alteration of data
Corruption
Encryption
Self-replication

Stages of Virus Life

Design: develop virus from scratch or using construction kits
Replication: after the virus is deployed, it will start to spread itself
Launch: user accidentally launch the infected program
Detection: the behavior of a virus is observed, the virus is identified
Incorporation: developers design a defensive code
Elimination: update the anti-virus, virus eliminated

Working of Viruses

Infection Phase

During infection phase, virus planted on a target system, replicate itself onto an executable file. It can be launched when user execute an infected program. These viruses spread by reproducing and infecting programs, documents or email attachments. They can enter the operating system through removable drives or any digital media.

Attack Phase

File is executed accidentally by user. Normally, viruses require a triggering action to infect, but they can also have configured to infect upon certain predefined conditions.

Types of Viruses

System or Boot Viruses: move actual Master Boot Record (MBR) from its actual location, the virus responds from the original location of MBR when the system boots, it executes yje virus first.
File Viruses: infect executable files or BAT files.
Multipartite Viruses: infect boot sector and files simultaneously.
Macro Viruses: designed for Microsoft Office and other application using Visual Basic for Application (VBA).
Cluster Viruses: designed to attack and modify the file location table or directory table.
Stealth/Tunneling Viruses: to evade detection, stealth virus employs tunnel technique ti launch under anti-virus via a tunnel and intercepting request from Operating System Interruptionhandler.
Logic Bombs: designed to remain in waiting state until a predetermined event occurs, then payload detonate and perform its intended task, difficult to detect, difficult to detect.
Encryption Virus: uses encryption to avoid detection, use new encryption to encrypt and decrypt the replica.

Ransomware

Ransomware is a malware program which restricts the access to the system files and folders by encrypting them. Some type of ransomware may lock the system as well. Attacker demands ransom to provide the decryption key. Ransomware is deployed using trojans. Example: WannaCry

Types:

Cryptobit Ransomware
CryptoLocker Ransomware
CryptoDefense Ransomware
CryptoWall Ransomware
Police-themed Ransomware

Others:

Metamorphic Viruses
File Overwriting or Cavity Viruses
Sparse Infection Viruses
Companion/Camuflage Viruses
Shell Viruses
File Extension Viruses
Add-on and Intrusive Viruses
Transient and Terminate and Stay Resident Viruses

Virus generating tools

Sam's Virus Generator
JPS Virus Maker
Sonic Bat

Worms

Worms can replicate themselves but cannot attach themselves. It has the capability to travel without human action. The worm can propagate using file transport and spread across the infected network which virus is not capable of.

Analysis and Detection Methods

Scanning: the suspected file is scanned for the signature string
Check: the entire disk is checked for integrity, integrity checker records integrity of all files by calculating checksum usually
Interception: request from operating system is monitored, emulation and heuristic analysis include behavior analysis and code analysis by executing it in a sophisticated environment

Malware Reverse Engineering

Sheep Dipping

The analysis is performing on a dedicated computer, along with port monitoring, anti-viruses and other security programs.

Malware Analysis

The process of identification of a malware until its verification that the malware is completely removed, including observing the behavior of malware, scoping the potential threat to a system and finding other measures.

Process:

Creating the testbed: use a virtual machine as a host operating system where malware analysis is performed by executing the malware, this virtual machine is isolated from the network, creating a quarantine with it
Static and Dynamic malware analysis: observe the behavior, using process monitoring tools, packet monitoring tools and debugging tools, later the network connection is also set up

Goals of Malware Analysis

Diagnostics of threat severity or level of attack
Diagnostics of the type of malware
Scope the attack
Build defense to secure networks and systems
Finding root cause
Built incident response actions
Develop anti-malware to eliminate

Types of Malware Analysis

Static Analysis or Code Analysis

Disassemble the binary file, fragmenting the resources, without executing it and study each component.

Dynamic Analysis or Behavioral Analysis

Execute the malware and observing its behavior. These analysis are performed in a sandbox environment. Sandboxing technology helps analysis in a dedicated manner in a sophisticated environment. During the sanboxing of the malware, it is searched in the intelligence database for the analysis report. The diagnose is recorded for future use, helps to respond faster.

CEH v10: 07 Malware Threats

Basic​

Malware propagation ways​

Trojan​

Trojan infection process​

Droppers​

Wrappers​

Crypter​

Deployment of trojan​

Types of trojans​

Command Shell Trojans​

Defacement Trojans​

HTTP/HTTPS Trojans​

Botnet trojans​

Proxy Server Trojans​

Remote Access Trojans (RAT)​

Tools​

Other Types of Trojans​

Trojan Countermeasures​

Detection Techniques for Trojans​

Virus and Worms​

Viruses​

Stages of Virus Life​

Working of Viruses​

Infection Phase​

Attack Phase​

Types of Viruses​

Ransomware​

Virus generating tools​

Worms​

Analysis and Detection Methods​

Malware Reverse Engineering​

Sheep Dipping​

Malware Analysis​

Goals of Malware Analysis​

Types of Malware Analysis​

Static Analysis or Code Analysis​

Dynamic Analysis or Behavioral Analysis​