March 27, 2016

GHR 107 – Malware

Objectives:

  • Topic 107.01 – Trojans
  • Topic 107.02 – Covert Communications (a.k.a. Backdoors)
  • Topic 107.03 – Keystroke Loggers
  • Topic 107.04 – Spyware
  • Topic 107.05 – Viruses
  • Topic 107.06 – Worms
  • Topic 107.07 – Ransomware
  • Topic 107.08 – Botnets
  • Topic 107.09 – Rootkits

Topic 107.01 – Trojans

  • RULE : Trojans use many different delivery systems:
    • Email attachments – the most common one.  The user is presented with an interesting email attachment and clicks to open it, thus executing the trojan.
    • Instant messaging (IM) – the attacker sends a trojan via IM disguised as a naked picture of someone attractive or a “top secret” document.
    • Internet browser vulnerabilities – unpatched versions of Internet Explorer, Chrome, or Firefox provide ways for JavaScript to execute malicious code.
    • Internet Relay Chat (IRC) – used by attackers looking for victims who are looking for file sharing opportunities.
    • Peer-to-peer networks (P2P) – used by file sharing torrents, since people are there to download files to start with.  Loading up the latest movie with a trojan provides a high payoff since a lot of people just blindly click to execute the trojan so they can watch the movie.
    • Physical access – if the attacker has physical access to an unprotected machine, it’s game over.  The trojan will be installed by the attacker directly.
    • Social networking sites – sites such as Twitter, Facebook, LinkedIn, etc. use tinyurl.com and bit.ly to create shorter URLs in order to create friendlier and easier to remember links.  These are also used by attackers to redirect users to sites hosting a trojan, which the victim downloads thinking it’s an update to Adobe Flash or Silverlight.
    • Wrappers (a.k.a. binders or packagers) – used to combine a legitimate program with a trojan.
  • RULE : Trojans require victim actions to spread.  They can’t seek out additional victims on their own like a worm.
  • RULE : Trojans can be created to do many types of tasks for the attacker:
    • Advanced Persistent Threat (APT) – used as part of a larger attack by nation state actors, criminal organizations, hacktivists, etc. to gain a foothold into a network.
    • Banking information – used by the attacker to steal banking credentials in order to transfer money from the victim to the attacker.
    • Credit card data – used by the attacker for purchasing items online and then having the victim charged for it.
    • Denial of Service (DoS) – used to stop running services or block communications.
    • FTP – used to extract data from the victim or to download another payload to the victim.
    • Illegal data storage – used by scum of the earth pedophiles to store illegal child porn photos on victims’ machines, then allowing or selling access to those photos to other pedophiles without the victim knowing it.  If law enforcement finds these files the victim might go to prison for hosting them.
    • Intellectual property theft – used for stealing a company’s crown jewels and selling the information to competitors.
    • Password gathering – used to broaden the scope of the attacker’s access from a single machine into email, social media, online banking, server accounts, and other online accounts.
    • Proxy – allows the attacker to perform malicious activities in the security context of the victim.
    • Ransomware – used to encrypt the victim’s files with a key only the attacker knows and force the victim to pay money in order to get their files unlocked.
    • Remote access – allows the attacker to control the victim’s machine.
    • Shutdown defense software – this is usually used to take down the victim’s defenses like virus scanners, software firewalls, malware detection software, etc. so that the known payload can be delivered to the victim’s machine for further exploitation.
  • RULE : Many remote access trojans open covert communication (CovCom) channels to hide their traffic.
  • RULE : CovCom that is initiated from the attacker, through the firewall, and onto the victim’s internal network is easy to detect and block.
  • RULE : A well designed trojan will spawn a connection from the victim’s machine out to the internet, so it looks like normal traffic.  This forces the victim to need egress filters on their firewall to stop the traffic.
  • RULE : Egress filtering is time consuming and breaks a lot of legitimate traffic, so most weakly defended victims won’t even deal with it.
  • RULE : If the attacker is physically close to the target company or individual, then the attacker can load a trojan on a USB thumb drive, microSD card, etc. and then leave it on the ground in the parking lot or some other nearby location where the victim will find it.  Out of curiosity the victim will pick it up, insert it in their machine, and execute the trojan software.
  • RULE : Well known trojans:
    • Amitis – runs on Windows and uses TCP 1853, 4000, 27551.
    • Back Orifice – runs on Windows.
    • Beast – listens on TCP 6666.
    • Gh0st RAT – runs on Windows.
    • Jumper – runs on Windows.
    • Let Me Rule – listens on TCP 26097 by default.
    • NetBus – runs on Windows and listens on TCP 12345 and responds on TCP 12346.
    • Phatbot (Agobot) – is an IRC bot.
    • Poison Ivy – runs on Windows.
    • Qaz – runs on Windows and listens on TCP 7597.
    • Shady Rat – runs on Windows.
    • SubSeven – runs on Windows and listens on a number of TCP ports such as 1243, 6711, 6712, 6713, 6776, 27374.
    • Tini – runs on Windows and listens on TCP 7777.
    • Zombam.B – uses TCP 80.
  • RULE : Some dated trojan wrappers include:
    • Advanced File Joiner
    • EliteWrap
    • One File EXE Maker
    • Pretty Good Malware Protection (PGMP)
    • Restorator
    • SaranWrap
    • Teflon Oil Patch
    • Wrapper Convert Program
    • Yet Another Builder (YAB)
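Added example, not part of the original notes: a small socket-table review that flags (a) listening sockets on the ports the notes attribute to well-known trojans and (b) outbound connections that an egress allowlist would not permit, which is the kind of egress filtering the rules above say a well designed trojan forces on the defender.  The port-to-trojan table is taken from the notes; the allowlist, the RFC 1918 internal ranges, and the `proto local remote state` log format are assumptions, and the log lines are constructed.

```python
"""Added example (not from the original notes): review a socket table for
listeners on the trojan ports named in the notes and for outbound
connections that violate an assumed egress allowlist."""
import ipaddress
import re

# Listening ports named in the notes.  A hit is a lead to investigate, not
# proof of infection: ordinary software can use the same numbers.
TROJAN_PORTS = {
    1853: "Amitis", 4000: "Amitis", 27551: "Amitis",
    6666: "Beast",
    26097: "Let Me Rule",
    12345: "NetBus", 12346: "NetBus",
    7597: "Qaz",
    1243: "SubSeven", 6711: "SubSeven", 6712: "SubSeven",
    6713: "SubSeven", 6776: "SubSeven", 27374: "SubSeven",
    7777: "Tini",
}

# Assumed egress policy: hosts may only reach these destination ports directly.
EGRESS_ALLOW = {53, 80, 443}

# Assumed internal address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: "proto local_ip:port remote_ip:port state"
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+|\*):(?P<rport>\d+|\*)\s+(?P<state>\w+)$")


def is_internal(ip):
    """True if ip falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return (kind, port, detail) findings for a list of socket-table lines."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or a line in some other format
        lport, state = int(m["lport"]), m["state"]
        if state == "LISTEN" and lport in TROJAN_PORTS:
            findings.append(("listener", lport, TROJAN_PORTS[lport]))
        elif (state == "ESTABLISHED" and is_internal(m["lip"])
              and not is_internal(m["rip"])):
            rport = int(m["rport"])
            if rport not in EGRESS_ALLOW:
                findings.append(("egress", rport, m["rip"]))
    return findings


# Constructed sample socket table (203.0.113.0/24 is a documentation range).
SAMPLE_LINES = [
    "proto local remote state",
    "tcp 10.10.10.5:22 10.10.10.8:51022 ESTABLISHED",      # internal to internal
    "tcp 0.0.0.0:12345 *:* LISTEN",                        # NetBus listener
    "tcp 10.10.10.5:49152 203.0.113.7:443 ESTABLISHED",    # allowed HTTPS egress
    "tcp 10.10.10.5:49153 203.0.113.9:6667 ESTABLISHED",   # IRC out, not allowed
]

if __name__ == "__main__":
    for kind, port, detail in analyze(SAMPLE_LINES):
        print(f"{kind}: port {port} ({detail})")
```

The egress check is the interesting half: the listener table only catches dated trojans that still bind a fixed port, whereas an outbound connection to an unexpected destination port shows up regardless of which tool made it.  A real allowlist would be per-host and would route web traffic through a proxy, which is exactly the maintenance cost the notes say weakly defended sites avoid.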

Topic 107.02 – Covert Communications (a.k.a. Backdoors)

  • RULE : A covert communication takes a normal protocol or application and uses it in an unconventional manner in order to communicate.  The traffic looks normal so as not to draw attention.  During the cold war, spies would use a chalk mark or a piece of colored electrical tape on a stop sign to leave a message that a dead drop was loaded.
  • RULE : Covert communication does not refer to encryption.
  • RULE : Covert communication can be used for:
    • Bypass firewalls.
    • Command and control of Bots in a BotNet.
    • Data extraction from a compromised machine or network.
    • Installing malware on compromised machines.
  • RULE : There are an infinite number of ways to communicate covertly, but here are some examples:
    • Changing insignificant bits in the IP header, like the Type of Service (ToS) field, or crafting a non-random IP ID.
    • Optional IP header extensions, which are (as the name implies) fields appended to an existing header.  The entire remainder of the packet can be filled up with header options, which allows for a huge payload.
    • ICMP Echo Request (ping) can be used easily since it has the optional data field.  Rather than letting the operating system fill the padding, the attacker can use that space and more (up to 64K) for data, commands, etc., such as ping -p 67696e67736f6674 10.10.10.241.  Here 67696e67736f6674 is the hex equivalent of “gingsoft” that I’ve sent to host 10.10.10.241 by using -p on Linux.
    • Using a TCP ACK packet, without a previous SYN and SYN/ACK, to send packets through a firewall that only filters on the SYN packet.  That ACK packet can be used to extract data from the target machine.  AckCmd is an older trojan that does exactly that.
    • Using an HTTP tunnel to hide in plain sight by looking like normal web traffic and evading Intrusion Detection Systems.
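Added example, not part of the original notes: a defender-side inspector for the ICMP Echo Request channel described above.  It parses an ICMP echo request, verifies the checksum, and reports the payload as suspicious when it does not look like ordinary ping padding but instead is a short repeating pattern or almost entirely printable text, which is what the `ping -p` example in the notes produces.  Both packets are constructed in the code.  The "default padding" check assumes the iputils ping behaviour in which payload byte i carries the value i and the first 8 bytes hold a timestamp; that assumption is marked in the code and should be re-checked against the ping implementation in use.

```python
"""Added example (not from the original notes): inspect ICMP echo request
payloads for covert data such as the repeated ping -p pattern."""
import struct


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload, ident=0x1234, seq=1):
    """Construct an ICMP echo request (type 8, code 0) carrying payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


TIMESTAMP = struct.pack("!II", 1459036800, 123456)  # constructed tv_sec, tv_usec


def default_payload(length=56):
    """Assumed stock Linux ping payload: byte i = i, timestamp in bytes 0..7."""
    data = bytearray(i & 0xFF for i in range(length))
    data[:8] = TIMESTAMP
    return bytes(data)


def patterned_payload(pattern, length=56):
    """Payload as ping -p <hex> fills it: pattern repeated, timestamp in bytes 0..7."""
    data = bytearray((pattern * (length // len(pattern) + 1))[:length])
    data[:8] = TIMESTAMP
    return bytes(data)


def shortest_period(data):
    """Length of the shortest unit whose repetition equals data (len(data) if none)."""
    n = len(data)
    for p in range(1, n):
        if n % p == 0 and data == data[:p] * (n // p):
            return p
    return n


def inspect_echo_request(packet):
    """Return findings for an ICMP echo request, or None for any other packet."""
    if len(packet) < 8:
        return None
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != 8:
        return None
    payload = packet[8:]
    body = payload[8:]  # skip the timestamp area, which is never padding
    expected = bytes(i & 0xFF for i in range(8, len(payload)))  # assumed iputils fill
    printable = sum(0x20 <= b < 0x7F for b in body) / len(body) if body else 0.0
    period = shortest_period(body) if body else 0
    result = {
        "checksum_ok": icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum,
        "default_padding": body == expected,
        "repeating_period": period,
        "printable_ratio": round(printable, 2),
    }
    # Default padding is benign; a short repeating unit or an almost entirely
    # printable body is the signature of data smuggled into the data field.
    result["suspicious"] = (not result["default_padding"]
                            and (0 < period <= len(body) // 2 or printable > 0.9))
    return result


if __name__ == "__main__":
    normal = build_echo_request(default_payload())
    covert = build_echo_request(patterned_payload(bytes.fromhex("67696e67736f6674")))
    for name, pkt in (("normal", normal), ("covert", covert)):
        print(name, inspect_echo_request(pkt))
```

On a sensor this would run over the ICMP payload of each captured echo request; large or oddly sized payloads (the notes mention up to 64K) and echo requests whose payload changes between pings to the same host are further cheap indicators, since ordinary ping keeps the padding constant.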

Topic 107.03 – Keystroke Loggers

  • RULE : Hardware keystroke loggers can be wired or wireless and are undetectable by software.
  • RULE : Wired hardware keystroke loggers must be physically retrieved by the attacker in order for them to be of any use.  This is risky since it’s possible that the target user found it and set a trap by placing a camera nearby to see who comes back to the scene of the crime.
  • RULE : Wireless hardware keystroke loggers communicate over 802.11 or Bluetooth, which gives the attacker distance from the target and no need to return to the target machine (or into a trap).
  • RULE : Of course the physical presence of a hardware keystroke logger is a dead giveaway, so they are attached to a machine positioned where the device can be hidden from plain sight, like in the back of the machine.
  • RULE : Software keystroke loggers can record keystrokes in an encrypted log file and then email it to a dead drop inbox for the attacker to retrieve in a predetermined time interval.
  • RULE : Software keystroke loggers can avoid detection by running silently at the lowest level of the operating system so there isn’t a running process that shows up anywhere for the victim to find.

Topic 107.04 – Spyware

  • RULE : Spyware is a type of trojan typically used for generating advertising revenue or more importantly, surveillance.
  • RULE : Advertising based spyware will deliver ads to the infected machine via annoying pop-up ads and ads inserted into web pages.
  • RULE : Surveillance based spyware is used to track what you do on the web, such as buying habits, sites that you visit, etc. so you can be targeted for ads by marketing companies.
  • RULE : Surveillance based spyware can also be used for identity theft, since the attacker can use what is learned from the spyware to social engineer a customer support call posing as the victim.

Topic 107.05 – Viruses

  • RULE : A virus is a small malicious executable program that inserts itself into another existing program.
  • RULE : Viruses can replicate themselves to other host machines, USB drives, and network resources.
  • RULE : Once unleashed, viruses can execute by themselves.
  • RULE : Viruses can have many types of objectives:
    • Deleting some files or reformatting the entire drive.
    • Infect other files in memory.
    • Infect the boot sector, so that booting from USB, and later from the hard drive, loads the virus into memory, where it then infects other files.
    • Macro viruses infect Microsoft Office documents, which is a huge attack surface for corporations as Microsoft Office is standard in most small to large size companies.

Topic 107.06 – Worms

  • RULE : Worms are like trojans and viruses with one major distinction: worms don’t need another program to attach themselves to or hide in.
  • RULE : Worms can enter a machine simply by exploiting a vulnerability or, more simply, through user execution.

Topic 107.07 – Ransomware

  • RULE : Ransomware is typically delivered as a trojan.  Once on the target machine the victim is tricked into executing it.  The payload encrypts files on the target machine, network drives, backups, and whatever else the machine has access to.
  • RULE : Once the ransomware has encrypted the victim’s files, the victim is instructed to pay a ransom in the form of Bitcoins in order to decrypt their files.
  • RULE : Bitcoins are the way in which cyber criminals can get paid and still remain anonymous.
  • RULE : Originally ransomware targeted individuals, but in late 2015 hospitals and commercial organizations became targets.

Topic 107.08 – Botnets

  • RULE : A Botnet is a collection of many infected machines (sometimes called zombies) that are controlled as a single unit by an attacker.
  • RULE : Botnet zombies typically number in the thousands or millions of infected machines.  The Conficker worm created over 10 million zombies for its botnet.
  • RULE : Botnet zombies can scan for new victims on their own and exploit vulnerabilities in new target machines in order to propagate.
  • RULE : Botnets are the perfect tool for creating a Distributed Denial of Service (DDoS) attack since the attack source IP addresses will be too numerous to filter and the aggregated traffic that the zombies create is almost always too overwhelming to defend against.
  • RULE : The owners of zombie machines usually have no idea that they are infected and are part of the botnet army.  When their machine is actively participating in a DDoS attack, their machines will begin to run a little slower than normal.
  • RULE : Earlier botnets employed a client/server architecture, where the zombies are the clients and the attacker runs a few Command and Control servers to give the zombies orders on when, how, and whom to attack.
  • RULE : IRC is typically the communication method since it provides a low bandwidth channel in which to operate.
  • RULE : The largest botnets typically use domains acquired from a Bulk-Friendly hosting provider.  Bulk-Friendly providers operate a shady business and turn a blind eye to illegal cyber activities or actively participate in cybercrime.  Several have been taken down.
  • RULE : Botnets are shut down when the Command and Control server is taken out of commission after detection.  For this reason, newer botnets have adopted a peer-to-peer design, which allows the botnet to survive even if many zombies are wiped out in a cyber raid.
  • RULE : Peer-to-peer botnets can use encrypted traffic in order to hide their activities and lists of known peers.

Topic 107.09 – Rootkits

  • RULE : Rootkits are a suite of malicious tools that allow an attacker to craft different attacks depending on the target machines, while remaining hidden.
  • RULE : Rootkits usually result in administrator or root level privileges (hence the name) on the target machine.
  • RULE : Rootkits can hide by overwriting common commands that the victim might use to identify an intrusion.
  • RULE : Linux ls, lsof, find, locate and Windows dir commands are typically overwritten with the attacker’s version of them.  When the victim goes to look for the malware, nothing but the normal list of files and directories is returned (minus the hidden rootkit).
  • RULE : Rootkits can overwrite the Linux ps and Windows Task Manager with the attacker’s version so that nothing related to the rootkit’s activities shows up as a running process.
  • RULE : Rootkits can overwrite netstat, ifconfig (Linux), ipconfig (Windows) so the victim can’t see network traffic or new network interfaces related to the rootkit.
  • RULE : Most rootkits aimed at Linux will overwrite the killall command so the processes used by the rootkit cannot be stopped.
  • RULE : Some rootkits don’t overwrite any commands, but will instead act like loadable kernel modules, which change what commands do during execution without actually modifying the command itself.
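Added example, not part of the original notes: two defender-side checks against the command-replacement rootkits the rules above describe.  The first compares SHA-256 hashes of system binaries (ls, ps, netstat, ...) against a baseline recorded on a known-clean system, so a replaced ps shows up even though its output looks normal.  The second is a cross-view check that compares the process IDs a trusted enumeration reports (a listing of /proc is assumed as the trusted source) with the PIDs the possibly replaced ps printed; a process visible in /proc but absent from ps is a candidate for something the rootkit is hiding.  All inputs are constructed so the code runs offline; the hashes are of constructed byte strings, not of real binaries.

```python
"""Added example (not from the original notes): baseline hash verification and
a /proc-versus-ps cross-view check for command-replacement rootkits."""
import hashlib
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files: {path: bytes} captured on a clean host -> {path: sha256 hex}."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_baseline(baseline, current):
    """Report baseline paths whose content changed or which are now missing."""
    modified = [p for p, h in baseline.items()
                if p in current and sha256_hex(current[p]) != h]
    missing = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "missing": sorted(missing)}


# Matches the leading PID of a `ps -eo pid,comm` style line; the header has none.
PS_LINE = re.compile(r"^\s*(\d+)\s")


def pids_from_ps(ps_output):
    """PIDs as printed by the (possibly replaced) ps command."""
    return {int(m.group(1)) for m in map(PS_LINE.match, ps_output.splitlines()) if m}


def pids_from_proc(proc_entries):
    """PIDs from a directory listing of /proc: numeric names only."""
    return {int(e) for e in proc_entries if e.isdigit()}


def cross_view(proc_pids, ps_pids):
    """Processes present in /proc but hidden from ps, sorted."""
    return sorted(proc_pids - ps_pids)


# Constructed inputs: a clean capture, and the same host after /bin/ps was replaced.
CLEAN_FILES = {
    "/bin/ls": b"constructed clean ls",
    "/bin/ps": b"constructed clean ps",
    "/bin/netstat": b"constructed clean netstat",
}
BASELINE = build_baseline(CLEAN_FILES)
CURRENT_FILES = dict(CLEAN_FILES, **{"/bin/ps": b"constructed replaced ps"})

PS_OUTPUT = """  PID COMMAND
    1 systemd
  412 sshd
  900 bash
"""
PROC_LISTING = ["1", "412", "900", "1337", "cpuinfo", "meminfo", "self"]

if __name__ == "__main__":
    print("baseline:", verify_baseline(BASELINE, CURRENT_FILES))
    print("hidden pids:", cross_view(pids_from_proc(PROC_LISTING),
                                     pids_from_ps(PS_OUTPUT)))
```

Two caveats follow directly from the notes.  The hashing tool and the baseline must come from read-only media or another host, because a rootkit that replaces ls and ps can just as well replace sha256sum; and the cross-view check only catches userland replacements, since a loadable kernel module rootkit (last rule above) can filter /proc itself, which is why kernel-level rootkits are usually hunted from a clean boot or an external memory image rather than from the running system.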