Introduction to Programming Concepts

Questions and Answers

Which of the following is a common feature of most programming languages?

  • Graphic design options
  • Hardware interfacing
  • User interface design
  • Data manipulation capabilities (correct)

All programming languages are exclusively object-oriented.

False (B)

What is the main purpose of a compiler?

To translate high-level code into machine code.

In the context of programming, the term ______ refers to a sequence of instructions that can be executed by a computer.

algorithm

Match the following programming concepts to their definitions:

  • Variable = A storage location identified by a memory address
  • Loop = A control structure that repeats a block of code
  • Function = A reusable piece of code that performs a specific task
  • Array = A collection of elements identified by an index

Which of the following types of malware can operate silently in the background without detection?

Spyware (B)

All malware can be classified into either a Trojan or a virus.

False (B)

What is the primary purpose of malware?

To damage or disable computer systems and allow control to the malware creator.

Which of the following is NOT a method for detecting Trojans?

Scan for suspicious email attachments (D)

It is safe to open email attachments from unknown senders if you're using antivirus software.

False (B)

Malware can enter a system through ______ applications.

instant messenger

Match the following malware types with their descriptions:

  • Trojan Horse = Disguises as legitimate software
  • Ransomware = Locks or encrypts files for a ransom
  • Spyware = Monitors user activity secretly
  • Worm = Self-replicating malware that spreads across networks

Name one countermeasure to prevent backdoor installations.

Educate users not to install applications from untrusted sources.

One common method to detect Trojans is to scan for suspicious ______ entries.

registry

Match each scanning method with its description:

  • Scan for open ports = Identifies potential entry points for unauthorized access
  • Scan for startup programs = Detects programs that run automatically when the computer starts
  • Run Trojan scanner = Utilizes specialized software to find Trojans

What is the primary function of a wrapper in the context of Trojans?

To bind a Trojan executable with an innocent application (C)

A virus can self-replicate by attaching itself to a program or document.

True (A)

What is the role of a Command Shell Trojan?

It provides remote control of a command shell on a victim's machine.

Botnet Trojans are primarily used to launch ______ on a victim.

denial-of-service attacks

Match the types of Trojans with their functionalities:

  • Wrapper = Binds Trojan with innocent application
  • Remote Access Trojan = Provides complete GUI access
  • Command Shell Trojan = Gives control of a command shell
  • Botnet Trojan = Infects multiple computers to form a network

Which technique is NOT effective for evading anti-virus detection?

Using Trojans downloaded from the web (D)

List one characteristic that defines a computer virus.

Self-replication

What is one reason people create computer viruses?

Inflict damage to competitors (C)

Computer worms require human interaction to spread.

False (B)

What action triggers the activation of a virus?

Running an infected program

A virus that uses simple encryption to encipher its code is known as an __________ virus.

encryption

Match the following malware types with their characteristics:

  • Virus = Requires user action to spread
  • Worm = Replicates and spreads independently
  • Trojan = Disguises itself as legitimate software
  • Encryption Virus = Enciphers code to avoid detection

Which of the following is NOT a method for a computer to get infected by viruses?

Downloading from verified sources (D)

Antivirus sensor systems can detect malicious code threats.

True (A)

What is a potential consequence of a computer worm's payload?

Installation of backdoors or creation of botnets

The process of assimilating defenses against a virus by antivirus software developers is known as __________.

incorporation

Which of these actions is a method to help eliminate virus threats?

Installing antivirus updates (D)

Flashcards

Malware Definition

Harmful software designed to damage computer systems, give control to the creator, or steal information.

Trojan Horse Use

Trojans can steal data, create backdoors, infect PCs with other malware, and disable security.

Malware Distribution Technique

Attackers trick users into downloading malware, often through seemingly innocent webpages or software.

Malware Infection Methods

Malware can enter systems through various means: downloads, attachments, compromised websites, removable devices, and more.

Trojan Propagation

The process of spreading a Trojan across systems, usually after initial compromise

Wrapper Trojan

A Trojan disguised as a harmless .EXE file, like a game or office application. It installs the Trojan in the background while running the innocent application in the foreground.

Command Shell Trojan

A Trojan that allows remote control of a victim's command shell. The attacker connects to a port on the victim's machine and can then execute commands.

Remote Access Trojan

A Trojan that gives the attacker full GUI access to a victim's computer, essentially taking over their desktop.

Botnet

A large network of infected computers (bots) controlled by a single attacker. Used for various malicious activities like denial-of-service attacks or spam.

Virus

A self-replicating program that spreads by attaching itself to other programs, documents, or the boot sector.

Virus Characteristics

Viruses exhibit several characteristics, including infecting other programs, altering data, transforming themselves, corrupting files and programs, encrypting themselves, and self-replicating.

Virus Design Stage

The initial stage of virus development where the virus code is created using programming languages or construction kits.

Suspicious Network Activity

Uncommon or unusual network traffic patterns, such as unexpected data flows or excessive connections to unknown servers.

Trojan Scanner

A specialized software program designed to identify and remove Trojan horse programs from a computer system.

Firewall Block Ports

Configuring your firewall to block access to specific ports on your computer, preventing unauthorized connections and potential Trojan infiltration.

Suspicious Registry Entries

Changes to the Windows Registry that are not expected or associated with legitimate software, possibly indicating Trojan presence.

Avoid Untrusted Sources

Downloading and executing applications only from reliable and verified sources to minimize the risk of Trojan infections.

Virus Replication

A virus multiplies within a system before spreading to other systems.

Virus Launch

A virus activates when a user performs specific actions, often by running infected software.

Virus Detection

Identifying a virus threat that infects a system.

Virus Incorporation

Antivirus developers include defenses against newly discovered viruses.

Virus Elimination

Removing a virus threat from a system using updated antivirus software.

Encryption Virus

A virus that uses encryption to hide its code, making it harder to detect.

Worm Replication

Worms can duplicate themselves and spread across a network without any human interaction.

Worm Payload

A destructive component that a worm may carry to damage a system.

Anti-Virus Sensor System

Software designed to identify and analyze malicious threats like viruses, worms, and Trojans.

How is a Worm Different from a Virus?

Worms can replicate themselves and spread across a network without needing to attach to other programs, while viruses need to attach to other files.

Study Notes

Malware Threats

  • Malware is malicious software designed to damage or disable computer systems, giving limited or full control to its creator for purposes of theft or fraud.
  • Common types of malware include Trojan Horses, viruses, backdoors, worms, rootkits, spyware, ransomware, botnets, adware, and crypters.

Different Ways Malware Enters a System

  • Instant messaging applications
  • Internet Relay Chat (IRC)
  • Removable devices (USB drives, etc.)
  • Email attachments
  • Legitimate "shrink-wrapped" software (maliciously altered)
  • Browser and email software bugs
  • NetBIOS (File Sharing)
  • Fake programs
  • Untrusted sites and freeware software
  • Downloading files, games, and screensavers from untrusted websites

Common Techniques Attackers Use to Distribute Malware

  • Black hat search engine optimization (SEO): Ranking malware pages highly in search results
  • Social engineering and clickjacking: Tricking users into clicking on malicious webpages
  • Malvertising: Embedding malware in ad networks displaying on legitimate sites
  • Spearphishing sites: Mimicking legitimate institutions to steal credentials
  • Compromised legitimate websites: Hosting embedded malware to spread to unsuspecting visitors
  • Drive-by downloads: Exploiting browser flaws to install malware by simply visiting a webpage

How Hackers Use Trojans

  • Delete or replace essential operating system files
  • Disable firewalls and antivirus software
  • Generate fake traffic to create Denial-of-Service (DoS) attacks
  • Record screenshots, audio, and video of victim's PC
  • Use victim's PC for spamming and email blasts
  • Download spyware, adware, and malicious files
  • Create backdoors for remote access
  • Infect victim's PC as a proxy server for attacks
  • Use victim's PC in a botnet to perform DDoS attacks
  • Steal information (passwords, security codes, etc.) using keyloggers

How to Infect Systems Using a Trojan

  • Create a new Trojan using a construction kit
  • Create a dropper (a part of the trojanized package) that will insert malicious code onto the target system
  • Example of a Dropper: Installation path, autostart location, malicious code, file location, executable file, etc.
  • Create a wrapper using wrapper tools to install the Trojan
  • Propagate the Trojan
  • Execute the dropper
  • Execute the damage routine

Wrappers

  • A wrapper binds a Trojan executable with an innocent-looking application (e.g., game, office app).
  • Attackers might use greetings or animations within the wrapper app to install Trojans.

Command Shell Trojans

  • Command shell Trojans provide remote control of a command shell on the victim's machine.
  • The Trojan server installs on the victim's machine and opens a port for the attacker's machine (the client) to initiate a command shell.
  • Example command use is: C:\>nc <ip> <port>.

Remote Access Trojans (RATs)

  • A remote desktop access Trojan provides complete GUI access to the infected system.
  • Attacker can monitor activity and potentially make changes/install or run programs remotely.
  • The Trojan establishes a reverse connection with the attacker's machine.

Botnet Trojans

  • Botnet Trojans infect many computers across a large geographical area to create a network of bots controlled by a central Command and Control (C&C) center.
  • The botnet is used for various attacks, including denial-of-service (DoS), spamming, click fraud, and theft of financial information.

Evading Anti-Virus Techniques

  • Break a Trojan into pieces and zip it to evade detection
  • Write your own Trojan and embed it to disguise its nature
  • Change EXE extension syntax (to DOC, PPT, etc.) within the code to bypass antivirus scrutiny
  • Change Trojan content using a hex editor to alter checksums and encrypt the file

Introduction to Viruses

  • A virus is a self-replicating program that spreads by attaching itself to other programs, computer boot sectors, or documents.
  • Viruses are typically carried through downloads, infected storage drives, or as email attachments.
  • Virus characteristics include infection of other programs, data alteration, self-transformation, corruption of files/programs, encryption, and self-replication.

Stages of Virus Life

  • Design: Creating the virus code
  • Replication: Virus replicates within the target system
  • Launch: Virus triggers upon user actions or event
  • Detection: Antivirus software identifies the virus
  • Incorporation: Antivirus software incorporates defenses against the virus
  • Elimination: Users remove the threat using antivirus

Why People Create Computer Viruses

  • Inflict damage to competitors
  • Financial benefits
  • Research projects
  • Play pranks
  • Vandalism
  • Distribute political messages
  • Cyberterrorism

How a Computer Gets Infected by Viruses

  • User accepts files/downloads without checking the source
  • Open infected email attachments
  • Install pirated software
  • Fail to update or install new versions of plug-ins/software
  • Fail to run the latest antivirus application

Encryption Viruses

  • Encryption viruses encipher the malware code with a unique key for each infected file.
  • Antivirus scanning may fail to detect this type of virus/Trojan because signature-based detection does not match the enciphered code.

Computer Worms

  • Computer worms are malicious programs that replicate, execute, and spread across networks independently.
  • Most spread rapidly across a network and consume system resources.
  • Some worms have a payload to damage the system or install backdoors.
  • Attackers use worms to install backdoors and turn computers into zombies that aid in more cyber-attacks.

How a Worm Is Different From a Virus

  • Worms replicate on their own using network resources without requiring an attached program.
  • They spread automatically through the network, whereas viruses attach to program files.
  • Worms use network resources, while viruses rely on the infected program's execution.

Anti-Virus Sensor Systems

  • Anti-virus sensor systems are software packages that detect and analyze malicious code threats (viruses, worms, or Trojans).
  • They work in conjunction with "sheep dip" computers to protect networks from spreading malware.

How to Detect Trojans

  • Scan for suspicious open ports
  • Scan for suspicious startup programs
  • Scan for suspicious running processes
  • Scan for suspicious files and folders
  • Scan for suspicious registry entries
  • Scan for suspicious network activities
  • Scan for suspicious device drivers
  • Scan for suspicious Windows services
  • Run a Trojan scanner to detect the trojans on a targeted device/machine

Trojan Countermeasures

  • Avoid opening email attachments from unknown senders.
  • Install patches and security updates to operating systems and applications
  • Block unnecessary ports using the firewall
  • Avoid accepting program files from instant messaging
  • Harden default settings/disable unnecessary functionalities for protocols and services
  • Monitor internal network traffic for odd ports or encrypted traffic
  • Scan CDs and DVDs with antivirus software before using.
  • Restrict permissions in the desktop environment to limit malicious application installation
  • Avoid blindly typing and implementing pre-fabricated programs
  • Manage the file integrity (e.g., checksums) and perform port/network scans
  • Avoid downloading applications or files from untrusted sources.
  • Use host-based antivirus, firewall, and intrusion detection software

Backdoor Countermeasures

  • Utilize commercial antivirus packages that can detect backdoors (e.g., McAfee, Norton, etc.) to help prevent these from impacting systems.
  • Educate users not to install applications from untrusted websites or email attachments

System Hacking

  • System hacking comprises several stages, described below.

Information at Hand Before System Hacking

  • Footprinting Module: IP range, namespace, employees
  • Scanning Module: Target assessment, identified systems, identified services
  • Enumeration Module: Intrusive probing, user lists, security flaws

System Hacking: Goals

  • Gaining Access: Bypass access controls to gain entrance to the system
  • Escalating Privileges: Acquire rights of another user (e.g., administrator)
  • Executing Applications: Create and maintain remote access for malicious actions
  • Hiding Files: Cover attacker's malicious activities and hide data theft
  • Covering Tracks: Hide the evidence (e.g., clear logs) of the compromise

CEH Hacking Methodology (CHM)

  • Footprinting
  • Scanning
  • Enumeration
  • Gaining Access
  • Cracking Passwords
  • Escalating Privileges
  • Executing Applications
  • Hiding Files
  • Clearing Logs
  • Maintaining Access
  • Covering Tracks

Password Cracking

  • Password cracking retrieves passwords from computer systems.
  • Attackers employ password cracking methods to gain access to weak or easily guessable passwords.

Sniffing

  • Sniffing is the process of monitoring and capturing network packets.
  • Attackers use sniffing to capture sensitive data through unauthorized connections and locations.

Network Sniffing and Threats

  • Open switch ports in an enterprise allow anyone to plug a device into the Ethernet.
  • Enterprises may leave switch ports open or inadequately protected, allowing external devices in the same physical location to capture network data.

Sniffer Workings

  • Sniffer turns the network interface card (NIC) into promiscuous mode. This mode is used by the sniffer to capture all network information on the network segment including information being sent between different machines.
  • Attacker forces the switch to behave as a hub. In this mode, the sniffer can capture all traffic going through the hub.

Types of Sniffing: Passive Sniffing

  • Passive sniffing monitors packets sent by other machines without sending any additional data.
  • It's used to monitor/capture traffic on a hub.
  • Modern networks generally use switches instead of hubs, thus making passive sniffing less effective.

Types of Sniffing: Active Sniffing

  • Active sniffing injects packets into a switch-based network to flood the CAM table to enable the capture of traffic destined to different machines on the network.
  • Common techniques used for sniffing include MAC flooding, DNS poisoning, ARP poisoning, DHCP attacks, port stealing, and spoofing attacks.

How an Attacker Hacks Using Sniffers

  • An attacker connects a laptop to the network.
  • An attacker learns about the topology of the network.
  • An attacker targets a victim machine.
  • ARP spoofing is used to redirect traffic to the attacker.
  • Attacker extracts passwords and sensitive data.

Protocols Vulnerable to Sniffing

  • Protocols with unprotected credentials over networks, such as: HTTP, Telnet, Rlogin, POP, IMAP, SMTP, NNTP, and FTP.
  • Sniffers operate at the data link layer of the OSI model.
  • Sniffers capture information from the packet directly on the network.
  • Sniffing through the Data Link Layer does not affect OSI layers above the data link layer.

Hardware Protocol Analyzer

  • Hardware protocol analyzers capture signals on a cable without altering the traffic.
  • It's used to monitor the network, identify malicious traffic, decode, and analyze data packets.

Hardware Protocol Analyzers

  • Keysight N2X N5540A
  • Keysight E2960B
  • RADCOM PrismLite Protocol Analyzer
  • RADCOM Prism UltraLite Protocol Analyzer
  • FLUKE Networks OptiView XG Network Analyzer
  • FLUKE Networks OneTouch Network Assistant

Wiretapping

  • Wiretapping involves a third party monitoring phone and internet conversations using hardware, software, or a combination of both connected to the network circuit.
  • Active wiretapping monitors, records, alters communication traffic.
  • Passive wiretapping just monitors and records traffic to gain data knowledge.

Lawful Interception

  • Lawful interception is the legal interception of data communication.
  • Law enforcement agencies use it for surveillance with appropriate legal authorization.

Wiretapping Case Study: PRISM

  • PRISM is a data tool designed to collect foreign intelligence.
  • The NSA used PRISM to intercept a large amount of foreign internet traffic that was sent via or saved on servers located in the United States.

MAC Flooding

  • MAC flooding involves inundating the switch's CAM table with fake MAC/IP address pairs until it fills up, causing the switch to act as a hub.
  • Attackers can sniff traffic destined to various machines on the network.

How to Defend Against MAC Attacks

  • Implement port security on the switch. Configure policies to only allow specified MAC addresses.
  • Implement policies to restrict MAC addresses allowed on the network or specific port on the switch.

ARP Spoofing Attack

  • Forging ARP packets sends data to the attacker's machine.
  • Spoofing involves flooding the network with forged ARP requests/replies to overload the switch.
  • The attacker can then sniff the network traffic.

ARP Poisoning Threats

  • Packet sniffing: Capture packets for sensitive data or information
  • Session hijacking: Gaining control of a network session by pretending to be another user
  • VoIP call tapping: Intercept/monitor/track VoIP conversations
  • Data manipulation: Changing data on active transmission
  • Man-in-the-middle attack: Hiding/intercepting data exchanged between two end-points on a network
  • Denial-of-Service (DoS) attack: An attempt to make a server or network unavailable

MAC Spoofing/Duplicating

  • The attacker sniffs the MAC addresses currently associated with a switch port and then re-uses one of them to gain unauthorized access to the network.
  • Attackers can intercept and use a legitimate user's MAC address
  • Attackers can gain access to network and take over someone's identity.

DNS Poisoning Techniques

  • DNS poisoning tricks the DNS server into accepting false IP address information for a target website.
  • Attackers might create false DNS entries for the targeted site.

Sniffing Tool: Wireshark

  • Wireshark is a network protocol analyzer tool that captures and analyzes network traffic in real time.

How to Defend Against Sniffing

  • Use HTTPS instead of HTTP to protect user/password credentials (encryption)
  • Use switches instead of hubs (switches send data only to the intended recipient)
  • Use secure transfer protocols (e.g., SFTP, PGP, VPN, etc.) for files
  • Use strong encryption protocols (HTTPS, WPA/2, etc.)
  • Retrieve MAC address directly from the network interface card (NIC); ensures authenticity.
  • Use tools to verify network devices are not in promiscuous mode (it listens to all network traffic)

How to Detect Sniffing

  • Identify/Check which machines are operating in promiscuous mode.
  • Run Intrusion Detection Systems (IDS) to monitor/capture/alert on suspicious changes to MAC addresses (e.g., routers' MAC addresses).
  • Use network tools (e.g., Capsa Network Analyzer) to monitor unusual/strange network packets.

Types of Password Attacks

  • Non-electronic Attacks (e.g., shoulder surfing, dumpster diving): No technical knowledge needed
  • Active Online Attacks: Attacker directly communicates with the machine (e.g., dictionary, brute-forcing, rule-based)
  • Passive Online Attacks: Attacker performs password cracking without contacting the authorized party (e.g., wire sniffing, Man-in-the-Middle attacks, replay attacks)
  • Offline Attacks: Attacker copies target's password file to crack passwords on their own systems (e.g., rainbow table attack)
    • Rainbow Table Attack: A precomputed table that contains lists of words/passwords with their hash values.

Active Online Attacks: Dictionary, Brute Forcing, and Rule-based Attack

  • Dictionary Attack: Loads a dictionary file into the cracking application.
  • Brute Forcing Attack: Tries every combination of characters to break the password (exhaustive).
  • Rule-based Attack: Attacker uses some known information about password criteria to narrow down the possibilities.

Active Online Attack: Password Guessing

  • Creates a list of possible passwords from collected information (e.g., social engineering).
  • Ranks passwords by probability (high to low).
  • Tries passwords sequentially starting with the high-probability ones.

Default Passwords

  • Default passwords are those supplied by manufacturers for new equipment (routers, switches)
  • Attackers often use default passwords to gain unauthorized access, so it's important to immediately change these passwords to one that is more complex.
  • Online tools can be used to search for default passwords.

Active Online Attack: Trojan/Spyware/Keylogger

  • Attacker installs Trojan, spyware, or keylogger on a victim's machine.
  • The malware runs in the background and sends victim's credentials to the attacker.
  • The malware gets installed on victim's machine by using an embedded route or executing pop-up files.
  • The malware sends data via an internet connection, such as over the domain server to the attacker.

Example of Active Online Attack Using USB Drive

  • Attacker prepares a USB drive with malware.
  • USB drive is inserted into victim's computer to execute the malware.
  • Malware starts running in the background to collect data.
  • Data gathered is copied to an external source, for example, back to the attacker's machine.

Passive Online Attacks: Wire Sniffing

  • Attackers run packet sniffer tools to monitor the LAN network traffic for sensitive information.
  • Capture credentials like passwords during FTP/rlogin sessions, etc.
  • Captured credentials are used to compromise the targeted system.

Passive Online Attacks: Man-in-the-Middle and Replay Attack

  • Attacker acquires access to communication channels between the victim and server.
  • Sniffers retrieve data for replay attack (e.g., authentication tokens)
  • Altered packets are inserted back into the network in a replay attack.
  • This is considered a Man-in-the-Middle (MITM) attack.

Offline Attack: Rainbow Table Attack

  • Rainbow tables are precomputed tables for quickly cracking passwords.
  • Attackers capture/use password hashes and compare them to the precomputed rainbow table.
  • Successful match leads to the password recovery (offline mode).

How to Defend Against Password Cracking

  • Enable security audits
  • Don't reuse the same password when changing passwords.
  • Don't share passwords
  • Create/use strong passwords: 8-12 alphanumeric characters (uppercase/lowercase, numbers, symbols)
  • Use strong encryption protocols
  • Implement a password change policy (e.g., 30 days)
  • Avoid storing passwords in insecure locations
  • Don't use default passwords.
  • Enable SYSKEY with a strong password to encrypt the SAM database.

Privilege Escalation

  • Attackers gain administrative access on the machine by exploiting bugs and flaws in operating systems and applications.
  • Attackers gain higher privileges to gain access to the critical/sensitive data
    • Vertical: Gain higher privileges than existing (e.g. non-admin to admin)
    • Horizontal: Accessing the same privilege level from a different user account (e.g. accessing another user account with the same level of privilege).

How to Defend Against Privilege Escalation

  • Restrict interactive logon
  • Use encryption to protect sensitive data
  • Limit user and application access privileges
  • Reduce code that runs with admin privileges
  • Implement multi-factor authentication
  • Run services as unprivileged accounts.
  • Implement a "privilege separation" methodology.
  • Test operating system/application for coding errors.
  • Patch systems frequently.

Executing Applications

  • Attackers execute malicious applications.
  • The malicious programs run remotely on the victim's machine.
  • Attackers gather data, gain access/resources, crack passwords, or capture screenshots.

Keylogger

  • Keyloggers capture each keystroke, log data, and transmit it to a remote location
  • Legitimate applications use keyloggers for monitoring
  • Physical keyloggers intercept keyboard signal before it reaches the operating system.

How to Defend Against Keyloggers

  • Install anti-virus software to update signatures against keylogger threats.
  • Install a "pop-up blocker."
  • Use reputable firewalls for protection.
  • Don't open unverified emails from unknown senders.
  • Scrutinize downloaded files from unknown sources.

Spyware

  • Spyware silently monitors user interaction with computers/internet without knowledge.
  • Hides its presence, processes, and files; is often bundled with freeware/warez programs and used for gathering information.
  • Used to collect usernames, passwords, credit card details, banking information, etc.

How to Defend Against Spyware

  • Avoid using computers/systems that are not under your control
  • Be cautious about suspicious emails/websites
  • Regularly update software/firewall protection
  • Regularly check the task manager/configuration manager for spyware installations.
  • Run anti-spyware software regularly.

Rootkits

  • Rootkits hide their presence and the attacker's malicious activities while maintaining full access to a server/host.
  • Replace operating system calls/utilities with modified versions that undermine security.
  • A rootkit contains backdoor programs, DDoS tools, packet sniffers, logging utilities, IRC bots, etc.

How to Defend Against Rootkits

  • Use up-to-date antivirus software (or other malware detection measures)
  • Pay attention to software updates
  • Run security scans frequently to look for inconsistencies
  • Use a reliable firewall

Steganography

  • Steganography is a technique for hiding messages within an ordinary message (e.g., image/audio).
  • Attackers use steganography to hide data, such as compromised server listings, source code for hacking tools, attack plans, etc.

Covering Tracks

  • An intruder covers their tracks to hide activities after gaining admin access to the system, e.g.:
  • Disable auditing: Disabling auditing features so that any actions aren't tracked
  • Clearing logs: Deleting logs to hide evidence of the events
  • Manipulating logs: Altering log files to hide/mask malicious activities.

Related Documents

Chapter 8
Malware Threats Module 06 PDF
