3) Rootkits, Web Threats and Internet Forensics Flashcards
What are rootkits?
Programs/malware whose main goal is to keep access to the infected system without being detected. They hide themselves from the OS.
What types of rootkits exist?
User mode: Runs in ring 3 of the OS. Can only hide itself from other ring 3 applications (like explorer.exe) but not from kernel mode applications.
Kernel mode: Runs at least partially in kernel mode (ring 0). Much more powerful than user mode rootkits.
What is meant by Hooking?
Hooking is the interception of system calls or messages / events sent between other programs and / or software components. Example: a keylogger that sits between the keyboard and the computer.
What are ways to find Rootkits?
- Run AV scan to find obvious rootkits
- Compare the user-level view with the kernel-level view by running key API calls and comparing the results.
- Look for OS hooks.
List some Rootkit Detection Tools.
Rootkit scanners: Rootkit Buster, GMER, RootRepeal
What is the problem with rootkits and Windows x64?
Win x64 only accepts digitally signed drivers in kernel mode. Rootkit developers are not able to sign their malicious code, so they switch to bootkits. A bootkit tries to intercept the startup routine of a computer.
What is the goal of Web Attacks?
Place a malicious piece of software on the victim's computer or get access to sensitive information (PII).
What are the two major categories of web exploits?
Exploits against the browser or exploits against a browser plugin.
Name the four steps of how an attack works.
- Passively analyse the victim's browser to find out which exploit kit works best.
- Find a vulnerability in the browser where malicious shell code can be placed.
- Execution of the shell code.
- The shell code normally downloads the key payload.
List a few ways how to hide web attacks.
- iframe
- iframe with zero size
- JS with document.write() function
- JS with the escape/unescape functions to encode ASCII letters, combined with the eval function
- fromCharCode() translates ASCII numbers to ASCII characters
- arguments.callee in JS. A reference to the function itself. Used to check whether modifications were performed.
Name two actions a malicious hop does.
REDIRECT or EXPLOIT
How do attackers obfuscate JavaScripts?
- Write code on one line
- Use the document.write() function to put together code snippets (a+b+c)
- Usage of the escape function
- eval function
- fromCharCode()
- Use strange / random variable names
- Spaghetti code
- Functions within functions
What are useful steps in analyzing obfuscated JavaScripts?
- Re-define the document.write or eval function at the beginning of the script
- Change document.write to alert
- Write the output of document.write into a textarea
- Use online/offline deobfuscation tools
What does the eval function do?
It checks whether the passed string is valid JavaScript and then executes it.
What is meant by escape/unescape?
Translates characters from letters to ASCII codes and back.
What does the fromCharCode() function do?
Translates ASCII numbers to ASCII letters.
Name a few tools to deobfuscate JavaScript.
Revelo, JavaScript Beautifier, CyberChef
With what can the document.write function be replaced? Give a few examples.
alert or textarea
What does arguments.callee do?
It returns the content of the function itself. An attacker can check whether the code has been tampered with (checking the length, iterating through all characters in the function). => integrity checks.
What is Maltego?
Maltego is a data visualisation tool for open source intelligence gathering. It shows the relationships between various entities in a graph and can also run automated queries for information gathering (transforms).
What are the most common DNS record types?
- A
- AAAA
- CNAME
- PTR
- MX
- NS
- SOA
- SRV
- TXT
Name some Google advanced search parameters.
- intitle
- intext
- inurl
- ext
- filetype
How can we find out which sites are visited by a particular company with Maltego?
Find the public IP range (via MX records). Look for any websites where this IP is stored (in a changelog, for example).
Describe how an attacker could use an Open Source Intelligence approach with tools such as Google, Pipl and Maltego to map a list of important employees in an organisation as the first phase of a targeted attack.
First phase: information / intelligence gathering about the target person and their relationships. There is a lot of information available, not only via Google but also on social media sites. Find the aliases of a person. The more information is present, the better a targeted attack (CEO fraud) or a social engineering attack will be.