Chapter 9 - Trojans and Other Attacks

Question 1

Overt Channels

Covert Channels

Answer 1

overt - legitimate communication channels

covert - used to transport data in unintended ways

Question 2

Wrappers

Answer 2

programs that let you bind an executable of your choice to an innocent file your target will want to open

they have their own signatures and show up on AV scans

Question 3

Elitewrap

Answer 3

wrapping program you can embed a backdoor with

Question 4

packers and crypters

Answer 4

tools that alter malware to hide it from signature based AV

packers - compress malware to smaller size, making it harder to detect

crypters - encrypt and manipulate code to make malware undetectable to AV

Question 5

Types of Trojans

defacement trojan
proxy server trojan
botnet trojan
remote access trojan
e-banking trojan
command shell trojan

Answer 5

botnet trojan examples - chewbacca, sky net

remote access trojan examples - RAT, MoSucker, Optic Pro, Blackhole

e-banking trojan examples - Zeus, Spyeye

command shell trojan - ECC says netcat is one

Question 6

netcat commands

nc -l -p 5555

nc ipaddress -p 5555

Answer 6

nc -l -p 5555
opens port 5555 in a listening state on the target

nc ipaddress -p 5555
connects to target on port 5555, like telnet

Question 7

Trojan names and port numbers for EC Exam

Death 
Senna Spy
Hackers Paradise
TCP Wrappers
Doom, SatanzBackDoor
Silencer, WebEx
RAT
SubSeven

Answer 7

Death 2
Senna Spy 20
Hackers Paradise 31, 456
TCP Wrappers 421
Doom, SatanzBackDoor 666
Silencer, WebEx 1001
RAT 1095-98
SubSeven 1243

Question 8

Trojan names and port numbers for EC Exam

Shivak Burka
Trojan Cow
Deep Throat
Tini
NetBus
Whack a Mole
Back Orifice

Answer 8

Shivak Burka 1600
Trojan Cow 2001
Deep Throat 6670-71
Tini 7777
NetBus 12345, 12346
Whack a Mole 12361-63
Back Orifice 31337, 31338

Question 9

what command to use on windows to show all connections and listening ports?

Answer 9

netstat -an

Question 10

what does net stat -b show?

Answer 10

all active connections and the processes using them

Question 11

Windows Registry locations to run things automatically

Answer 11

Run
RunServices
RunOnce
RunServicesOnce

all under HKLM…

Question 12

Registry monitoring tools

Answer 12

sysanalyzer
tiny watcher
active registry monitor
regshot

Question 13

Monitoring tools for processes and services

Answer 13

Windows Service Manager

Service Manager Plus

Smart Utility

check the startup routines, like with ‘msconfig’

Question 14

Tripwire

SIGVERIF

Answer 14

Tripwire - integrity verifier that can act as an HIDS against trojans

SIGVERIF - built into Windows to help verify integrity of critical files. log file called SIGVERIF.TXT and is in the windows folder

Question 15

Virus Types

Ransomware
Boot sector virus  (aka system virus)
shell virus
multi-partite virus
macro virus

Answer 15

Ransomware - locks you out of your system, demands payment

Boot sector virus - moves boot sector on HD to different location, forcing virus to execute first.

shell virus - works like boot sector virus, wraps itself around application’s code, so it runs before the application

multi-partite virus - infects files and boot sector at same time. Has multiple infection vectors

macro virus - infects template files from MS Office

Question 16

Virus Types

Polymorphic code virus
Encryption virus
Metamorphic virus
Stealth virus
cavity virus
sparse infector virus
file extension virus

Answer 16

Polymorphic code virus - mutates its code, hard to find because code constantly changes.

Encryption virus - uses encryption to hide its code from AV

Metamorphic virus - rewrites itself each time it infects new file

Stealth virus - evades AV by intercepting AV requests to OS and returning them to itself instead of the OS.

cavity virus - overwrite portions of host files so the actual file size doesn’t change. Uses null content sections of file, and original file still works

sparse infector virus - infect only occasionally

file extension virus - change file extensions to take advantage of extension view being turned off (ie readme.txt.vbs becomes readme.txt)

Question 17

Worms

Answer 17

self replicating program that sends copies of itself to other systems without human intervention

Question 18

Famous worms that could be on exam

Code Red
Darlloz
Slammer
Nimda
Bug Bear
Pretty Park

Answer 18

Code Red - exploited IIS servers using buffer overflow

Darlloz - linux based, targets ARM, MIPS and PowerPC platforms like routers, cable boxes, security cameras

Slammer - SQL Slammer, DoS worm. spread over UDP and entire thing could fit in one packet

Nimda - spread so fast it set a world record, through email, network shares, websites, backdoors left from Code Red

Bug Bear - spread over network shares and email. Terminated AV applications, setup backdoor and key logger

Pretty Park - spread via email, used IRC to spread stolen passwords. Often showed 3D pipe screensaver

Question 19

Steps for Analyzing Malware

Answer 19

Use VM with NIC in host-only mode

run malware and watch the processes with Process Monitor, Process Explorer

Review network traffic using NetResident, TCPView or Wireshark

See what files are added, changed, deleted, what processes keep spawning, what registry changes occur

Question 20

Malware Analysis Tools

binText and UPX

IDA Pro

VirusTotal

Anubis

Threat Analyzer

Answer 20

examine binary itself and the compression and packing techniques

Question 21

Sheep-dip Computer

Answer 21

checks physical media, software, other files for malware before it’s introduced to the network

Isolated from other computers, not on network

usually configured with multiple AV programs, registry and file integrity verifiers

Question 22

Denial of Service and DDoS

Answer 22

For exam, preferred communication channel for botnet signaling is IRC or ICQ. In real world, HTTP, HTTPS used at least as much

Question 23

ECC’s 4 categories of DoS / DDoS

Fragmentation Attacks
Volumetric Attacks
Application Attacks
TCP State Exhaustion Attacks

Answer 23

Fragmentation Attacks - takes advantage of system’s ability to reconstruct fragmented packets

Volumetric Attacks (aka bandwidth attacks) - consumes all available bandwidth

Application Attacks - consume resources needed for application to run, making it unavailable

TCP State Exhaustion Attacks - go after load balancers, firewalls, application servers by consuming all their connection state tables

Question 24

Types of attacks

SYN attack
SYN flood
ICMP flood
Application level
Smurf

Answer 24

SYN attack - attacker sends thousands of SYN packets with a false source IP. machine responds with SYN/ACK but fails because of false address. Eventually machine crashes

SYN flood - attacker sends thousands of SYN packets but never responds to replying SYN/ACK packets. Victim has to wait certain amount of time to get answer, so it eventually bogs down

ICMP flood - attacker sends ICMP Echo packets with fake source address. Target responds to fake address and eventually reaches a limit of packets per second sent

Application level - simple attack, hacker sends more legitimate traffic to web application than it can handle, causing it to crash. exploits weak programming code

Smurf - attacker sends large number of pings to broadcast address of subnet, with fake source IP spoofed to that of target. Entire subnet sends ping responses to the target.

Fraggle attack is like Smurf, but uses UDP

Question 25

Exam Tip ``` define botnet aka "Distributed reflection denial of service" aka DRDoS. ```

Answer 25

secondary machines send attack at request of attacker, so attacker stays hidden

Question 26

Types of Dos/DDoS Attacks Ping of death Teardrop Peer to peer Permanent (Phlashing) (Bricking)

Answer 26

Ping of death - attacker fragments ICMP message to send to a target. When they're reassembled, the ICMP packet is larger than the maximum size and crashes the system Teardrop - large number of garbled IP fragments with overlapping, oversized payloads sent to target. On Older Windows systems, this caused the system to crash because of weak TCP/IP stack Peer to peer - clients o P2P file sharing hub are disconnected and told connect to target system Permanent - Phlashing refers to DoS attack that causes permanent damage to hardware (bricking).

Question 27

LAND Attack

Answer 27

Sends SYN packet to target with source IP spoofed to same as target IP. If vulnerable, target loops endlessly, crashing the OS

Question 28

DoS attack tools ``` Low Orbit Ion Cannon (LOIC) Trinity Tribe Flood Network R-U-Dead-Yet (RUDY) SlowLoris ```

Answer 28

LOIC - simple DDoS tool, floods target with TCP, UDP or HTTP requests. Used for major, public attacks Trinity - Linux based DDoS tool like LOIC Tribe Flood - similar but uses botnet systems to launch massive flood attacks RUDY - performs DoS with HTTP POST via long-form submissions SlowLoris - TCP DoS tool that ties up open sockets and causes services to hang. Useful against web servers, doesn't consume large amounts of bandwidth

Question 29

DoS mitigations

Answer 29

standard stuff disable unnecessary services good firewall policy security patches good NIDS

Question 30

Compare Session Hijacking to Spoofing

Answer 30

Spoofing - attacker pretends to be someone else's addresses to sniff their attract Session Hijacking - attacker waits for target's session to begin, and after authentication is done, jumps in to steal the session.

Question 31

5 ECC Steps for Session Hijacking

Answer 31

sniff traffic between client and server monitor the traffic and predict sequence numbering desynchronize the session with the client predict the session token and take over the session inject packets to target server

Question 32

Exam Tips pg 327, figure 9-5 1. Sequence numbers increment on acknowledgement 2. given an acknowledgement number and a window size, find what sequence number is acceptable to the system.

Answer 32

2. acknowledgement of 105 and window size of 200 means you can expect sequence numbering from 105 through 305

Question 33

Session Hijacking Tools ``` Ettercap Hunt T-Sight Zaproxy Paros Burp Suite Juggernaut Hamster Ferret ```

Answer 33

Ettercap - excellent MITM tool Hunt - sniff, hijack, reset connections at will T-Sight - hijack sessions, monitor network connections ZaProxy, Paros more known as proxies

Question 34

2 Modes oF IPSEC transport tunnel

Answer 34

transport mode - payload and ESP trailer are encrypted but IP header is not. Means it can be used in NAT because original packet is still routable tunnel mode - entire original packet is encrypted. Cannot be used with NAT

Question 35

IPSEC Authentication Header

Answer 35

AH is a protocol that guarantees integrity and authentication of the IP packet sender

Question 36

Session Hijacking Countermeasures **use unpredictable session ID's limit incoming connections minimize remote access regenerate session key after authentication completes use encryption to protect the channel (like IPSEC)

Answer 36

use encryption to protect the channel (like IPSEC)

Question 37

Encapsulating Security Payload

Answer 37

ESP - protocol that provides origin authenticity and integrity but can also do encryption (confidentiality) In Transport Mode ESP does NOT provide integrity and authentication for entire packet. but it does in Tunnel Mode

Question 38

Internet Key Exchange

Answer 38

IKE - protocol that produces keys for encryption

Question 39

Oakley

Answer 39

protocol that uses Diffie-Helman to create master and session keys

Question 40

Internet Security Association Key Management Protocol

Answer 40

ISAKMP - software that facilitates encrypted communication between two endpoints