Malware Threats Module 06 PDF

Summary

This presentation covers malware threats, focusing on Trojans, viruses, and worms. It details how these are created, spread, and detected, including evasion techniques and countermeasures. The slides highlight different attack methods and preventative measures, providing a basic overview of cybersecurity threats and solutions.

Full Transcript

# EH.VN Malware Threats - Module 06

## Unmask the Invisible Hacker.

### CEH Certified Ethical Hacker

## Introduction to Malware

Malware is a malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud.

### Examples of Malware

- Trojan Horse
- Virus
- Backdoor
- Worms
- Rootkit
- Spyware
- Ransomware
- Botnet
- Adware
- Crypter

## Different Ways a Malware can Get into a System

1. Instant Messenger applications
2. IRC (Internet Relay Chat)
3. Removable devices
4. Attachments
5. Legitimate "shrink-wrapped" software packaged by a disgruntled employee
6. Browser and email software bugs
7. NetBIOS (FileSharing)
8. Fake programs
9. Untrusted sites and freeware software
10. Downloading files, games, and screensavers from Internet sites

## Common Techniques Attackers Use to Distribute Malware on the Web

- **Blackhat Search Engine Optimization (SEO)** - Ranking malware pages highly in search results.
- **Social Engineered Click-jacking** - Tricking users into clicking on innocent-looking webpages.
- **Malvertising** - Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites.
- **Spearphishing Sites** - Mimicking legitimate institutions in an attempt to steal login credentials.
- **Compromised Legitimate Websites** - Hosting embedded malware that spreads to unsuspecting visitors.
- **Drive-by Downloads** - Exploiting flaws in browser software to install malware just by visiting a web page.

## How Hackers Use Trojans

- Delete or replace operating system's critical files
- Disable firewalls and antivirus
- Generate fake traffic to create DOS attacks
- Create backdoors to gain remote access
- Record screenshots, audio, and video of the victim's PC
- Infect victim's PC as a proxy server for relaying attacks
- Use victim's PC for spamming and blasting email messages
- Use victim's PC as a botnet to perform DDOS attacks
- Download spyware, adware, and malicious files
- Steal information such as passwords, security codes, credit card information using keyloggers

## How to Infect Systems Using a Trojan

1. Create a new Trojan packet using a Trojan Horse Construction Kit
2. Create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system.
   - **Example of a Dropper**
     - Installation path: `c:\windows\system32\svchosts.exe`
     - Autostart: `HKLM\Software\Mic.....\run\Iexplorer.exe`
   - **Malicious code**
     - Client address: client.attacker.com
     - Dropzone: dropzone.attacker.com
   - **A genuine application**
     - File name: chess.exe
     - Wrapper data: Executable file
3. Create a wrapper using wrapper tools to install Trojan on the victim's computer.
4. Propagate the Trojan
5. Execute the dropper
6. Execute the damage routine

## Wrappers

- A wrapper binds a Trojan executable with an innocent looking .EXE application such as games or office applications.
- When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground.
- The two programs are wrapped together into a single file.
- Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen.

## Command Shell Trojans

- Command shell Trojan gives remote control of a command shell on a victim's machine.
- Trojan server is installed on the victim's machine, which opens a port for an attacker to connect.
- The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine.

## Remote Access Trojans

- This Trojan works like a remote desktop access.
- Hacker obtains complete GUI access to the remote system.
- **Steps:**
  1. Infect the victim's computer with server.exe and plant Reverse Connecting Trojan.
  2. The Trojan connects to Port 80 to the attacker establishing a reverse connection.
  3. The attacker has complete control over the victim's machine.

## Botnet Trojans

- Botnet Trojans infect a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center.
- Botnet is used to launch various attacks on a victim including denial-of-service attacks, spamming, click fraud, and the theft of financial information

## Evading Anti-Virus Techniques

1. Break the Trojan file into multiple pieces and zip them as a single file.
2. Write your own Trojan, and embed it into an application.
3. Change the Trojan's syntax.
   - Convert an EXE to VB script
   - Change the .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hides "known extensions").
4. Change the content of the Trojan using a hex editor, change the checksum, and encrypt the file.
5. Never use Trojans downloaded from the web (antivirus can detect these easily).

## Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
- Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments.

### Virus Characteristics

- Infects other programs
- Alters data
- Transforms itself
- Corrupts files and programs
- Encrypts itself
- Self-replication

## Stages of Virus Life

1. **Design** - Developing virus code using programming languages or construction kits.
2. **Replication** - Virus replicates for a period of time within the target system and then spreads itself.
3. **Launch** - It gets activated with the user performing certain actions such as running an infected program.
4. **Detection** - A virus is identified as a threat infecting target systems.
5. **Incorporation** - Antivirus software developers assimilate defenses against the virus.
6. **Elimination** - Users install antivirus updates and eliminate the virus threats.

## Why Do People Create Computer Viruses

- Inflict damage to competitors
- Financial benefits
- Research projects
- Play prank
- Vandalism
- Cyber terrorism
- Distribute political messages

## How does a Computer Get Infected by Viruses

- When a user accepts files and downloads without checking properly for the source.
- Opening infected e-mail attachments.
- Installing pirated software.
- Not updating, and not installing new versions of plug-ins.
- Not running the latest anti-virus application.

## Encryption Viruses

- This type of virus uses simple encryption to encipher the code.
- The virus is encrypted with a different key for each infected file.
- AV scanner cannot directly detect these types of viruses using signature detection methods.

## Computer Worms

1. Computer worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction.
2. Most of the worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system.
3. Attackers use worm payload to install backdoors in infected computers, which turns them into zombies and creates botnet; these botnets can be used to carry further cyber attacks.

## How is a Worm Different From a Virus?

- **Replicates on its own** - A worm is a special type of malware that can replicate itself and use memory, but cannot attach itself to other programs.
- **Spreads Through The Infected Network** - A worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically but a virus does not.

## Anti-Virus Sensor Systems

- Anti-virus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

## How to Detect Trojans

- Scan for suspicious OPEN PORTS
- Scan for suspicious STARTUP PROGRAMS
- Scan for suspicious RUNNING PROCESSES
- Scan for suspicious FILES and FOLDERS
- Scan for suspicious REGISTRY ENTRIES
- Scan for suspicious NETWORK ACTIVITIES
- Scan for suspicious DEVICE DRIVERS installed on the computer.
- Scan for suspicious modification to OPERATING SYSTEM FILES.
- Scan for suspicious WINDOWS SERVICES.
- Run Trojan SCANNER to detect Trojans.

## Trojan Countermeasures

- Avoid opening email attachments received from unknown senders
- Block all unnecessary ports at the host and firewall
- Avoid accepting the programs transferred by instant messaging
- Harden weak, default configuration settings and disable unused functionality including protocols and services
- Monitor the internal network traffic for odd ports or encrypted traffic
- Avoid downloading and executing applications from untrusted sources
- Install patches and security updates for the operating systems and applications
- Scan CDs and DVDs with antivirus software before using
- Restrict permissions within the desktop environment to prevent malicious applications installation
- Avoid typing the commands blindly and implementing pre-fabricated programs or scripts
- Manage local workstation file integrity through checksums, auditing, and port scanning
- Run host-based antivirus, firewall, and intrusion detection software

## Backdoor Countermeasures

- Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage.
- Educate users not to install applications downloaded from untrusted internet sites and email attachments.
- Use anti-virus tools such as McAfee, Norton, etc. to detect and eliminate backdoors.

## Virus and Worms Countermeasures

1. Install anti-virus software that detects and removes infections as they appear.
2. Generate an anti-virus policy for safe computing and distribute it to the staff.
3. Pay attention to the instructions while downloading files or any programs from the Internet.
4. Update the anti-virus software regularly.
5. Avoid opening the attachments received from an unknown sender as viruses spread via e-mail attachments.
6. A virus infection may corrupt data, so maintain regular data backups.
7. Schedule regular scans for all drives after the installation of anti-virus software.
8. Do not accept disks or programs without checking them first using a current version of an anti-virus program.

## Virus and Worms Countermeasures (Cont'd)

1. Ensure the executable code sent to the organization is approved.
2. Do not boot the machine with infected bootable system disk.
3. Know about the latest virus threats.
4. Check the DVDs and CDs for virus infection.
5. Ensure the pop-up blocker is turned on and use an Internet firewall
6. Run disk clean up, registry scanner and defragmentation once a week.
7. Turn on the firewall if the OS used is Windows XP.
8. Run anti-spyware or adware once in a week.
9. Do not open the files with more than one file type extension.
10. Be cautious with the files being sent through the instant messenger.

## Anti-Virus Tools

- AVG Antivirus
- BitDefender
- Kaspersky Anti-Virus
- Trend Micro Titanium Maximum Security
- Norton AntiVirus
- F-Secure Anti-Virus
- avast! Pro Antivirus 2014
- McAfee AntiVirus Plus 2014
- ESET Smart Security 7
- Total Defense Internet Security Suite
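
The startup-program and registry-entry checks listed under "How to Detect Trojans" can be partly automated. The following is an added example, not part of the original slides: it flags autostart entries whose file name carries a document-plus-executable double extension or sits one edit away from a well-known Windows binary name, as `svchosts.exe` and `Iexplorer.exe` do in the dropper example. The allow-list, the extension sets and the sample entries are constructed assumptions.

```python
import ntpath

# Assumed allow-list of legitimate Windows binary names (constructed, not exhaustive).
KNOWN_BINARIES = {"svchost.exe", "explorer.exe", "iexplore.exe",
                  "lsass.exe", "services.exe", "winlogon.exe"}
DOCUMENT_EXTS = {".doc", ".ppt", ".pdf", ".xls", ".jpg", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".vbs", ".pif"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(path):
    """Return the reasons a Windows file path deserves a closer look."""
    name = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(name)
    inner_ext = ntpath.splitext(stem)[1]
    reasons = []
    # report.pdf.exe shows as "report.pdf" when known extensions are hidden.
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}")
    # A name one edit away from a system binary is a common masquerade.
    if name not in KNOWN_BINARIES:
        near = sorted(k for k in KNOWN_BINARIES if edit_distance(name, k) == 1)
        if near:
            reasons.append("look-alike of " + ", ".join(near))
    return reasons

# Constructed autostart entries (value name -> command path) for illustration.
SAMPLE_RUN_ENTRIES = {
    "Updater": r"C:\Windows\System32\svchosts.exe",
    "Browser": r"C:\Users\alice\AppData\Iexplorer.exe",
    "Shell": r"C:\Windows\explorer.exe",
    "Invoice": r"C:\Users\alice\Downloads\invoice.pdf.exe",
}

def scan(entries):
    """Map each flagged autostart value name to its list of reasons."""
    return {k: r for k, p in entries.items() if (r := triage(p))}

if __name__ == "__main__":
    for value_name, reasons in scan(SAMPLE_RUN_ENTRIES).items():
        print(value_name, "->", "; ".join(reasons))
```

The check looks at file names only; a correctly named binary running from an unexpected directory needs a separate path comparison.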
