CEH v10: 07_Malware_Threats
Malware = Malicious Software Malware defines a wide variety of potentially harmful software.
Malware propagation ways
- Free software (crack files, …)
- File sharing services: during the transfer, the file can be infected (torrent, …)
- Removable media (firmware embedded malware, …)
- Email (attachment, …)
- Not using firewall or anti-virus
Misleads from its true intention and wait for the best time to attack. Typically spread by social engineering.
Most common use:
- Create back door
- Gaining unauthorized access
- Steal information
- Infect connected devices
- Ransomware attacks
- Using victim as botnet
- Download other malicious software
- Disable security
Trojan infection process
- Creating trojan
- Create a dropper
- Create a wrapper
- Propagate the trojan
- Execute dropper
Trojan Construction Kit allow attacker to create their own trojan. Trojans created by using construction kits can avoid detection from virus and trojan scanning.
Trojan construction kits:
- Dark Horse trojan virus maker
- Senna Spy Generator
- Trojan Horse Construction Kit
- Progenic mail Trojan Construction Kit
- Pandora’s Box
Dropper is a program that is designed to deliver a payload on the target machine, install the malware without being detected.
Wrapper binds malicious file in order to create and propagate the trojan along with it to avoid detection. Wrappers often popular executable files, like games, music, etc.
The basic purpose is to encrypt, obfuscate and manipulate the malware. By using crypter, it becomes more difficult to detect. Crypter is used while creating the trojan.
- Cryogenic Crypter
- Heaven Crypter
- Swayz Cryptor
Deployment of trojan
An attacker is upload the trojan on a server, where it can be downloaded immediately when the victim clicks on the link
Types of trojans
Command Shell Trojans
- Command Shell Trojans provide a remote control of command shell (i.e. open a port for Netcat)
- Defacement Trojans allow attacker to view, edit and extract information, for example User-Styled Custom Application
- HTTP/HTTPS Trojans create a http/https tunnel to communicate
- Botnet is a large scale of compromised system, they spread over the world
- Botnets controlled by Command and Control Center
- Used to launch distributed attacks, like DDoS, spamming
Proxy Server Trojans
- Proxy Server Trojans turns the compromised system into a proxy server
- Attacker use this to hide the actual source of the attack
Remote Access Trojans (RAT)
- RAT allows the attacker to get remote desktop access to the victim’s computer
- RAT includes a back door to maintain the access and control over the victim
- Attacker can monitor user, access information, alter files, etc…
- BlackHole RAT
- Pandora RAT
Other Types of Trojans
- FTP Trojans
- VNC Trojans
- Mobile Trojans
- ICMP Trojans
- Covert Channel Trojans
- Notification Trojans
- Data Hiding Trojans
- Avoid to click on suspected email attachments
- Block unused ports
- Monitor network traffic
- Avoid download from untrusted sources
- Install / update security softwares and anti-viruses
- Scan removable media before use
- File integrity
- Enable auditing
- Configure host-based firewall
- Intrusion detection software
Detection Techniques for Trojans
- Scanning for suspicious network activities
- Scanning for suspicious ports
- Scanning for suspicious registry entries
- Scanning for suspicious Windows services
- Scanning for suspicious start-up programs
- Scanning for suspicious files and folders
- Scanning for suspicious processes
Virus and Worms
The virus is a self-replicating program, it is capable of producing multiple copies by attaching with another program.
Characteristics of viruses:
- Infecting other files
- Alteration of data
Stages of Virus Life
- Design: develop virus from scratch or using construction kits
- Replication: after the virus is deployed, it will start to spread itself
- Launch: user accidentally launch the infected program
- Detection: the behavior of a virus is observed, the virus is identified
- Incorporation: developers design a defensive code
- Elimination: update the anti-virus, virus eliminated
Working of Viruses
During infection phase, virus planted on a target system, replicate itself onto an executable file. It can be launched when user execute an infected program. These viruses spread by reproducing and infecting programs, documents or email attachments. They can enter the operating system through removable drives or any digital media.
File is executed accidentally by user. Normally, viruses require a triggering action to infect, but they can also have configured to infect upon certain predefined conditions.
Types of Viruses
- System or Boot Viruses: move actual Master Boot Record (MBR) from its actual location, the virus responds from the original location of MBR when the system boots, it executes yje virus first.
- File Viruses: infect executable files or BAT files.
- Multipartite Viruses: infect boot sector and files simultaneously.
- Macro Viruses: designed for Microsoft Office and other application using Visual Basic for Application (VBA).
- Cluster Viruses: designed to attack and modify the file location table or directory table.
- Stealth/Tunneling Viruses: to evade detection, stealth virus employs tunnel technique ti launch under anti-virus via a tunnel and intercepting request from Operating System Interruptionhandler.
- Logic Bombs: designed to remain in waiting state until a predetermined event occurs, then payload detonate and perform its intended task, difficult to detect, difficult to detect.
- Encryption Virus: uses encryption to avoid detection, use new encryption to encrypt and decrypt the replica.
Ransomware is a malware program which restricts the access to the system files and folders by encrypting them. Some type of ransomware may lock the system as well. Attacker demands ransom to provide the decryption key. Ransomware is deployed using trojans. Example: WannaCry
- Cryptobit Ransomware
- CryptoLocker Ransomware
- CryptoDefense Ransomware
- CryptoWall Ransomware
- Police-themed Ransomware
- Metamorphic Viruses
- File Overwriting or Cavity Viruses
- Sparse Infection Viruses
- Companion/Camuflage Viruses
- Shell Viruses
- File Extension Viruses
- Add-on and Intrusive Viruses
- Transient and Terminate and Stay Resident Viruses
Virus generating tools
- Sam’s Virus Generator
- JPS Virus Maker
- Sonic Bat
Worms can replicate themselves but cannot attach themselves. It has the capability to travel without human action. The worm can propagate using file transport and spread across the infected network which virus is not capable of.
Analysis and Detection Methods
- Scanning: the suspected file is scanned for the signature string
- Check: the entire disk is checked for integrity, integrity checker records integrity of all files by calculating checksum usually
- Interception: request from operating system is monitored, emulation and heuristic analysis include behavior analysis and code analysis by executing it in a sophisticated environment
Malware Reverse Engineering
The analysis is performing on a dedicated computer, along with port monitoring, anti-viruses and other security programs.
The process of identification of a malware until its verification that the malware is completely removed, including observing the behavior of malware, scoping the potential threat to a system and finding other measures.
- Creating the testbed: use a virtual machine as a host operating system where malware analysis is performed by executing the malware, this virtual machine is isolated from the network, creating a quarantine with it
- Static and Dynamic malware analysis: observe the behavior, using process monitoring tools, packet monitoring tools and debugging tools, later the network connection is also set up
Goals of Malware Analysis
- Diagnostics of threat severity or level of attack
- Diagnostics of the type of malware
- Scope the attack
- Build defense to secure networks and systems
- Finding root cause
- Built incident response actions
- Develop anti-malware to eliminate
Types of Malware Analysis
Static Analysis or Code Analysis
Disassemble the binary file, fragmenting the resources, without executing it and study each component.
Dynamic Analysis or Behavioral Analysis
Execute the malware and observing its behavior. These analysis are performed in a sandbox environment. Sandboxing technology helps analysis in a dedicated manner in a sophisticated environment. During the sanboxing of the malware, it is searched in the intelligence database for the analysis report. The diagnose is recorded for future use, helps to respond faster.