
Chapter 1 - 03 - Define Malware and its Types - 16_ocred.pdf



Certified Cybersecurity Technician - Information Security Threats and Vulnerabilities - Exam 212-82

How is a Worm Different from a Virus?

A Worm Replicates on its own
* A worm is a special type of malware that can replicate itself and use memory but cannot attach itself to other programs

A Worm Spreads through the Infected Network
* A worm takes advantage of file or information transport features on computer systems and automatically spreads through the infected network, but a virus does not

Table 1.2: Difference between virus and worm

Worm | Virus
A worm infects a system by exploiting a vulnerability in an OS or application by replicating itself | A virus infects a system by inserting itself into a file or executable program
Typically, a worm does not modify any stored programs; it only exploits the CPU and memory | It might delete or alter the content of files or change the location of files in the system
It consumes network bandwidth, system memory, etc., excessively overloading servers and computer systems | It alters the way a computer system operates without the knowledge or consent of a user
A worm can replicate itself and spread using IRC, Outlook, or other applicable mailing programs after installation in a system | A virus cannot spread to other computers unless an infected file is replicated and sent to the other computers
A worm spreads more rapidly than a virus | A virus spreads at a uniform rate, as programmed
Compared with a virus, a worm can be removed easily from a system | Viruses are difficult to remove from infected machines

Module 01 Page 70 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
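The table above draws the distinction that matters to a defender: a worm replicates on its own, spreads rapidly through the network and consumes bandwidth, whereas a virus only moves when an infected file is sent. On the wire, worm propagation shows up as one source host contacting many distinct destinations on the same service port inside a short window. The following block is an added example, not EC-Council material: it scores every (source, port) pair in a connection log by the largest number of distinct destinations seen in any sliding time window and flags pairs at or above a threshold. The log format, the sample lines and the threshold are constructed for the example.

```python
"""Worm-like fan-out detection over connection logs (added example).

Scores each (src, dport) pair by the peak number of distinct destinations
contacted inside any sliding window and reports pairs above a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>" (not from the page).
# 10.0.0.5 sweeps eight neighbours on 445 in under a minute; 10.0.0.8 is benign.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.0.10 445
2024-05-01T10:00:03 10.0.0.8 10.0.0.9 443
2024-05-01T10:00:04 10.0.0.5 10.0.0.11 445
2024-05-01T10:00:08 10.0.0.5 10.0.0.12 445
2024-05-01T10:00:09 10.0.0.8 10.0.0.20 22
2024-05-01T10:00:12 10.0.0.5 10.0.0.13 445
2024-05-01T10:00:16 10.0.0.5 10.0.0.14 445
2024-05-01T10:00:18 10.0.0.8 10.0.0.9 443
2024-05-01T10:00:20 10.0.0.5 10.0.0.15 445
2024-05-01T10:00:24 10.0.0.5 10.0.0.16 445
2024-05-01T10:00:25 10.0.0.8 10.0.0.21 22
2024-05-01T10:00:28 10.0.0.5 10.0.0.17 445
2024-05-01T10:00:40 10.0.0.8 10.0.0.22 22
2024-05-01T10:00:55 10.0.0.8 10.0.0.9 443
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_fanout(lines, window_seconds=60, threshold=5):
    """Return {(src, dport): peak distinct destinations} for pairs at or above threshold.

    Events are grouped per (src, dport) and scanned with a sliding time window;
    the score is the peak number of distinct destinations inside any window.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))

    alerts = {}
    for key, evs in by_key.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until the oldest event fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, port), peak in sorted(find_fanout(SAMPLE_LOG.splitlines()).items()):
        print(f"worm-like fan-out: {src} -> {peak} distinct hosts on port {port}")
```

The threshold and window are tuning knobs: a file server or a vulnerability scanner legitimately fans out on a few ports, so in practice the detector is paired with an allow-list of known scanners and a per-port baseline rather than run with one global threshold.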
Worm Makers

Internet Worm Maker Thing
* Internet Worm Maker Thing is an open-source tool used to create worms that can infect a victim's drives and files, show messages, and disable antivirus software
[Slide screenshot: Internet Worm Maker Thing - Version 4.00 - Public Edition]

Worm Makers
Worm makers are tools that are used to create and customize computer worms to perform malicious tasks. These worms, once created, spread independently over networks and poison entire networks. With the help of pre-defined options in the worm makers, a worm can be designed according to the task it is intended to execute.

Internet Worm Maker Thing
Internet Worm Maker Thing is an open-source tool used to create worms that can infect a victim's drives and files, show messages, disable antivirus software, etc. This tool comes with a compiler that can easily convert your batch virus into an executable to evade antivirus software or for any other purpose.

Module 01 Page 71
Figure 1.11: Screenshot of Internet Worm Maker Thing (Version 4.00, Public Edition; the window shows Payloads, Infection Options and Startup checkbox groups and a Generate Worm button)

Some additional worm makers are as follows:
* Batch Worm Generator
* C++ Worm Generator

Module 01 Page 72
Rootkits

* Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time, and in the future
* Rootkits replace certain operating system calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system, causing malicious functions to be executed
* A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Rootkits (Cont'd)

The attacker places a rootkit by:
* Scanning for vulnerable computers and servers on the web
* Wrapping it in a special package like a game
* Installing it on public computers or corporate computers through social engineering
* Launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

Objectives of a rootkit:
* To root the host system and gain remote backdoor access
* To mask attacker tracks and the presence of malicious applications or processes
* To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access
* To store other malicious programs on the system and act as a server resource for bot updates

Rootkits
Rootkits are software programs designed to gain access to a computer without being detected. They are malware that help attackers gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to gain root privileges to a system. By logging in as the root user of a system, an attacker can perform various tasks such as installing software or deleting files.
It works by exploiting the vulnerabilities in the OS and its applications. It builds a backdoor login process in the OS via which the attacker can evade the standard login process. Once the user enables root access, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and discarding active processes. Rootkits replace certain OS calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system by executing malicious functions. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, and others.

Rootkits are used to hide viruses, worms, bots, etc., and are difficult to remove. Malware hidden by rootkits is used to monitor, filter, or steal sensitive information and resources, change the configuration settings of the target computer, and perform other potentially unsafe actions. Rootkits are installed by attackers after gaining administrative access, either by exploiting a vulnerability or by cracking a password. Once the attacker obtains control over the target system, they can modify files and the existing software that detects rootkits. Rootkits are activated each time the system is rebooted, before the operating system completes loading, making their detection challenging. Rootkits install hidden files, processes, hidden user accounts, etc., in the system's operating system to perform malicious activities. They intercept data from terminals, keyboards, and network connections, and enable attackers to extract sensitive information from the target user.
Rootkits gather sensitive user information such as usernames, passwords, credit card details, and bank account details, in order to commit fraud or accomplish other malicious objectives.

The attacker places a rootkit by:
* Scanning for vulnerable computers and servers on the web
* Wrapping the rootkit in a special package like a game
* Installing it on public or corporate computers through social engineering
* Launching a zero-day attack (privilege escalation, Windows kernel exploitation, etc.)

Objectives of a rootkit:
* To root the host system and gain remote backdoor access
* To mask attacker tracks and the presence of malicious applications or processes
* To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or have no access
* To store other malicious programs on the system and act as a server resource for bot updates

Module 01 Page 74
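The text describes two rootkit symptoms a defender can actually test for on a host: utilities and OS calls replaced by modified versions that hide processes, and hidden user accounts planted for backdoor access. The block below is an added example, not EC-Council's material. The process check is the classic cross-view technique: a rootkit that hooks what `ps` relies on can hide a process from `ps`, but the kernel still exposes every process as a numeric directory under /proc, so any PID present in /proc and absent from `ps` deserves a closer look. The account check scans passwd-format text for accounts other than root that carry UID 0. The pure functions take their input as arguments so they can be exercised on the constructed samples; run_live() applies them to the local Linux host when the file is run as a script (the /proc layout and the `ps -eo pid=` invocation are standard on Linux, and are assumptions about the host the script runs on).

```python
"""Host checks for two rootkit symptoms (added example): processes hidden
from user-space tools (cross-view diff of /proc against ps) and extra UID-0
accounts in passwd-format data.
"""
import os
import subprocess

# Constructed passwd-format sample (not from the page): the last line is the
# kind of extra UID-0 account a rootkit might plant as a backdoor login.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svcadm:x:0:0:service account:/var/tmp:/bin/sh
"""


def hidden_pids(proc_pids, ps_pids):
    """Cross-view difference: PIDs the kernel exposes but ps does not report."""
    return sorted(set(proc_pids) - set(ps_pids))


def uid0_accounts(passwd_text):
    """Names of accounts with UID 0 other than 'root' in passwd-format text."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip blank, malformed or commented lines
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def list_proc_pids(proc_root="/proc"):
    """PIDs visible as numeric directories under /proc (the kernel's view)."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}


def list_ps_pids():
    """PIDs reported by ps (the user-space view a rootkit typically tampers with)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p) for p in out.split()}


def run_live(rounds=2):
    """Return (PIDs hidden from ps in every round, extra UID-0 accounts).

    Taking several rounds and keeping only PIDs hidden in all of them suppresses
    the false positives caused by processes that start or exit between the two
    snapshots of a single round.
    """
    suspects = None
    for _ in range(rounds):
        found = set(hidden_pids(list_proc_pids(), list_ps_pids()))
        suspects = found if suspects is None else suspects & found
    with open("/etc/passwd") as fh:
        extra_root = uid0_accounts(fh.read())
    return sorted(suspects), extra_root


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        pids, accounts = run_live()
        print("PIDs hidden from ps:", pids or "none")
        print("extra UID-0 accounts:", accounts or "none")
    else:
        print("no /proc on this host; demonstrating on constructed data")
        print("hidden:", hidden_pids([1, 2, 3, 4], [1, 2, 4]))
        print("extra UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

A kernel-mode rootkit that filters the /proc directory listing itself defeats this particular cross-view, which is why the text calls detection challenging; the check is cheap and catches user-space hooking, and is complemented by comparing the running system with a trusted view taken from offline media or a known-good boot.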
