Ethical Hacking V10 Threats Module 6 - Malware - SCS-TECH UK

Transcription

Ethical Hacking v10 – Module 6 – Malware Threats

Malware Threats

Goals
- Understand malware and malware propagation techniques
- Understand Trojan types and how they work
- Understand virus types and how they work
- Understand computer worms
- Understand the process of malware analysis
- Understand malware detection techniques
- Learn malware countermeasures
- Understand malware penetration testing

Module 6.0 Malware Threats
6.1 Introduction to Malware
6.2 Trojan Concepts
6.3 Virus and Worm Concepts
6.4 Malware Reverse Engineering
6.5 Malware Detection
6.6 Countermeasures
6.7 Anti-malware Software
6.8 Penetration Testing

6.1 Introduction to Malware

Introduction to Malware
Malicious software that damages or disables computer systems and gives some control to the malware creator, typically for theft or fraud.
Examples: Trojan horse, virus, backdoor, worm, rootkit, spyware, ransomware, botnet, adware, crypter

How Malware Gets into Systems
- Instant messenger applications
- IRC (Internet Relay Chat)
- Removable devices
- Email attachments
- Legitimate software packaged (trojanized) by a disgruntled employee
- Browser and email software bugs
- NetBIOS (file sharing)
- Fake programs
- Untrusted sites and freeware software
- Downloading files, games, and screensavers from Internet sites

Common Techniques Attackers Use to Distribute Malware on the Web
- Blackhat Search Engine Optimization (SEO): ranking malware pages highly in search results
- Malvertising: embedding malware in ad networks that appear on hundreds of legitimate sites
- Compromised legitimate sites: hosting embedded malware that spreads to visitors
- Social-engineered click-jacking: tricking users into clicking on innocent-looking pages
- Spear-phishing sites: impersonating legitimate organizations in an attempt to steal login credentials
- Drive-by downloads: exploiting flaws in browser software to install malware when the user merely visits a web page

6.2 Trojan Concepts

How Hackers Use Trojans
- Delete or replace the operating system's critical files
- Generate DoS attacks
- Record screenshots, audio, and video of the target computer
- Use the target computer for spamming and blasting email messages
- Download spyware, adware, and malicious files
- Disable firewalls and antivirus software
- Create backdoors for remote access
- Turn the target computer into a proxy server for relay attacks
- Use the target computer as part of a botnet to generate DDoS attacks
- Steal information, including passwords, security codes, and credit card information, using keyloggers

Common Ports Used by Trojans

TCP Port   Name of Trojan
21         Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23         Tiny Telnet Server
25         Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31         Hackers Paradise
80         Executor
456        Hackers Paradise
555        Ini-Killer, Phase Zero, Stealth Spy
666        Satanz Backdoor
1001       Silencer, WebEx
1011       Doly Trojan
1170       Psyber Stream Server, Voice
1234       Ultors Trojan
1243       SubSeven 1.0-1.8
1245       VooDoo Doll
1999       BackDoor 1.00-1.03
2001       Trojan Cow
2023       Ripper
2115       Bugs

Trojan Ports (cont'd) – the port numbers for the following entries were lost in the transcription of these slides; only the Trojan names survive:
Deep Throat, The Invasor; Phineas Phucker; WinCrash; Masters Paradise; Portal of Doom; File Nail 1; ICQTrojan; Bubbel; Sockets de Troie; Firehotcker; Blade Runner 0.80 Alpha; Blade Runner; Priority; Remote Grab; ...onitor (name truncated); ICKiller; BackOrifice 2000; iNi-Killer; Coma 1.0.9; Senna Spy; Progenic trojan; Hack 99 KeyLogger; GabanBus, NetBus; Whack-a-mole

TCP Port   Name of Trojan
16969      Priority
20001      Millennium
20034      NetBus 2.0, Beta-NetBus 2.01
21544      GirlFriend 1.0, Beta-1.35
22222      Prosiak
23456      Evil FTP, Ugly FTP
26274      Delta
30100      NetSphere 1.27a
30101      NetSphere 1.27a
30102      NetSphere 1.27a
31337      Back Orifice
31338      Back Orifice, DeepBO
31339      NetSpy DK
31666      BOWhack
33333      Prosiak
34324      BigGluck, TN
40412      The Spy
40421      Masters Paradise
40422      Masters Paradise
40423      Masters Paradise
40426      Masters Paradise
47262      Delta
50505      Sockets de Troie
50766      Fore
53001      Remote Windows Shutdown
54321      SchoolBus .69-1.11
61466      Telecommando
65000      Devil

UDP Port   Name of Trojan
1349       Back Orifice DLL
31337      Back Orifice 1.20
31338      DeepBO
54321      Back Orifice 2000

Note: these are the historical default ports of these Trojans. Any of them can be reconfigured to another port, and most modern malware talks over 80/443 to blend in with web traffic, so a port match is a lead to confirm by identifying the owning process, not proof of infection on its own.

6.3 Trojan Types

Types of Trojans
VNC Trojan, HTTP Trojan, ICMP Trojan, Data Hiding Trojan, Destructive Trojan, HTTPS Trojan, Botnet Trojan, Proxy Server Trojan, Remote Access Trojan, FTP Trojan, Defacement Trojan, E-banking Trojan, Covert Channel Trojan, Notification Trojan, Mobile Trojan, Command Shell Trojan

Command Shell Trojans
- A command shell Trojan gives remote control of the command shell on a target computer
- The Trojan server is installed on the target computer and listens on a port for the attacker to connect
- A client is installed on the attacker's computer and is used to launch a command shell on the target computer

Defacement Trojans
- Resource editors allow viewing, editing, extracting, and replacing strings, bitmaps, logos, and icons in any Windows program
- They allow viewing and editing of almost any aspect of a compiled Windows program, including menus, dialog boxes, icons, etc.
- A User-styled Custom Application (UCA) is applied to deface Windows applications

Botnet Trojans
- Botnet Trojans infect a large number of target computers across a large geographic area to create a network of bots controlled through a command and control (C&C) center
- Botnets are used to launch attacks on targets, including DoS, spamming, click fraud, and financial information theft

Botnet Trojans (cont'd)
Tor-based Botnet Trojans – ChewBacca
- The ChewBacca Trojan stole data on 49,000 payment cards from 45 retailers in 11 countries over a two-month span
Botnet Trojans – Skynet and CyberGate
- Skynet: a Tor-powered Trojan with DDoS, Bitcoin mining, and banking capabilities, spread through Usenet
- CyberGate RAT: a fully configurable Remote Administration Tool coded in Delphi and continuously developed by an experienced team
- CyberGate RAT is marketed as a tool for various applications, ranging from assisting users with routine maintenance tasks to remotely monitoring children; in practice it captures regular user activity and automatically keeps a backup of everything typed, i.e. it keylogs

Proxy Server Trojans
- A Trojan proxy is usually a standalone application that allows a remote attacker to use the target computer as a proxy to connect to the Internet
- The proxy server Trojan starts a hidden proxy server on the target computer
- Thousands of computers on the Internet are infected with proxy servers using this technique

W3bPrOxy Tr0j4nCr34t0r (Funny Name)
- W3bPrOxy Tr0j4nCr34t0r is a proxy server Trojan
- Supports multiple connections from many clients
- Reports IP addresses and ports by email to the Trojan owner

FTP Trojans
- FTP Trojans install an FTP server on the target computer that opens FTP ports
- An attacker can then connect to the target computer over the FTP port and download any files that exist on the target computer

VNC Trojans
- A VNC Trojan starts a VNC server daemon on the target system
- The attacker connects to the target using any VNC viewer
- VNC is considered a legitimate utility, which makes a VNC Trojan difficult to detect
Hesperbot
- Hesperbot is a banking Trojan with common functionality including keystroke logging, screenshot and video capture, and configuring remote proxies
- Creates a hidden VNC server for the attacker to connect to the target remotely
- VNC does not log the user off the way RDP does, so the attacker can connect to the target computer while a user is working

HTTP/HTTPS Trojans
- Bypass the firewall: HTTP Trojans get past firewalls that permit outbound web traffic by working as a reverse HTTP tunnel (the target initiates the connection outbound, rather than the attacker connecting in)
- Spawn a child program: executed on the internal host, the Trojan spawns a child at a scheduled time
- Access the Internet: the child program looks like a user's browser to the firewall and is allowed to access the Internet

HTTP Trojan – HTTP RAT
- Displays ads and records personal data and keystrokes
- Downloads unsolicited files and disables programs or the system
- Floods the Internet connection and distributes threats
- Tracks browsing history and activity and hijacks the browser
- Makes fraudulent claims about spyware detection and removal

SHTTPD Trojan – HTTPS (SSL)
- SHTTPD is a small HTTP server that can be embedded in any program
- Can be wrapped with a legitimate program
- When executed, it turns the target computer into an invisible web server

ICMP Tunneling
- Covert channels are methods by which an attacker hides data inside a protocol so that the transfer goes unnoticed
- They rely on tunneling, which allows one protocol to be carried over another protocol
- ICMP tunneling uses ICMP echo-request and echo-reply packets to carry a payload and silently access or control a target computer
- Icmpsend: on the client computer, run "icmpsend <target IP address>"; on the ICMP server, run "icmpserv -install"
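The following is an added example, not the icmpsend/icmpserv tools named on the slide: it builds ICMP echo packets by hand per RFC 792 (so it runs offline, without raw sockets or root), shows the covert channel carrying a command in the request data and its output in the reply data, and then shows the defender's check, namely that echo data which is not a stock ping pattern deserves a look. The "normal" Linux and Windows ping payloads it compares against are assumptions about the baseline on a given network.

```python
"""Added example (not the icmpsend/icmpserv tools from the slide): a covert
channel in ICMP echo data, and a heuristic check for it. Packets are built by
hand per RFC 792 so it runs offline without raw sockets or privileges."""
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Assumed baseline: Linux ping sends an 8-byte timestamp followed by the byte
# ramp 0x10..0x3f; Windows ping sends a fixed 32-character alphabet string.
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))
WINDOWS_PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + payload), ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, data); a valid packet checksums to zero."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


# --- the covert channel: command in the request data, output in the reply data ---
def tunnel_request(command: str, ident: int = 0xBEEF, seq: int = 1) -> bytes:
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, command.encode())


def tunnel_reply(request: bytes, run_command) -> bytes:
    """The 'ICMP server' side: run the carried command, mirror id/seq back in a reply."""
    _, ident, seq, data = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, ident, seq, run_command(data.decode()))


# --- the defender's side: echo data that is not a stock ping pattern is worth a look ---
def looks_like_tunnel(packet: bytes) -> bool:
    icmp_type, _, _, data = parse_echo(packet)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return False
    if not data or data == WINDOWS_PING_PATTERN:
        return False
    if len(data) == 56 and data[8:] == LINUX_PING_PATTERN:
        return False  # Linux ping: timestamp followed by the fixed byte ramp
    return True       # oversized or free-form data field: tunnel candidate


if __name__ == "__main__":
    req = tunnel_request("whoami")
    rep = tunnel_reply(req, lambda cmd: b"root\n" if cmd == "whoami" else b"?")
    print("request data:", parse_echo(req)[3], "flagged:", looks_like_tunnel(req))
    print("reply data:  ", parse_echo(rep)[3], "flagged:", looks_like_tunnel(rep))
    print("stock ping flagged:", looks_like_tunnel(build_echo(8, 1, 1, WINDOWS_PING_PATTERN)))
```

The check is a heuristic: a tunnel that pads its data to exactly the stock ping pattern length and format will pass it, and a host running ping with a custom pattern (ping -p) will trip it. In practice it is combined with volume and timing (far more echoes than a human would send, at machine-regular intervals) and with the simple policy of not allowing echo to leave the network at all.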

ICMP Tunneling Example

Remote Access Trojans
- Work like remote desktop access
- The attacker gains complete graphical user interface (GUI) access to the target computer remotely
Installation:
1. Infect the target computer with server.exe
2. Plant a reverse-connecting Trojan
3. The Trojan connects out to port 80 to establish the reverse connection
4. The attacker has complete control over the target computer

Remote Access Trojans (cont'd)
Optix Pro, MoSucker, BlackHole RAT, SSH-R.A.T., njRAT, Xtreme RAT, DarkComet RAT, Pandora RAT, HellSpy RAT, ProRAT, Theef

Remote Access Tools – Atelier Web Remote Commander
- Allows establishment of a remote connection to a remote computer
- Doesn't install any client or supporting software on the remote computer

Hell Raiser RAT
- HellRaiser allows an attacker to gain access to the target computer
- Send pictures, pop up chat messages, and transfer files to and from the target system
- Completely monitor the operations performed on the target computer

Covert Channel Trojan – CCTT
- The Covert Channel Tunneling Tool (CCTT) Trojan is equipped with a number of exploitation techniques for creating arbitrary data transfer channels inside the data streams authorized by a network access control system
- Enables attackers to get an external server shell from within the internal network, and from internal to external as well
- Sets up a TCP/UDP/HTTP CONNECT|POST channel permitting TCP data streams (SSH, SMTP, POP, etc.) between an external server and a device that resides on the internal network

E-banking Trojans
- Intercept a target's banking account information before it is encrypted
- Send it to the attacker's Trojan command and control center
- Steal the target's data, including credit card information, and transmit it to remote hackers using email, FTP, IRC, and other methods

Types of E-banking Trojans
TAN Grabber
- The Trojan intercepts a valid Transaction Authentication Number (TAN) entered by the user
- Replaces the TAN with a random number that will be rejected by the bank
- The attacker can then use the intercepted TAN with the user's login details
HTML Injection
- The Trojan creates fake form fields on e-banking pages
- The fields elicit extra information (card number, date of birth, etc.)
- The attacker can use it to impersonate the target and compromise the account
Form Grabber
- The Trojan analyses POST requests and responses to the target's browser
- Compromises scramble pad authentication
- Intercepts scramble pad input as the user enters the Customer Number and Personal Access Code

E-banking Trojans – ZeuS and SpyEye
- The main purpose of ZeuS and SpyEye is to steal bank and credit card account information, FTP data, and other sensitive information from infected computers via web browsers and protected storage
- SpyEye can automatically and quickly initiate online transactions
- Additional e-banking Trojans include Citadel Builder and Ice IX

Destructive Trojans – M4sT3r Trojan
- M4sT3r is a very dangerous and destructive Trojan
- When executed it destroys the operating system
- Formats all local and network drives
- The user will no longer be able to boot the computer

Notification Trojans
- Notification Trojans send the target's IP address (location) to the attacker
- Whenever the target computer connects to the Internet, the attacker receives a notification

Data Hiding Trojans (Encryption Trojans)
- Encryption Trojans encrypt data files on the target's system and render the information unusable
- Written in C
- Attackers demand a ransom, or force the target(s) to make purchases from their online drug stores, to unlock the files
- Targets include: company databases, personal information, vital files and folders, financial information, confidential documents and information


6.4 Trojan Tools

How to Infect Systems Using a Trojan
1. Create a new Trojan packet using a Trojan horse construction kit
2. Create a dropper, the part of the trojanized packet that installs the malicious code on the target computer
3. Create a wrapper using wrapper tools to install the Trojan on the target computer
4. Propagate the Trojan
5. Execute the dropper
6. Execute the damaging program/routine
Major Trojan attack paths:
- User clicks on a malicious link
- User opens a malicious email attachment

Wrappers
- A wrapper binds a Trojan executable with a legitimate .exe application that appears to be a game or office application
- The two programs are wrapped together into a single file
- When the user runs the wrapped .exe, it installs the Trojan in the background and then runs the wrapping application in the foreground

Dark Horse Trojan Virus Maker

Crypters
- Software used by hackers to hide viruses, keyloggers, or other tools inside any file to avoid detection by antivirus products
- Can encrypt, obfuscate, and manipulate malware, making it harder for security programs to detect
- Used by cybercriminals to create malware that can bypass security programs
- The output presents itself as a harmless program until it is installed

Types of Crypters
Static/statistical crypters
- Use different stubs to make each encrypted file unique
- Having a separate stub for each client makes it easier for malicious actors to modify or, in hacking terms, "clean" a stub once it has been detected by security software
Polymorphic crypters
- Considered more advanced
- Use algorithms that rely on random variables, data, keys, decoders, and so on
- One input source file never produces an output file identical to the output of another run
Crypter services are available online for a modest fee (on the order of 10 to 100)

Crypter Examples
Msfvenom, AIO FUD Crypter, Hidden Sight Crypter, Galaxy Cryptor, Criogenic Crypter, Heaven Crypter, SwayzCryptor, Aegis Crypter

Creating a Malicious Payload Using MSFVENOM

Exploit Kit
- An exploit kit, or crimeware toolkit, is a platform for delivering exploits and payloads to the target
- Payloads include Trojans, spyware, backdoors, bots, buffer overflow scripts, etc.

Creating a Malicious Payload in Metasploit

Set Up Your Exploit Multi Handler (msfconsole; the payload name must match the one given to msfvenom, and LHOST is the Kali machine's IP address)
    use exploit/multi/handler
    set PAYLOAD windows/x64/meterpreter/reverse_tcp
    set LHOST <Kali IP>
    set LPORT 4444
    show options
    run

Infinity
- The Infinity Exploit Kit uses vulnerabilities in Mozilla Firefox, Internet Explorer, and Opera to install threats on target computers
- Malware analysts have also reported that the Infinity Exploit Kit exploits known vulnerabilities in web browser add-ons and platforms such as Java and Adobe Flash
- The Infinity Exploit Kit is used to compromise target computers and may be associated with other threats
- It will find and use any vulnerability it can to install threats on the PC

Other Exploit Kits
Phoenix Exploit Kit
- A commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of 2,200
- Designed to booby-trap hacked and malicious websites so that they impose drive-by downloads on visitors
- Targets only Microsoft Windows computers
Blackhole Exploit Kit
- Commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of web-browser vulnerabilities for the purpose of installing malware of the customer's choosing
- Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses

Other Exploit Kits (cont'd)
Bleeding Life Exploit Pack
- Runs on Java
- What is interesting about this kit is that its authors advertise that one of the included "exploits" isn't really an exploit at all: it is a social engineering attack in which the hacked page simply abuses built-in Java functionality to ask the visitor to run a malicious Java applet
Crimepack
- A prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked websites with malicious software
- Another Java exploit kit

Evading Antivirus Techniques
- Break the Trojan file into multiple pieces and zip them into a single file
- Write the Trojan yourself and embed it in an application
- Change the Trojan's syntax (rewrite the source) so that its signature changes
- Convert the .exe to a VB script
- Change the .exe extension to .doc.exe, .ppt.exe, or .pdf.exe, since Windows hides known file extensions by default
- Change the content of the Trojan with a hex editor, update the checksum, and encrypt the file
- Never use Trojans downloaded from the web, as antivirus products detect these with no trouble

6.5 Virus and Worm Concepts

Introduction to Viruses
- A virus is a self-replicating program that produces its own copy by attaching itself to another program, a computer boot sector, or a document
- Viruses are usually transmitted through file downloads, infected removable disk drives, flash drives, and email attachments
Virus characteristics: infects other programs, alters data, transforms itself, corrupts files and programs, encrypts itself, self-replicates

The Life of a Virus
- Design: the virus is developed using programming code or construction kits
- Replication: the virus replicates for a period of time and then spreads
- Launch: the virus is activated by the user
- Detection: the virus is detected by antivirus software
- Incorporation: antivirus vendors incorporate a signature for the virus into their updates so that it is eradicated automatically
- Elimination: the threat from that virus is eliminated when users keep their antivirus software up to date

Working of Viruses
Infection phase
- The virus replicates itself and attaches to an .exe file on the system
Attack phase
- Viruses are programmed with trigger events that activate them and corrupt systems
- Viruses may infect each time they are run
- Viruses may run only when predefined conditions occur
- Viruses may run on specific days, dates, times, or events

Reasoning Behind Creating Viruses
- Cause damage to an individual or organization
- Receive financial benefits
- Research projects
- Play a trick
- Vandalism
- Perpetrate cyber terrorism
- Distribute ideological messages (political, religious, etc.)

Indication of Virus Attack
Abnormal activities: the system acts in an unusual and unexpected way
- Processes take more time to complete
- The computer is unresponsive
- Drive labels change
- Unable to boot the operating system
- The computer slows down when running normal applications
False positives: the following can result from a virus, but they are often ordinary glitches with other causes
- Many antivirus alerts
- The computer freezes periodically
- Files and folders are missing
- Hard drive accesses increase
- The browser window freezes frequently

How Do Computers Become Infected
- Users download or run files from untrusted sources
- Users open infected email attachments
- Users install pirated and untrusted applications
- Users do not keep operating systems and applications updated regularly
- Users do not install new versions of plug-ins when directed
- Users do not keep antivirus applications up to date

6.6 Virus Types

Ransomware
- Ransomware is a type of malware that restricts access to a target computer's files and folders and demands an online ransom payment to the malware creators
Types: CryptorBit ransomware, CryptoLocker ransomware, CryptoDefense ransomware, CryptoWall ransomware, police-themed ransomware

Types of Viruses
System or boot sector, file, cluster, multipartite, macro, stealth/tunneling, encryption, sparse infector, add-on, polymorphic, companion/camouflage, intrusive, metamorphic, shell, direct action or transient, overwriting file (cavity), file extension, terminate and stay resident (TSR)

System or Boot Sector Viruses
- A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
- When the affected system boots, the virus code is executed first and then control is passed to the original MBR

File and Multipartite Viruses
File viruses
- Infect files that are executed or interpreted on the system, including .exe, .sys, .com, .prg, .bat, .mnu, .obj, etc.
- Can be either direct-action (non-resident) or memory-resident
Multipartite viruses
- Infect the system boot sector and executable files at the same time

Macro Viruses
- Infect files created by Microsoft Word or Excel
- Most are written in Visual Basic for Applications (VBA)
- Infect templates or convert infected documents into template files, while appearing normal

Cluster Viruses
- Modify directory table entries so that they point users or system processes to the virus code rather than the actual application
- Only one copy of the virus is stored on disk, but it infects all applications on the computer
- Launches itself first whenever any application on the computer is started, after which control is passed to the actual application

Stealth/Tunneling Viruses
- Evade antivirus software by intercepting its requests to the operating system
- The virus hides by intercepting the antivirus software's request to read the file, so the request is handled by the virus instead of the operating system
- The virus then returns an uninfected version of the file to the antivirus software, which makes the file appear clean

Encryption Viruses
- Use simple encryption to encipher the virus body
- The body is encrypted with a different key for each infected file
- Antivirus software cannot directly detect the body using signature detection; however, the small decryptor stub that precedes the body is the same in every copy, and that stub is what signature scanners target

Polymorphic Code
- Mutates while keeping the original algorithm intact
- To enable this, the virus must have a polymorphic engine (mutating engine) that rewrites the decryptor stub as well as re-keying the body
- When well written, no part remains the same from one infection to the next, so neither the body nor the stub yields a fixed signature
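The following added example, not code from the slides, makes the difference between the two preceding slides concrete in a toy model. The "virus" is a byte string for a four-opcode toy decryptor VM (SETKEY, XORKEY, DECRYPT, NOP: an assumption for illustration; nothing here executes real code). An encryption virus re-keys the body, so a signature on the plaintext body fails but a wildcard signature on the constant stub still fires; a polymorphic copy regenerates the stub too, so both signatures fail and the scanner falls back to emulating the decryptor and matching what it produces.

```python
"""Added example, not from the slides: why an encryption virus beats a body
signature but not a stub signature, and why a polymorphic decryptor beats both,
leaving emulation. The 'virus' is a byte string for a toy four-opcode VM
(SETKEY/XORKEY/DECRYPT/NOP, an assumption for illustration only)."""
import hashlib
import random

SETKEY, DECRYPT, XORKEY, NOP = 0x01, 0x02, 0x03, 0x90
# Constructed stand-in for the malicious body (what every copy must end up running).
PAYLOAD = b"echo VIRUS BODY RUNS AFTER THE DECRYPTOR STUB\n"
BODY_SIGNATURE = PAYLOAD[:16]              # static signature on the plaintext body
STUB_SIGNATURE = [SETKEY, None, DECRYPT]   # wildcard signature: 01 ?? 02


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encryption_virus_copy(key: int) -> bytes:
    """Encryption virus: constant decryptor, new key per infection."""
    return bytes([SETKEY, key, DECRYPT]) + xor(PAYLOAD, key)


def polymorphic_virus_copy(key: int, mask: int, nops=(0, 0, 0)) -> bytes:
    """Polymorphic virus: the key is rebuilt from two values and NOPs are
    sprinkled in, so the decryptor bytes differ from copy to copy."""
    ops = [bytes([SETKEY, mask]), bytes([XORKEY, mask ^ key]), bytes([DECRYPT])]
    stub = b"".join(bytes([NOP]) * n + op for n, op in zip(nops, ops))
    return stub + xor(PAYLOAD, key)


def emulate(sample: bytes) -> bytes:
    """Run the decryptor in an interpreter and return whatever it decrypts."""
    key, pc = 0, 0
    while pc < len(sample):
        op = sample[pc]
        if op == NOP:
            pc += 1
        elif op == SETKEY:
            key, pc = sample[pc + 1], pc + 2
        elif op == XORKEY:
            key, pc = key ^ sample[pc + 1], pc + 2
        elif op == DECRYPT:
            return xor(sample[pc + 1:], key)
        else:
            raise ValueError("not a decryptor at offset %d" % pc)
    raise ValueError("decryptor never reached DECRYPT")


def wildcard_match(sample: bytes, pattern) -> bool:
    n = len(pattern)
    return any(all(p is None or sample[i + j] == p for j, p in enumerate(pattern))
               for i in range(len(sample) - n + 1))


def classify(sample: bytes) -> str:
    """Report which detection technique catches the sample first."""
    if BODY_SIGNATURE in sample:
        return "body signature"
    if wildcard_match(sample, STUB_SIGNATURE):
        return "decryptor-stub signature"
    try:
        if hashlib.sha256(emulate(sample)).digest() == hashlib.sha256(PAYLOAD).digest():
            return "emulation"
    except (ValueError, IndexError):
        pass
    return "undetected"


if __name__ == "__main__":
    rng = random.Random(1)
    makers = {
        "encryption": lambda: encryption_virus_copy(rng.randrange(2, 256)),
        "polymorphic": lambda: polymorphic_virus_copy(
            rng.randrange(2, 256), rng.randrange(2, 256), tuple(rng.randrange(3) for _ in range(3))),
    }
    for label, make in makers.items():
        copies = [make() for _ in range(20)]
        print(label, len(set(copies)), "distinct copies, detected by:", {classify(c) for c in copies})
```

Real engines do the same thing at scale: emulate the first few thousand instructions of the entry point, then scan the memory image that results. That is also why anti-emulation tricks (long delay loops, checks for emulator artifacts) are the next move in the arms race.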

Metamorphic Viruses
- Rewrite themselves completely every time they infect a new executable
- Metamorphic code reprograms itself by translating its own code into a temporary representation and then back into normal code

File Overwriting or Cavity Viruses
- A cavity virus overwrites a part of the host file that is constant (usually filled with nulls) without increasing the length of the file, preserving the host's functionality

Sparse Infector Viruses
- Infect only occasionally, not every application that is executed
- Infect only files that are a certain size
- This helps the virus avoid detection

Companion/Camouflage Viruses
- A companion virus stores itself in a file whose name is similar to that of another program file that is commonly executed
- When that file is executed, the virus infects the computer or performs malicious actions such as deleting files on the user's hard drive

Shell Viruses
- Infect a computer by wrapping themselves around code that already exists, such as the operating system code that writes to a file
- Whenever a program tries to use the enclosed code, the virus code is executed

File Extension Viruses
- Change the extensions of files
- .txt is considered safe, as it indicates a pure text file
- With extension display turned off, a file may appear to be safe when it is not
- Example: File.txt could really be File.txt.vbs
- Countermeasure: turn off "Hide extensions for known file types" in the operating system so the real extension is shown

Add-on and Intrusive Viruses
Add-on viruses
- Add their code to the host without altering the host's own code
- Insert the code at the beginning of the valid code, so that it runs first
Intrusive viruses
- Overwrite the host code partly or completely with the viral code

Transient and Terminate-and-Stay-Resident Viruses
- Transient: disappears after running
- TSR: loads itself into memory and stays there

Virus Hoaxes and Fake Antiviruses
Virus hoaxes
- Hoaxes are false alarms reporting a non-existent virus; the hoax message itself may carry malicious attachments
- Fake warning messages propagated to users telling them not to open a specific email that will supposedly damage their system
Fake antiviruses
- Attackers disguise malware as an antivirus product and trick users into installing it
- Fake antiviruses damage target systems and are themselves malware

Computer Worms
- Malicious programs that operate across network connections without the need for human involvement
- Most worms replicate and spread across the network, consuming resources
- Some worms carry a damaging payload
- Worm payloads are often used to install backdoors, turning infected computers into zombies and creating botnets

Differences between Virus and Worm
- Worms spread on their own; viruses need a host program and usually a user action to propagate
- Worms do not need to attach themselves to other programs
- Worms use file/information transport features to spread across infected networks automatically; viruses don't
Type of worm: Ghost Eye Worm
Worm maker: Internet Worm Maker Thing

6.7 Malware Analysis

Sheep Dip Computer
- Sheep dipping is the analysis of incoming messages and files for malware on a dedicated machine
- Sheep dip computers have port, file, and network monitors and anti-virus software
- Sheep dip computers have a strictly controlled connection to the network

Antivirus Sensor System
- Computer software that identifies and analyzes malicious code threats
- Used in conjunction with sheep dip computers

Malware Analysis
Prepare the test bed by:
- Isolating the system
- Disabling shared folders and the guest-host integration features (drag-and-drop, shared clipboard) so the sample cannot reach the host
- Copying the malware to the guest OS

Malware Analysis (cont'd)
1. Perform static analysis while the malware is inactive
2. Collect information concerning: string values found in the binary; the packaging/compressing technique
3. Set up the network connection and ensure there are no errors
4. Run the virus and monitor process actions and system information
5. Record network traffic information
6. Determine which files have been added, which processes have been spawned, and which registry changes have been made
7. Collect information on service requests, DNS information, and incoming/outgoing connection attempts
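Step 6 is a before/after comparison, which is what Regshot-style tools automate. The following added example, not tooling from the slides, does that comparison for a directory tree (hashing every file) and for a dict standing in for a registry hive, using one diff routine for both. fake_dropper() is a constructed stand-in for the sample under test, and the whole thing runs against a throwaway temporary directory so it is safe to execute anywhere; a real analysis runs the sample in the isolated VM described above.

```python
"""Added example, not the slide's tooling: the before/after comparison that
Regshot-style tools perform, done for a directory tree and for a dict standing
in for a registry hive. fake_dropper() is a constructed stand-in for the sample."""
import hashlib
import os
import shutil
import tempfile


def snapshot_tree(root: str) -> dict:
    """Map relative path -> SHA-256 of contents for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Works for any key -> value mapping: file hashes, registry values, service lists."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def fake_dropper(root: str, registry: dict) -> None:
    """Constructed behaviour typical of a dropper: plant a binary, edit a config,
    remove a file, add a Run-key persistence entry. Not real malware."""
    with open(os.path.join(root, "Public", "svchost.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(root, "config.ini"), "a") as fh:
        fh.write("proxy=203.0.113.9:8080\n")
    os.remove(os.path.join(root, "readme.txt"))
    registry[RUN_KEY + r"\Updater"] = r"C:\Users\Public\svchost.exe"


def analyze(sample) -> dict:
    """Seed a throwaway tree and mock registry, run the sample, report the deltas."""
    root = tempfile.mkdtemp(prefix="malware-lab-")
    registry = {RUN_KEY + r"\OneDrive": r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}
    try:
        os.mkdir(os.path.join(root, "Public"))
        for name, content in (("readme.txt", "hello"), ("config.ini", "lang=en\n"), ("notes.txt", "n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(content)
        fs_before, reg_before = snapshot_tree(root), dict(registry)
        sample(root, registry)            # in a real lab: detonate the sample in the VM here
        fs_after, reg_after = snapshot_tree(root), dict(registry)
        return {"files": diff_snapshots(fs_before, fs_after),
                "registry": diff_snapshots(reg_before, reg_after)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for area, delta in analyze(fake_dropper).items():
        for kind, items in delta.items():
            for item in items:
                print("%-8s %-8s %s" % (area, kind, item))
```

Hash-based comparison catches content changes that a timestamp comparison misses (malware routinely timestomps the files it drops), and the Run key entry is the kind of persistence indicator step 6 is meant to surface. The same diff applied to a snapshot of services, scheduled tasks and listening ports rounds out the picture.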

Online Malware Analysis Services
Anubis: Analyzing Unknown Binaries, Avast! Online Scanner, Malware Protection Center, ThreatExpert, Dr. Web Online Scanners, Metascan Online, Bitdefender QuickScan, UploadMalware.com, Online Malware Scanner, ThreatAnalyzer, VirusTotal

Various Analysis Services
- Trojan analysis: NeverQuest
- Virus analysis: Ransom Cryptolocker
- Worm analysis: Darlloz

6.8 Malware Reverse Engineering

Approaches to Reverse Engineering Malware
- Reverse engineers use a hex dumper to look for bit patterns
- Use a disassembler to read executable instructions in text form
- Examine the malware's exploitation techniques
- If the malware obfuscates itself, focus reverse engineering on only the new parts
- Look for mistakes in ransomware encryption implementations
- Look for command and control activity
- Categorization and clustering: do broad-stroke analysis on bulk samples rather than a deep dive into a single sample

Techniques
Static analysis
- Analyze binaries without actually running them
- Look at file metadata; disassemble or decompile the executable
Dynamic analysis
- Run the executable in a sandboxed environment
Automated analysis
- Use automated tools, but be careful that they don't miss anything
Manual analysis
- Use if the malware contains anti-debugging routines or anti-analysis mechanisms
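The first static pass on any sample is a strings dump, and on Windows binaries a plain ASCII strings run misses most of what matters because the interesting text (URLs, registry paths, command lines) is usually stored as UTF-16LE. The following added example, not tooling from the slides, extracts both encodings and triages the hits with a small indicator regex; SAMPLE is a constructed byte blob standing in for a binary, and the keyword list is an assumption to be extended per case.

```python
"""Added example, not from the slides: a 'strings' pass that also finds
UTF-16LE text (how Windows binaries store most interesting strings), plus a
keyword triage. SAMPLE is a constructed byte blob, not a real binary."""
import re


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII byte followed by NUL, repeated: UTF-16LE as used on Windows."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


# Assumed triage keywords; extend per case (mutex names, user agents, crypto API names...).
INDICATORS = re.compile(r"https?://|[A-Za-z]:\\|HKEY_|HKLM|HKCU|\.exe|\.dll|powershell|CurrentVersion\\Run", re.I)


def triage(data: bytes) -> dict:
    found = {"ascii": ascii_strings(data), "utf16": utf16le_strings(data)}
    found["interesting"] = sorted({s for s in found["ascii"] + found["utf16"] if INDICATORS.search(s)})
    return found


# Constructed sample: a DOS-stub message, junk, a UTF-16 C2 URL, fake code bytes,
# a UTF-16 registry path and an ASCII command line.
SAMPLE = (b"\x00" * 8 + b"This program cannot be run in DOS mode.\r\n$" + b"\xde\xad\xbe\xef" * 8
          + "http://c2.example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00"
          + b"\x4c\x8b\x0d" * 7
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + b"\x00" * 4 + b"cmd.exe /c whoami > %TEMP%\\out.txt\x00")

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("ASCII only would have found:", result["ascii"])
    print("UTF-16LE added:", result["utf16"])
    print("worth a second look:", result["interesting"])
```

A short or empty strings output from a sizeable executable is itself a finding: it usually means the binary is packed or its strings are built at runtime, which is the cue to move to dynamic analysis or to dump strings from memory after the sample has unpacked itself.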

Malware Analysis Tools
- Knowledge of assembly language
- Disassembler: IDA Pro
- Debugger: OllyDbg, WinDbg
- System monitor: Process Monitor, Regshot, Process Explorer
- Network monitor: TCPView, Wireshark
- Packer identifier: PEiD
- Unpacking tools: QUnpack, GUNPacker
- Binary analysis tools: PE Explorer, Malcode Analyst's Pack
- Code analysis tools: LordPE, ImpREC

IDA Pro Example

6.9 Malware Detection

How to Detect Trojans
- Scan for suspicious open ports
- Scan for suspicious startup programs
- Scan for suspicious running processes
- Scan for suspicious files and folders
- Scan for suspicious network activity
- Scan for suspicious registry entries
- Scan for suspicious device drivers
- Scan for OS files that have been suspiciously modified
- Scan for suspicious Windows services
- Run a Trojan scanner

Scanning for Suspicious Ports
- Trojans open ports that are otherwise unused and connect out to Trojan handlers
- Watch for connections to unknown or suspicious IP addresses
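The following added example, not a tool from the slides, scripts the check that a TCPView or CurrPorts session does by eye: it parses "netstat -ano" output, flags listeners and outbound connections on ports from the module's Trojan port table, and flags any other listener that is not on an expected list. The netstat text is constructed for the example, KNOWN_TROJAN_PORTS is a subset of the table earlier in the module, and EXPECTED_LISTENERS is an assumption about the host; a hit is a lead to confirm by inspecting the owning PID, not proof, since these are historical defaults and modern malware prefers 80/443.

```python
"""Added example, not a tool from the slides: the TCPView/CurrPorts check
scripted over 'netstat -ano' output. Port list is a subset of this module's
table; expected listeners are an assumption; netstat text is constructed."""

# (protocol, port) -> Trojan name, taken from the port table earlier in this module
KNOWN_TROJAN_PORTS = {
    ("tcp", 1243): "SubSeven", ("tcp", 20034): "NetBus 2.0", ("tcp", 30100): "NetSphere",
    ("tcp", 31337): "Back Orifice", ("tcp", 31338): "Back Orifice/DeepBO",
    ("tcp", 31339): "NetSpy DK", ("tcp", 54321): "SchoolBus", ("tcp", 65000): "Devil",
    ("udp", 1349): "Back Orifice DLL", ("udp", 31337): "Back Orifice 1.20",
    ("udp", 31338): "DeepBO", ("udp", 54321): "Back Orifice 2000",
}
# Listeners this host is expected to have (assumption for the example).
EXPECTED_LISTENERS = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 3389)}

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2288
  TCP    192.168.1.20:49712     203.0.113.9:31337      ESTABLISHED     4120
  TCP    192.168.1.20:49713     93.184.216.34:443      ESTABLISHED     3316
  UDP    0.0.0.0:31337          *:*                                    4120
"""


def port_of(endpoint: str) -> int:
    """'0.0.0.0:135' or '[::]:135' -> 135; '*:*' -> 0."""
    port = endpoint.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:  # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        rows.append({"proto": proto.lower(), "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def scan(text: str) -> list:
    findings = []
    for row in parse_netstat(text):
        proto, pid = row["proto"], row["pid"]
        listening = row["state"] == "LISTENING" or proto == "udp"
        lport, rport = port_of(row["local"]), port_of(row["remote"])
        if listening and (proto, lport) in KNOWN_TROJAN_PORTS:
            findings.append({"kind": "trojan-port", "pid": pid, "detail": "listening on %s/%d (%s)"
                             % (proto, lport, KNOWN_TROJAN_PORTS[(proto, lport)])})
        elif listening and (proto, lport) not in EXPECTED_LISTENERS:
            findings.append({"kind": "unexpected-listener", "pid": pid,
                             "detail": "listening on %s/%d" % (proto, lport)})
        if row["state"] == "ESTABLISHED" and (proto, rport) in KNOWN_TROJAN_PORTS:
            findings.append({"kind": "trojan-port", "pid": pid, "detail": "connected to %s:%d (%s handler port)"
                             % (row["remote"].rsplit(":", 1)[0], rport, KNOWN_TROJAN_PORTS[(proto, rport)])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_NETSTAT):
        print("PID %-6d %-19s %s" % (f["pid"], f["kind"], f["detail"]))
```

Every finding carries the PID so the next step is mechanical: look the process up in Task Manager or Process Explorer, check its image path and signer, and compare against the startup and service scans from the slide above. A Trojan that picked port 443 would not appear here at all, which is why this scan complements rather than replaces the process and network-activity checks.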

Ports Monitoring Tools
TCPView, CurrPorts

Scanning for Suspicious Services Trojans make thems
