CEH v10: 07_Malware_Threats

Basic

Malware = Malicious Software Malware defines a wide variety of potentially harmful software.

Malware propagation ways

  • Free software (crack files, …)
  • File sharing services: during the transfer, the file can be infected (torrent, …)
  • Removable media (firmware embedded malware, …)
  • Email (attachment, …)
  • Not using firewall or anti-virus

Trojan

Misleads from its true intention and wait for the best time to attack. Typically spread by social engineering.

Most common use:

  • Create back door
  • Gaining unauthorized access
  • Steal information
  • Infect connected devices
  • Ransomware attacks
  • Using victim as botnet
  • Download other malicious software
  • Disable security

Trojan infection process

  • Creating trojan
  • Create a dropper
  • Create a wrapper
  • Propagate the trojan
  • Execute dropper

Trojan Construction Kit allow attacker to create their own trojan. Trojans created by using construction kits can avoid detection from virus and trojan scanning.

Trojan construction kits:

  • Dark Horse trojan virus maker
  • Senna Spy Generator
  • Trojan Horse Construction Kit
  • Progenic mail Trojan Construction Kit
  • Pandora’s Box

Droppers

Dropper is a program that is designed to deliver a payload on the target machine, install the malware without being detected.

Tools:

  • Win32/Rotbrow.A
  • Win32/Swisyn
  • Win32/Meredrop
  • Troj/Destover-C

Wrappers

Wrapper binds malicious file in order to create and propagate the trojan along with it to avoid detection. Wrappers often popular executable files, like games, music, etc.

Crypter

The basic purpose is to encrypt, obfuscate and manipulate the malware. By using crypter, it becomes more difficult to detect. Crypter is used while creating the trojan.

Tools:

  • Cryogenic Crypter
  • Heaven Crypter
  • Swayz Cryptor

Deployment of trojan

An attacker is upload the trojan on a server, where it can be downloaded immediately when the victim clicks on the link

Types of trojans

Command Shell Trojans

  • Command Shell Trojans provide a remote control of command shell (i.e. open a port for Netcat)

Defacement Trojans

  • Defacement Trojans allow attacker to view, edit and extract information, for example User-Styled Custom Application

HTTP/HTTPS Trojans

  • HTTP/HTTPS Trojans create a http/https tunnel to communicate

Botnet trojans

  • Botnet is a large scale of compromised system, they spread over the world
  • Botnets controlled by Command and Control Center
  • Used to launch distributed attacks, like DDoS, spamming

Proxy Server Trojans

  • Proxy Server Trojans turns the compromised system into a proxy server
  • Attacker use this to hide the actual source of the attack

Remote Access Trojans (RAT)

  • RAT allows the attacker to get remote desktop access to the victim’s computer
  • RAT includes a back door to maintain the access and control over the victim
  • Attacker can monitor user, access information, alter files, etc…

Tools

  • SSH-R.A.T.
  • BlackHole RAT
  • Pandora RAT

Other Types of Trojans

  • FTP Trojans
  • VNC Trojans
  • Mobile Trojans
  • ICMP Trojans
  • Covert Channel Trojans
  • Notification Trojans
  • Data Hiding Trojans

Trojan Countermeasures

  • Avoid to click on suspected email attachments
  • Block unused ports
  • Monitor network traffic
  • Avoid download from untrusted sources
  • Install / update security softwares and anti-viruses
  • Scan removable media before use
  • File integrity
  • Enable auditing
  • Configure host-based firewall
  • Intrusion detection software

Detection Techniques for Trojans

  • Scanning for suspicious network activities
  • Scanning for suspicious ports
  • Scanning for suspicious registry entries
  • Scanning for suspicious Windows services
  • Scanning for suspicious start-up programs
  • Scanning for suspicious files and folders
  • Scanning for suspicious processes

Virus and Worms

Viruses

The virus is a self-replicating program, it is capable of producing multiple copies by attaching with another program.

Characteristics of viruses:

  • Infecting other files
  • Alteration of data
  • Corruption
  • Encryption
  • Self-replication

Stages of Virus Life

  • Design: develop virus from scratch or using construction kits
  • Replication: after the virus is deployed, it will start to spread itself
  • Launch: user accidentally launch the infected program
  • Detection: the behavior of a virus is observed, the virus is identified
  • Incorporation: developers design a defensive code
  • Elimination: update the anti-virus, virus eliminated

Working of Viruses

Infection Phase

During infection phase, virus planted on a target system, replicate itself onto an executable file. It can be launched when user execute an infected program. These viruses spread by reproducing and infecting programs, documents or email attachments. They can enter the operating system through removable drives or any digital media.

Attack Phase

File is executed accidentally by user. Normally, viruses require a triggering action to infect, but they can also have configured to infect upon certain predefined conditions.

Types of Viruses

  • System or Boot Viruses: move actual Master Boot Record (MBR) from its actual location, the virus responds from the original location of MBR when the system boots, it executes yje virus first.
  • File Viruses: infect executable files or BAT files.
  • Multipartite Viruses: infect boot sector and files simultaneously.
  • Macro Viruses: designed for Microsoft Office and other application using Visual Basic for Application (VBA).
  • Cluster Viruses: designed to attack and modify the file location table or directory table.
  • Stealth/Tunneling Viruses: to evade detection, stealth virus employs tunnel technique ti launch under anti-virus via a tunnel and intercepting request from Operating System Interruptionhandler.
  • Logic Bombs: designed to remain in waiting state until a predetermined event occurs, then payload detonate and perform its intended task, difficult to detect, difficult to detect.
  • Encryption Virus: uses encryption to avoid detection, use new encryption to encrypt and decrypt the replica.
Ransomware

Ransomware is a malware program which restricts the access to the system files and folders by encrypting them. Some type of ransomware may lock the system as well. Attacker demands ransom to provide the decryption key. Ransomware is deployed using trojans. Example: WannaCry

Types:

  • Cryptobit Ransomware
  • CryptoLocker Ransomware
  • CryptoDefense Ransomware
  • CryptoWall Ransomware
  • Police-themed Ransomware

Others:

  • Metamorphic Viruses
  • File Overwriting or Cavity Viruses
  • Sparse Infection Viruses
  • Companion/Camuflage Viruses
  • Shell Viruses
  • File Extension Viruses
  • Add-on and Intrusive Viruses
  • Transient and Terminate and Stay Resident Viruses

Virus generating tools

  • Sam’s Virus Generator
  • JPS Virus Maker
  • Sonic Bat

Worms

Worms can replicate themselves but cannot attach themselves. It has the capability to travel without human action. The worm can propagate using file transport and spread across the infected network which virus is not capable of.

Analysis and Detection Methods

  • Scanning: the suspected file is scanned for the signature string
  • Check: the entire disk is checked for integrity, integrity checker records integrity of all files by calculating checksum usually
  • Interception: request from operating system is monitored, emulation and heuristic analysis include behavior analysis and code analysis by executing it in a sophisticated environment

Malware Reverse Engineering

Sheep Dipping

The analysis is performing on a dedicated computer, along with port monitoring, anti-viruses and other security programs.

Malware Analysis

The process of identification of a malware until its verification that the malware is completely removed, including observing the behavior of malware, scoping the potential threat to a system and finding other measures.

Process:

  • Creating the testbed: use a virtual machine as a host operating system where malware analysis is performed by executing the malware, this virtual machine is isolated from the network, creating a quarantine with it
  • Static and Dynamic malware analysis: observe the behavior, using process monitoring tools, packet monitoring tools and debugging tools, later the network connection is also set up

Goals of Malware Analysis

  • Diagnostics of threat severity or level of attack
  • Diagnostics of the type of malware
  • Scope the attack
  • Build defense to secure networks and systems
  • Finding root cause
  • Built incident response actions
  • Develop anti-malware to eliminate

Types of Malware Analysis

Static Analysis or Code Analysis

Disassemble the binary file, fragmenting the resources, without executing it and study each component.

Dynamic Analysis or Behavioral Analysis

Execute the malware and observing its behavior. These analysis are performed in a sandbox environment. Sandboxing technology helps analysis in a dedicated manner in a sophisticated environment. During the sanboxing of the malware, it is searched in the intelligence database for the analysis report. The diagnose is recorded for future use, helps to respond faster.