Certified Cybersecurity Technician Module 01 PDF

Summary

This module details information security threats and vulnerabilities, outlining threat sources, actors, and vectors. It clarifies various malware types and attack techniques. The module also discusses vulnerabilities, their impact, and risk assessment.

Full Transcript

Certified |Cybersecurity Technician Module - 01 Information Security Threats and Vulnerabilities Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Module Objectives 0000000000 Understanding the Threat and Threat Sources Understanding the Threat Actors/Agents Understanding Various Threat Vectors Overview of the Malware and the Common Techniques Attackers Use to Distribute Malware Understanding the Different Types of Malware Understanding the Vulnerability and Examples of Network Security Vulnerabilities Overview of the Common Areas of Vulnerability Understanding the Impact of Vulnerabilities Understanding the Risk of Vulnerabilities Understanding the Classification of Vulnerabilities Copyright © by EC- All Rights Reserved. Reproduction is Strictly Prohibited Module Objectives Attackers break into systems for various reasons and purposes. Therefore, it is important to understand how malicious hackers attack and exploit systems and the probable reasons behind those attacks. As Sun Tzu states in the Art of War, “If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat.” Security professionals must guard their infrastructure against exploits by knowing the enemy—the malicious hacker(s)—who seeks to use the same infrastructure for illegal activities. This module begins with an overview of the threat sources, threat actors, and threat vectors to information security. It provides insight into the various attributes of threat actors. Later, the module discusses malware and common techniques attackers use to distribute malware on the web. It provides a brief discussion on different types of malware. It gives an introduction to vulnerabilities and their impact. It provides insight into the common areas of vulnerability. The module ends with a brief discussion on vulnerability classification. At the end of this module, you will be able to: = Understand the threat and threat sources = Describe the threat actors/agents = Describe the threat vectors = Understand the malware and the common techniques attackers use to distribute malware on the web = Explain the different types of malware = Explain the vulnerability and examples of network security vulnerabilities = Understand the common areas of vulnerability Module 01 Page 3 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities = Describe the impact of vulnerabilities = Understand the risk of vulnerabilities = Understand the classification of vulnerabilities Module 01 Page 4 Exam 212-82 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Module Exam 212-82 Flow Define Threats Sources Define Threat Actors/ Agents Define Malware and its Types @ Define Vulnerabilities Understand Diffexrent Types of Vulnerabilities Copyright © by EC-{ L. All Rights Reserved. Reproduction is Strictly Prohibited. Define Threats Sources The security professionals need to understand the threat and threat sources to easily tackle and handle the evolving threats, their TTPs, and actors. This section discusses the threat, and threat sources. Module 01 Page 5 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 What is a Threat? = A threatis the potential occurrence of an undesirable event that can eventually damage and disrupt the operational and functional activities of an organization Attackers use cyber threats to infiltrate and steal data such as individual’s personal information, financial information, and login credentials Copyright © by EC-Councll. All Rights Reserved. Reproduction ks Strictly Prohibited. What is a Threat? A threat is the potential occurrence of an undesirable event that can eventually damage and disrupt the operational and functional activities of an organization. A threat can be any type of entity or action performed on physical or intangible assets that can disrupt security. The existence of threats may be accidental, intentional, or due to the impact of another action. Attackers use cyber threats to infiltrate and steal data such as personal information, financial information, and login credentials. They can also use a compromised system to perform malicious activities and launch further attacks. The criticality of a threat is based on how much damage it can cause, how uncontrollable it is, or the level of complexity in identifying the latest discovered integrity, threat incident or availability in advance. (CIA) of data. Threats They to data also result assets cause in data loss, loss of confidentiality, identity theft, cyber sabotage, and information disclosure. Examples of Threats = An attacker stealing sensitive data of an organization * An attacker causing a server to shut down = An attacker tricking an employee into revealing sensitive information = An attacker infecting a system with malware = An attacker spoofing the identity of an authorized person to gain access = An attacker modifying or tampering with the data transferred over a network = An attacker remotely altering the data in a database server = An attacker performing URL redirection or URL forwarding Module 01 Page 6 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 * An attacker performing privilege escalation for unauthorized access » An attacker executing denial-of-service (DoS) attacks for making resources unavailable * An attacker eavesdropping on a communication channel without authorized access Module 01 Page 7 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Threat Sources Threat Sources Unintentional * = Fires * Power failures * Floods * Unskilled administrators Accidents Lazy or untrained employees Fired ; ired employee * Hiachs ackers Disgruntled * Criminals employee * Terrorists * Service providers * * Foreign intelligence Contractors agents * Corporate raiders s Reserved. Reproduction is Strictly Prohibited Threat Sources The following are the various sources from which threats originate. They can be broadly classified as natural threats, unintentional threats, and intentional threats. Threat Sources v v Unintentional * Fires * Floods Intentional * Unskilled | administrators * " Hackers ; Fired employee Lazy or untrained employees * ® * Disgruntled + Criminals employee * Terrorists Service providers Contractors * Foreignintelligence agents * Corporate raiders Figure 1.1: Classification of Threat Sources = Natural Threats Natural factors such as fires, floods, power failures, lightning, meteor, and earthquakes are potential threats to the assets of an organization. For example, these may cause severe physical damage to computer systems. Module 01 Page 8 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Unintentional Threats Unintentional threats are threats that exist due to the potential for unintentional errors occurring within the organization. Examples include insider-originating security breaches, negligence, operator errors, unskilled administrators, lazy or untrained employees, and accidents. Intentional Threats There are two sources of intentional threats. O Internal Threats Most computer and Internet-related crimes are insiders or internal attacks. These threats are performed by insiders within the organization such as disgruntled or negligent employees and harm the organization intentionally or unintentionally. Most of these attacks are performed by privileged users of the network. The causes for insider attacks could be revenge, disrespect, frustration, or lack of security awareness. Insider attacks are more dangerous than external attacks because insiders are familiar with the network architecture, security policies, and regulations of the organization. Additionally, security measures and solutions typically focus more on external attacks, potentially leading an organization to be underequipped to identify and counter internal attacks. External Threats External attacks are performed by exploiting vulnerabilities that already exist in a network, without the assistance of insider employees. Therefore, the potential to perform an external attack depends on the severity of the identified network weaknesses. Attackers may perform such attacks for financial gain, to damage the reputation of the target organization, or simply for the sake of curiosity. External attackers can be individuals with expertise in attack techniques or a group of people who work together with a shared motive. For example, attacks can be performed with the objective of supporting a cause, by competitor companies for corporate espionage, and by countries for surveillance. Attackers performing external attacks have a predefined plan and use specialized tools and techniques to successfully penetrate networks. External attacks can include application- and virus-based attacks, password-based attacks, instant messaging—based attacks, network traffic— based attacks, and operating system (OS)-based attacks. External threats are further classified into two types. e Structured external threats Structured external threats are implemented by technically skilled attackers, using various tools to gain access into a network, with the aim of disrupting services. The motivation behind such attacks includes criminal bribes, racism, politics, terrorism, etc. Examples include distributed ICMP floods, spoofing, and simultaneously executing attacks from multiple sources. Tracking and identifying an attacker executing such an attack can be challenging. Module 01 Page 9 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities e Exam 212-82 Unstructured external threats Unstructured external threats are implemented by unskilled attackers, typically script kiddies who may be aspiring hackers, to access networks. Most of these attacks are performed primarily out of curiosity, rather than with criminal intentions. For example, untrained attackers use freely available online tools for attempting a network attack or for crashing a website or other public domains on the Internet. Unstructured external threats can easily be prevented by adopting security solutions such as port-scanning and address-sweeping tools. Module 01 Page 10 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Module Exam 212-82 Flow Define Threats Sources Define Threat Actors/ Agents Define Malware and its Types @ Define Vulnerabilities Understand Different Types of Vulnerabilities Copyright © by EC L. All Rights Reserved. Reproduction i Strictly Prohibited Define Threat Actors/Agents A security professional must know different types of threat actors/agents to understand the attacker’s perspective in hacking attempts. This section helps understand the different types of threat actors. Further, this section discusses the attributes of threat actors and threat vectors. Module 01 Page 11 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Threat Actors/Agents & R & Black Hats White Hats Gray Hats Hachoas Individuals with ; they resort to malicious or destructive Individuals who use their professed hacking skills for defensive purposes and are also known Individuals who work both and at various times activities and are also known as crackers A Suicide Script Kiddies Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail An unskilled hacker who compromises a system by as security terms or any were developed analysts other kind of punishment by real hackers , and software that Threat Actors/Agents (Cont’d) Individuals with a wide range of skills who are motivated by religious or political beliefs to create the fear through the large-scale disruption of computer networks 1' / \ Sfah;Sz::soxed Individuals employed by the government to penetrate and gain top-secret information from, and damage the information systems of other governments Individuals who promote a political agenda by hacking, especially by using hacking to deface or disable website Hacker Teams A consortium of skilled hackers having their own resources and funding. They work together in synergy for researching the state-of- the-art technologies Industrial Spies Module 01 Page 12 Individuals who perform corporate espionage by illegally spying on competitor organizations and focus on stealing information suchas blueprintsand formulas Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Threat Actors/Agents?—?C'J—ont’d') Insider Criminal Syndicates ' Organized Hackers Any employee (trusted person) who Groups of individuals that are Miscreants or hardened has access to critical assets of an organization. They use privileged access to violate rules or intentionally cause harm to the involved in organized, planned, and prolonged criminal activities. They illegally embezzle money by performing sophisticated cyber- criminals who use rented devices or botnets to perform various cyber-attacks to pilfer money from victims organization’s information system attacks L ANl Rights Reserved. Reproduction is Strictly Prohibited Threat Actors/Agents Threat actors usually fall into one of the following categories, according to their activities: = Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers. = White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner. = Gray Hats: Gray hats are the individuals who work various times. Gray hats might help hackers to find network and, at the same time, help vendors hardware) by checking limitations and making them both offensively and defensively at various vulnerabilities in a system or to improve products (software or more secure. = Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions. = Script Kiddies: Script kiddies are unskilled scripts, tools, and software developed quantity, rather than the quality, of the specific target or goal in performing the hackers who compromise systems by running by real hackers. They usually focus on the attacks that they initiate. They do not have a attack and simply aim to gain popularity or prove their technical skills. Module 01 Page 13 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities = Exam 212-82 Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills who are motivated by religious or political beliefs to create the fear of large-scale disruption of computer networks. = State-Sponsored Hackers: State-sponsored hackers are skilled individuals having expertise in hacking and are employed by the government to penetrate, gain top-secret information from, and damage the information systems of other government or military organizations. The main aim of these threat actors is to detect vulnerabilities in and exploit a nation’s infrastructure and gather intelligence or sensitive information. = Hacktivist: Hacktivism is a form of activism in which hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both online and offline arenas. They promote a political agenda especially by using hacking to deface or disable websites. In some incidents, hacktivists may also obtain and reveal confidential information to the public. Common hacktivist targets include government agencies, financial institutions, multinational corporations, and any other entity that they perceive as a threat. Irrespective of hacktivists’ intentions, the gaining of unauthorized access is a crime. = Hacker Teams: A hacker team is a consortium of skilled hackers having their own resources and funding. They work together in synergy for researching state-of-the-art technologies. These threat actors can also detect vulnerabilities, develop advanced tools, and execute attacks with proper planning. * Industrial Spies: Industrial spies are individuals who perform corporate espionage by illegally spying on competitor organizations. They focus on stealing critical information such as blueprints, formulas, product designs, and trade secrets. These threat actors use advanced persistent threats (APTs) to penetrate a network and can also stay undetected for years. In some cases, they may use social engineering techniques to steal sensitive information such as development plans and marketing strategies of the target company, which can result in financial loss to that company. * Insiders: An insider is any employee (trusted person) who has access to critical assets of an organization. An insider threat involves the use of privileged access to violate rules or intentionally cause harm to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Generally, insider threats arise from disgruntled employees, terminated employees, and undertrained staff members. = Criminal Syndicates: Criminal syndicates are groups of individuals or communities that are involved in organized, planned, and prolonged criminal activities. They exploit victims from distinct jurisdictions on the Internet, making them difficult to locate. The main aim of these threat actors is to illegally embezzle money by performing sophisticated cyber-attacks and money-laundering activities. = Organized Hackers: Organized hackers are a group of hackers working together in criminal activities. Such groups are well organized in a hierarchical structure consisting Module 01 Page 14 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 of leaders and workers. The group can also have multiple layers of management. These hackers are miscreants or hardened criminals who do not use their own devices; rather, they use rented devices or botnets and crimeware services to perform various cyberattacks to pilfer money from victims and sell their information to the highest bidder. They can also swindle intellectual property, trade secrets, and marketing plans; covertly penetrate the target network; and remain undetected for long periods. Module 01 Page 15 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Attributes of Threat Actors Internal © @ Trusted insiders who have permission and authorized access to the organization’s network, systems, and physical resources External Outsiderswho do not have any authorized access to the organization’s network and systemsincluding physical resources Level of sophistication Highly sophisticated threat actorsare more successful in attacksthan less sophisticated threatactors Resources/funding © Determineshow a threatactor supports an attack financially or with the required software and equipment @) Intent/motivation Highly motivatedactorsare more likely to launch an attack; the intent of an attack can be connected to political or personal goals of the attacker Copyright © by EC-{ L All Rights Reserved. Reproduction is Strictly Prohibited Attributes of Threat Actors The complexity of evolving cyber security threats has alerted organizations to the importance of identifying and analyzing the behavior of threat actors. The attributes of threat actors such as their location, intent/motivation, and level of sophistication allows security professionals to analyze their behavior. Internal: Internal actors are trusted insiders who have permission and authorized access to the organization’s network, systems, and physical resources. Internal threat actors include internal employees, any third party associated with the organization, or even business partners in some scenarios. External: External actors are outsiders who do not have authorized access to the organization’s network and systems including physical resources. Such actors use social engineering techniques or malware to enter the target network or systems. Level of sophistication: The sophistication level is a crucial factor determining the risk of a threat actor. Highly sophisticated threat actors are more successful in attacks than less sophisticated threat actors. Resources/funding: This attribute determines the way a threat actor supports an attack financially or with the required software and equipment. Criminal groups and nationstate actors have relatively large budgets and can perform persistent attacks for longer time periods. Intent/motivation: This is a key attribute for the success of an attack. Highly motivated actors are more likely to launch an attack than less motivated actors, who may prepare for an attack but never launch it. The intent of an attack can be connected to political or personal goals of the attacker. Module 01 Page 16 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Threat Vectors Exam 212-82 A threat vector is a medium through which an attacker gains access to a system by exploiting identified vulnerabilities ®e©00 Direct access Removable media Wireless Email ©60-606 Threat vectors used by malicious actors Cloud Ransomware/malware Supply chain Business partners L All Rights Reserved. Reproduction is Strictly Prohibited Threat Vectors A threat vector is a medium through which an attacker gains access to a system by exploiting identified vulnerabilities. It is the path that attackers take to enter an organization’s network. Threat vectors can be exploited by numerous entities such as disgruntled employees, malicious hackers, and potential competitors to gain access to the systems of an organization and thereby disrupt services, access sensitive information, or steal technology. Discussed below are some of the important threat vectors used by malicious actors. = Direct access: Through direct access, the attacker gains physical access to the target system and performs malicious activities, which include modifications to the operating system and the installation of various types of programs such as keyloggers and software worms. Attackers can also download large amounts of data into backup media or portable devices. = Removable media: Devices such as USB drives, phones, and printers can become a threat vector when plugged into an organization’s system or network. These devices might contain malware that run automatically on the host system to steal or corrupt critical files. Detecting and preventing data leakage through removable media can be difficult. = Wireless: A corporate device implementing an unsecured wireless hotspot can be compromised along with the internal network. Attackers may use tools to crack the authentication credentials of a corporate wireless network or spoof a trusted access point to gain access to the target network. = Email: Attackers use email as a vector to perform various phishing malicious attachments to compromise the target. Attackers attempt Module 01 Page 17 attacks with to trick the Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 employees of an organization to click on malicious links and attachments that are sent through emails to infect their system with malware or to gather sensitive information. = Cloud: Attackers inject malware into cloud resources to gain access to user information. They can add a service implementation module to SaaS, PaaS, or a virtual machine instance to deceive a cloud system. The user’s requests will then be redirected to the attacker’'s module or instance, which initiates the execution of malicious code. Alternatively, attackers find user accounts with weak credentials and exploit them to gain access to the target cloud services/data. = Ransomware/malware: the target system to Attackers can take advantage of unpatched vulnerabilities in inject ransomware. Furthermore, including Trojans, adware, and file-less malware infiltrate the target organization. can various types be employed of malware by attackers to = Supply chain: Using this threat vector, the attacker attempts to compromise the target by exploiting vulnerabilities in the resources supplied by a third-party vendor. The attacker takes advantage of these vulnerabilities to introduce malicious payloads and bypass endpoint security devices/solutions. = Business partners: Third-party organizations can emerge as a threat vector to an organization. Attackers can use supply-chain attacks to gain access to the customers’ information. Organizations must introduce cybersecurity best practices and demonstrate mutual transparency to mitigate this risk. Module 01 Page 18 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Module Exam 212-82 Flow Define Threats Sources Define Threat Actors/ Agents Define Malware and its Types @ Define Vulnerabilities Understand Different Types of Vulnerabilities. All Rights Reserved. Reproduction ks Strictly Prohidited Define Malware and its Types To understand the various types of malware and their impact on network and system resources, we will begin with a discussion of the basic concepts of malware. This section describes malware, types of malware, and highlights the common techniques used by attackers to distribute malware on the web. Module 01 Page 19 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Introduction to Malware O Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud Malware programmers develop and use malware to: Attack browsers and track websites visited Slow down systems and degrade system performance Cause hardware failure, rendering computers inoperable Steal personal information, including contacts Copyright © by EC-C L All Rights Reserved. Reproduction is Strictly Prohibited Introduction to Malware Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for malicious activities such as theft or fraud. Malware includes viruses, worms, Trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware, crapware, roughware, crypters, keyloggers, etc. This malicious software may delete files, slow down computers, steal personal information, send spam, or commit fraud. Malware can perform various malicious activities ranging from simple email advertising to complex identity theft and password stealing. Malware programmers develop and use malware to: = Attack browsers and track websites visited = Slow down systems and degrade system performance = Cause hardware failure, rendering computers inoperable = Steal personal information, including contacts = Erase valuable information, resulting in substantial data loss = Attack additional computer systems directly from a compromised system »= Spam inboxes with advertising emails Module 01 Page 20 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Different Ways for Malware to Enter a System o Q b~ 8 L Downloading files from the ¢. Instant Messenger applications ‘ St aras m. Portable hardware media/removable devices. (3) Browserand email software bugs () Installation by other malware. Untrusted sites and freeware web applications/ software. Bluetooth and wireless networks Email attachments \V, Copyright © bty EC-Councll. All Rights Reserved. Reproduction ks Strictly Prohibited. Different Ways for Malware to Enter a System * Instant Messenger Applications Infection can occur via instant messenger applications such as Facebook Messenger, WhatsApp Messenger, LinkedIn Messenger, Google Hangouts, or ICQ. Users are at high risk while receiving files via instant messengers. Regardless of who sends the file or from where it is sent, there is always a risk of infection by a Trojan. The user can never be 100% sure of who is at the other end of the connection at any particular moment. For example, if you receive a file through an instant messenger application from a known person such as Bob, you will try to open and view the file. This could be a trick whereby an attacker who has hacked Bob's messenger ID and password wants to spread Trojans across Bob's contacts list to trap more victims. * Portable Hardware Media/Removable Devices o Portable hardware media such as USB drives, DVDs, and external hard drives can also inject malware into a system. A simple way of injecting malware into the target system is through physical access. For example, if Bob can access Alice’s system in her absence, then he can install a Trojan by copying the Trojan software from his flash drive onto her hard drive. o Another means of portable media malware infection is through the Autorun function. Autorun, also referred to as Autoplay or Autostart, is a Windows feature that, if enabled, runs an executable program when a user inserts a DVD in the DVDROM tray or connects a USB device. Attackers can exploit this feature to run malware along with genuine programs. They place an Autorun.inf file with the malware in a DVD or USB device and trick people into inserting or plugging it into Module 01 Page 21 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 their systems. Because many people are not aware of the risks involved, their machines are vulnerable to Autorun malware. The following is the content of an Autorun.inf file: [autorun] open=setup.exe icon=setup. exe To mitigate such infection, turn off the Autostart instructions below to turn off Autoplay in Windows 10: functionality. Follow the 1. Click Start. Type gpedit.msc in the Start Search box, and then press ENTER. 2. If you are prompted for an administrator password or confirmation, type the password, or click Allow. 3. Under Computer Configuration, expand Administrative Windows Components, and then click Autoplay Policies. Templates, expand 4. Inthe Details pane, double-click Turn off Autoplay. 5. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives. 6. Restart the computer. Browser and Email Software Bugs Outdated web browsers often contain vulnerabilities that can pose a major risk to the user’s computer. A visit to a malicious site from such browsers can automatically infect the machine without downloading or executing any program. The same scenario occurs while checking e-mail with Outlook Express or some other software with well-known problems. Again, it may infect the user's system without even downloading an attachment. To reduce such risks, always use the latest version of the browser and email software. Insecure Patch management Unpatched software poses a high risk. Users and IT administrators do not update their application software as often as they should, and many attackers take advantage of this well-known fact. Attackers can exploit insecure patch management by injecting the software with malware that can damage the data stored on the company’s systems. This process can lead to extensive security breaches, such as stealing of confidential files and company credentials. Some applications that were found to be vulnerable and were patched recently include Google Play Core Library (CVE-2020-8913), Cloudflare WARP for Windows (CVE-2020-35152), Oracle WebLogic Server (CVE-2020-14750), and Apache Tomcat (CVE-2021-24122). Patch management must be effective in mitigating threats, and it is vital to apply patches and regularly update software programs. Module 01 Page 22 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Rogue/Decoy Applications Attackers can easily lure a victim into downloading free applications/programs. If a free program claims to be loaded with features such as an address book, access to several POP3 accounts, and other functions, many users will be tempted to try it. POP3 (Post Office Protocol version 3) is an email transfer protocol. o If a victim downloads free programs and labels them as TRUSTED, protection software such as antivirus software will fail to indicate the use of new software. In this situation, an attacker receives an email, POP3 account passwords, cached passwords, and keystrokes through email without being noticed. Attackers thrive on creativity. Consider an example in which an attacker creates a fake website (say, Audio galaxy) for downloading MP3s. He or she could generate such a site using 15 GB of space for the MP3s and installing any other systems needed to create the illusion of a website. This can fool users into thinking that they are merely downloading from other network users. However, the software could act as a backdoor and infect thousands of naive users. Some websites even link to anti-Trojan software, thereby fooling users into trusting them and downloading infected freeware. Included in the setup is a readme.txt file that can deceive almost any user. Therefore, any freeware site requires proper attention before any software is downloaded from it. Webmasters of well-known security portals, who have access to vast archives containing various hacking programs, should act responsibly with regard to the files they provide and scan them often with antivirus and anti-Trojan software to guarantee that their site is free of Trojans and viruses. Suppose that an attacker submits a program infected with a Trojan (e.g., a UDP flooder) to an archive’s webmaster. If the webmaster is not alert, the attacker may use this opportunity to infect the files on the site with the Trojan. Users who deal with any software or web application should scan their systems daily. If they detect any new file, it is essential to examine it. If any suspicion arises regarding the file, it is also important to forward it to software detection labs for further analysis. o It is easy to infect machines using freeware; thus, extra precautions are necessary. Untrusted Sites and Freeware Web Applications/Software A website could be suspicious if it is located at a free website provider or one offering programs for illegal activities. o It is highly risky to download programs or tools located on “underground” sites, e.g., NeuroticKat software, because they can serve as a conduit for a Trojan attack on target computers. Users must assess the high risk of visiting such sites before browsing them. Many malicious websites have a professional look, massive archives, feedback forums, and links to other popular sites. Users should scan the files using antivirus Module 01 Page 23 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 software before downloading them. Just because a website looks professional does not mean that it is safe. o Always download popular software from its original (or officially dedicated mirror) site, and not from third-party sites with links to the (supposedly) same software. Downloading Files from the Internet Trojans enter a system when users download Internet-driven applications such as music players, files, movies, games, greeting cards, and screensavers from malicious websites, thinking that they are legitimate. Microsoft Word and Excel macros are also used effectively to transfer malware and downloaded malicious MS Word/Excel files can infect systems. Malware can also be embedded in audio/video files as well as in video subtitle files. Email Attachments An attachment to an e-mail is the most common medium to transmit malware. The attachment can be in any form, and the attacker uses innovative ideas to trick the victim into clicking and downloading the attachment. The attachment may be a document, audio file, video file, brochure, invoice, lottery offer letter, job offer letter, loan approval letter, admission form, contract approval, etc. Example 1: A user’s friend is conducting some research, and the user would like to know more about the friend’s research topic. The user sends an e-mail to the friend to inquire about the topic and waits for a reply. An attacker targeting the user also knows the friend’s e-mail address. The attacker will merely code a program to falsely populate the e-mail “From:” field and attach a Trojan in the email. The user will check the email and think that the friend has answered the query in an attachment, download the attachment, and run it without thinking it might be a Trojan, resulting in an infection. Some email clients, such as Outlook Express, have bugs that automatically execute attached files. To avoid such attacks, use secure email services, investigate the headers of emails with attachments, confirm the sender’s email address, and download the attachment only if the sender is legitimate. Network Propagation Network security is the first line of defense for protecting information systems from hacking incidents. However, various factors such as the replacement of network firewalls and mistakes of operators may sometimes allow unfiltered Internet traffic into private networks. Malware operators continuously attempt connections to addresses within the Internet address range owned by targets to seek an opportunity for unfettered access. Some malware propagates through technological networks. For example, the Blaster starts from a local machine’s IP address or a completely random address and attempts to infect sequential IP addresses. Although network propagation attacks that take advantage of vulnerabilities in common network protocols (e.g., SQL Slammer) have not been prevalent recently, the potential for such attacks still exists. Module 01 Page 24 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 File Sharing Services If NetBIOS (Port 139), FTP (Port 21), SMB (Port 145), etc., on a system are open for file sharing or remote execution, they can be used by others to access the system. This can allow attackers to install malware and modify system files. Attackers can also use a DoS attack to shut down the system and force a reboot so that the Trojan can restart itself immediately. To prevent such attacks, ensure that the file sharing property is disabled. To disable the file sharing option in Windows, click Start and type Control Panel. Then, in the results, click on the Control Panel option and navigate to Network and Internet > Network and Sharing Center - Change Advanced Sharing Settings. Select a network profile and under File and Printer Sharing section, select Turn off file and printer sharing. This will prevent file sharing abuse. Installation by other Malware A piece of malware that can command and control will often be able to re-connect to the malware operator’s site using common browsing protocols. This functionality allows malware on the internal network to receive both software and commands from the outside. In such cases, the malware installed on one system drives the installation of other malware on the network, thereby causing damage to the network. Bluetooth and Wireless Networks Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to them. These open networks have software and hardware devices installed at the router level to capture the network traffic and data packets as well as to find the account details of the users, including usernames and passwords. Module 01 Page 25 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Common Exam 212-82 Techniques Attackers Use to Distribute Malware on the Web ‘ ; ’ Black hat Search Engine op ation (SEO) | Secial Engincesed | Tricking usersinto clicking on innocent-looking webpages Spear-phishing Sites | Mimicking legitimate institutions in an attempt to steallogin credentials I of legitimate, high-trafficsites |. e Hosting embedded malware that spreadsto unsuspecting visitors Click-jacking - 1 stising Compromised Legitimate Websites Drive-by Downloads Spem Emelle Ranking malware pages highly in search results ’ Embedding malwarein ad-networks that displayacross hundreds | Exploiting flaws in browser software to install My visiting a web page | Attaching the malwareto emails and tricking victims to click the attachment Copyright © by EC- malware ’ just by ’ 1. All Rights Reserved. Reproduction i Strictly Prohibited Common Techniques Attackers Use to Distribute Malware on the Web Source: Security Threat Report (https://www.sophos.com) Some standard techniques used to distribute malware on the web are as follows: = Black hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEOQ) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages. ® Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user. = Spear-phishing Sites: This technique is used for mimicking legitimate institutions, such as banks, to steal passwords, information. credit card and bank account data, and other sensitive ® Malvertising: This technique involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting users. = Compromised Legitimate Websites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities. Module 01 Page 26 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 = Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website. *= Spam Emails: The attacker attaches a malicious file to an email and sends the email to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, thereby compromising his/her machine. This technique is the most common method currently in use by attackers. In addition to email attachments, an attacker may also use the email body to embed the malware. Module 01 Page 27 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Components of Malware QO The componentsof a malware software depend on the requirements of the malware author who designs it for a specific target to perform intended tasks Crypter Downloader Dropper Exploit Injector i O i Software that protects malware from undergoing reverse engineering or analysis A type of Trojan that downloads other malware from the Internet on to the PC A type of Trojan that covertly installs other malware files on to the system A malicious code that breaches the system security via software vulnerabilities install malware to access information or A program that injects its code into other vulnerable running processes and changes how they execute to hide or prevent its removal A program that conceals its code and intended security mechanisms to detect or remove it purpose via various techniques, and thus, makes it hard for A program that allows all files to bundle together into a single executable file via compression to bypass security software detection Payload Malicious Code A piece of software that allows control over a computer system after it has been exploited A command that defines malware’s basic functionalities such as stealing data and creating backdoors il All Rights Reserved. Reproduction is Strictly Prohibited Components of Malware Malware authors and attackers create malware using components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly. Some essential components of most malware programs are as follows: = Crypter: It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms. * Downloader: It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system. = Dropper: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute malware on a target system without being detected by antivirus scanners. = Exploit: It is the part of the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system’s security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, exploits are categorized into local exploits and remote exploits. Module 01 Page 28 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities = Exam 212-82 |njector: This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal. = Obfuscator: It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it. = Packer: This software compresses the malware file to convert the code and data of the malware into malware. = an unreadable format. It uses compression techniques to pack the Payload: It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security. *= Malicious Code: This is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. It can take the following forms: o Java Applets o ActiveX Controls o Browser Plug-ins o Pushed Content Module 01 Page 29 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Types of Malware Bl mojans B russorGrayware B viruses B soyware B rensomware B xeylogger Bl computerWorms Bl sotnets B rootxits B0 Fiteless Maiware Copyright © by E I. All Rights Reserved. Reproduction is Strictly Prohibited. Types of Malware A malware is a piece of malicious software that is designed to perform activities intended by the attacker without user consent. It may be in the form of executable code, active content, scripts, or other kinds of software. Listed below are various types of malware: Trojans Viruses Ransomware Computer Worms Rootkits PUAs or Grayware Spyware Keylogger Botnets Fileless Malware Module 01 Page 30 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 What is a Trojan? It is a program in which the ' or is contained inside an apparently harmless program or data, which can later gain control and cause damage ©) Trojans get activated whena ' ‘ Trojans between the victim computer and the attacker for transferring sensitive data Change? | Destroy?......................................... Internet Malicious Files Downloads Malicious Files ! @ Victim infected with Trojan 1. All Rights Reserved. Reproduction is Strictly Prohibited Trojans What is a Trojan? According to ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant wooden horse that was built to hide their soldiers. The Greeks left this horse in front of the gates of Troy. The Trojans thought that the horse was a gift from the Greeks, which they had left before apparently withdrawing from the war and brought it into their city. At night, the Greek soldiers broke out of the wooden horse and opened the city gates to let in the rest of the Greek army, who eventually destroyed the city of Troy. Inspired by this story, a computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users’ specific predefined actions such as unintentionally installing a malicious software, clicking on a malicious link, etc., and upon activation, they can grant attackers unrestricted access to all the data stored on the compromised information system and potentially cause severe damage. For example, users could download a file that appears to be a movie, but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker. A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Furthermore, attackers use victims as unwitting intermediaries to attack others. They can use a victim’s computer to commit illegal DoS attacks. Module 01 Page 31 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Trojans work at the same level of privileges as the victims. For example, if a victim has privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase the level of access even beyond the user running it. If successful, the Trojan can use such increased privileges to install other malicious code on the victim’s machine. A compromised system can affect other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing the remote system to incur a liability. Trojans enter the system by means such as email attachments, downloads, and instant messages. Change? ----------------------------------------- Downloads Malicious Attacker Files Internet propagates Trojan Malicious Files Victim infected with Trojan Figure 1.2: Depiction of a Trojan attack Module 01 Page 32 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 links, fli o :iz-':?\::r::seie:v:r:;?so Itisat The color settings of the operating P ’ everything is displayed backward @ e The default background or wallpaper settings change 23 ® r 7 B { automatically system (OS) change automatically v Web pages suddenly open without input from the user @ Antivirus programs are automatically disabled —_ @ ] e Pop-ups with bizarre messages suddenly appear L. All Rights Reserved. Reproduction i Kl Th ID: Indications of Trojan Attack Strictly Prohibited Indications of Trojan Attack The following computer malfunctions are indications of a Trojan attack: The DVD-ROM drawer opens and closes automatically. The computer screen displayed backward. blinks, flips upside-down, or is inverted so that everything The default background or wallpaper settings change automatically. This can performed using pictures either on the user’s computer or in the attacker’s program. is be Printers automatically start printing documents. Web pages suddenly open without input from the user. The color settings of the operating system (OS) change automatically. Screensavers convert to a personal scrolling message. The sound volume suddenly fluctuates. Antivirus programs are automatically disabled, and the data are corrupted, altered, or deleted from the system. The date and time of the computer change. The mouse cursor moves by itself. The left- and right-click functions of the mouse are interchanged. The mouse pointer disappears completely. The mouse pointer automatically clicks on icons and is uncontrollable. Module 01 Page 33 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Information Security Threats and Vulnerabilities = The Windows Start button disappears. = Pop-ups with bizarre messages suddenly appear. = (lipboard images and text appear to be manipulated. = The keyboard and mouse freeze. = Contacts receive emails from a user’s email address that the user did not send. = Strange warnings or question boxes appear. Often, these are personal messages directed at the user, asking questions that require him/her to answer by clicking a Yes, No, or OK button. * The system turns off and restarts in unusual ways. = The taskbar disappears automatically. = The Task Manager is disabled. The attacker or Trojan may disable the Task Manager function so that the victim cannot view the task list or end the task on a given program or process. Module 01 Page 34 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 How Hackers Use Trojans Delete or replace critical A~ d antivirus Record screenshots, audio, and video of victim’s PC @ Create backdoors to gain remote access operating system files Steal personal information such Use victim’s PC for spamming as passwords, security codes, and credit card information and blasting email messages Download spyware, adware, and malicious files Disable firewalls and @ Encrypt the data and lock out the victim from accessing the machine How Hackers Use Trojans Attackers create malicious programs such as Trojans for the following purposes: Delete or replace OS’s critical files Generate fake traffic to perform DoS attacks Record screenshots, audio, and video of victim’s PC Use victim’s PC for spamming and blasting email messages Download spyware, adware, and malicious files Disable firewalls and antivirus Create backdoors to gain remote access Infect the victim’s PC as a proxy server for relaying attacks Use the victim’s PC as a botnet to perform DDoS attacks Steal sensitive information such as: o Credit card information, which shopping using keyloggers o Account data passwords o Important company projects, including presentations and work-related papers such as email is useful passwords, for domain dial-up registration passwords, and as well as for web service Encrypt the victim’s machine and prevent the victim from accessing the machine Module 01 Page 35 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities = = Exam 212-82 Use the target system as follows: o To store archives of illegal materials, such as child pornography. The target continues using his/her system without realizing that attackers are using it for illegal activities o Asan FTP server for pirated software Script kiddies may just want to have fun with the target system; an attacker could plant a Trojan in the system just to make the system act strangely (e.g., the DVD tray opens and closes frequently, the mouse functions improperly, etc.) * The attacker might use a compromised system for other illegal purposes such that the target would be held responsible if these illegal activities are discovered by the authorities Module 01 Page 36 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Common Ports used by Trojans Port Trojan 20/22/80/443 Port | Emotet Trojan SpySender 8080 1863 XtremeRAT 8787 / 54321 Blade Runner, DarkFTP 22 SSH RAT, Linux Rabbit 23 EliteWrap 68 Mspy 80 Ismdoor, Poison Ivy, POWERSTATS 6666 443 Cardinal RAT, ghOst RAT, TrickBot 6667/12349 445 WannaCry, 1177 njRAT 1604 DarkComet 2140/3150/6670-71 | BackOfrice 2000 Delf SpyGate RAT, Punisher RAT 10100 Gift Blade Runner 11000 Senna Spy KilerRat, Houdini RAT 11223 Progenic Trojan Bionet, Magic Hound 12223 Hack 99 KeyLogger 6969 GateCrasher, Priority 23456 Evil FTP, Ugly FTP 7000 Remote Grab 7789 ICKiller 5400-02 | Deep Throat Zeus, Shamoon 10048 5000 RAT, Pandora RAT Trojan 1807 21 Petya Port 31337-38 65000 gii:%gfi‘e[ e Devil Bvevcvaviianzas iz W2 *Noe vy g Copyright © by EC-Councll.All Rights Reserved. Reproduction ks Strictly Prohibited. Common Ports used by Trojans Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems. Users need a basic understanding of the state of an "active connection” and ports commonly used by Trojans to determine whether a system has been compromised. Among the various states, the “listening” state is the important one in this context. The system generates this state when it listens for a port number while waiting to connect to another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for "listening" and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below. Port 2 20/22/80/ 443 21/3024/ 4092/5742 21 Module 01 Page 37 Trojan Death Emotet. WinCrash Bla.dc.e Runner, Doly Troyc.m, Fore, Invisible FTP, WebEx, WinCrash, Port 5001/50505 5321 >400-02 5569 Trojan | Sockets de Troie FireHotcker Blade Runner/Blade Runner 0.80 Alpha Robo-Hack Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 DarkFTP 22 Shaft, SSH RAT, Linux Rabbit 6267 GW Girl 23 Tiny Telnet Server, EliteWrap 6400 Thing 25 Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu Coceda, Shtrilitz Stealth, Terminator, 6666 KilerRat, Houdini RAT 6667/12349 Bionet, Magic Hound Kuang2 0.17A-0.30, Jesrto, Lazarus Group, Mis-Type, Night Dragon 26 31/456 BadPatch Hackers Paradise 6670-71 DeepThroat Denis, Ebury, FIN7, Lazarus Group, 53 RedLeaves, Threat Group-3390, Tropic 6969 GateCrasher, Priority 7000 Remote Grab Trooper 68 Mspy Necurs, NetWire, Ismdoor, Poison lvy, Executer, Codered, APT 18, APT 19, APT 80 32, BBSRAT, Calisto, Carbanak, Carbon, Comnie, Empire, FIN7, InvisiMole, Lazarus Group, MirageFox, Mis-Type, 7300-08 NetMonitor Misdat, Mivast, MoonWind, Night Dragon, POWERSTATS, RedLeaves, SType, Threat Group-3390, UBoatRAT 7300/31338 /31339 113 Shiver 139 Nuker, Dragonfly 2.0 7597 Qaz 421 TCP Wrappers Trojan 7626 Gdoor 7777 GodMsg 443 ADVSTORESHELL , APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8 , ghOst RAT, HARDRAIN, Hi-Zor, HOPLIGHT, Net Spy KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles , Threat Module 01 Page 38 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Group-3390, TrickBot, Tropic Trooper, TYPEFRAME, UBoatRAT 445 WannaCry, Petya, Dragonfly 2.0 7789 456 Hackers Paradise 8000 555 Ini-Killer, Phase Zero, Stealth Spy 8012 ICKiller BADCALL, C Volgmer ie, RESES Ptakks Zeus, APT 37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, 666 Satanz Backdoor, Ripper 8080 Lazarus Group, Magic Hound, OceanSalt, SType, Shamoon, TYPEFRAME, Volgmer 1001 3 Silencer, WebEx 1011 Doly Trojan 1026/ 8443 8787/54321 | FELIXROOT, Nidiran, TYPEERAME BackOfrice 2000 | pom 9989 iNi-Killer RAT 10048 Delf 1170 Psyber Stream Server, Voice 10100 Gift 1177 njRAT 10607 1234 Ultors Trojan 11000 Valvo line 11223 Progenic Trojan SubSeven 1.0-1.8 12223 Hack’99 KeyLogger 12345-46 GabanBus, NetBus 64666 1095-98 1234/ 12345 1243 Coma 1.0.9 Senna Spy € $ 1243/6711 /6776/273 | Sub Seven 74 1245 VooDoo Doll 1777 Java RAT, Agent.BTZ/ComRat, Adwind 12361, 12362 Whack-a-mole 16969 Priority 20001 Millennium RAT 1349 Module 01 Page 39 Back Office DLL Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 1492 | FTP9ICMP 1433 Misdat 21544 GirlFriend 1.0, Beta-1.35 1600 Shivka-Burka 2323232323/ Prosiak 1604 FliAa\rTkComet RAT, Pandora RAT, HellSpy 29222 RuX 1807 SpySender 23432 Asylum 1863 XtremeRAT 23456 Evil FTP, Ugly FTP 1981 Shockrave 25685 Moon Pie 1999 BackDoor 1.00-1.03 26274 Delta 2001 Trojan Cow 30100-02 NetSphere 1.27a 2115 - 31337-38 Back Orifice/ Back Orifice 1.20 /Deep BO 2140 The Invasor 31338 DeepBO DeepThroat 31339 NetSpy DK 2155 Illusion Mailer, Nirvana 31666 BOWhack 2801 Phineas Phucker 34324 BigGluck, TN 3129 Masters Paradise 40412 The Spy 3131 SubSari 3150 The Invasor 47262 Delta 3389 RDP 50766 Fore Portal of Doom 53001 ;? Lrjr;z:iv\nNindows RA 54321 SchoolBus.69-1.11 / 2140/3150 39783(;//91%226— | 20034/1120 | S0 ;:g'lBEta' 40421-26 Masters Paradise 7/10167 4000 Module 01 Page 40 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 4567 File Nail 1 61466 Telecommando 4590 ICQTrojan 65000 Devil 5000 Bubbel, SpyGate RAT, Punisher RAT Table 1.1: Trojans and corresponding port of attack Module 01 Page 41 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. SRR AYOEISECUrity Technician Information Security Threats and Vulnerabilities Exam 212-82 Types of Trojans Remote Access Trojans 2 Backdoor Trojans 3 Botnet Trojans 4 Rootkit Trojans 5 E-Banking Trojans 6 Service Protocol Trojans Mobile Trojans loT Trojans Security Software Disabler Trojans Destructive Trojans Point-of-Sale Trojans DDoS Attack Trojans Defacement Trojans Command Copyright 3. © by EC- computer, such as transf erring, modifying, or cor rupting software, and rebooting the machine, without user detect ion. Botnet Trojans: Today, most ‘ MCH. files, Shell Trojans All Rights Reserved. Reproduction installing is Strictly Prohibited. malicious major information security attacks involve botnets. Attackers (also known as “bot herders”) use botnet Tro jans to infect a large number of Module 01 Page 42 Certified Cybersecurity Tech nician Copyright © by EC-C ouncil All Rights Reserved. Reproduction ic Strir Certified Cybersecurity Technician Information Security Threats and Vulnerabilities 4. Exam 212-82 Rootkit Trojans: As the name indicates, “rootkit” consists of two terms, i.e., “root” and “kit.” “Root” is a UNIX/Linux term that is the equivalent of “administrator” in Windows. The word access to backdoors detected control of “kit” denotes programs that allow someone to obtain root-/admin-level the computer by executing the programs in the kit. Rootkits are potent that specifically attack the root or OS. Unlike backdoors, rootkits cannot be by observing services, system task lists, or registries. Rootkits provide full the victim OS to the attacker. E-Banking Trojans: E-banking Trojans are extremely dangerous and have emerged as a significant threat to online banking. They intercept the victim's account information before the system can encrypt it and send it to the attacker's command-and-control center. Installation of these Trojans takes place on the victim’s computer when he or she clicks a malicious email attachment or a malicious advertisement. Attackers program these Trojans to steal minimum and maximum monetary amounts, so that they do not withdraw all the money in the account, thereby avoiding suspicion. Point-of-Sale Trojans: As the name indicates, point-of-sale (POS) Trojans are a type of financial fraudulent malware that target POS and payment equipment such as credit card/debit card readers. Attackers use POS Trojans to compromise such POS equipment and grab sensitive information regarding credit cards, such as credit card number, holder name, and CVV number. Defacement Trojans: Defacement Trojans, once spread over the system, can destroy or change the entire content of a database. However, they are more dangerous when attackers target websites, as they physically change the underlying HTML format, resulting in the modification of content. In addition, significant losses may be incurred due to the defacement of e-business targets by Trojans. Service Protocol Trojans: These Trojans can take advantage of vulnerable service protocols such as VNC, HTTP/HTTPS, and ICMP, to attack the victim’s machine. Mobile Trojans: Mobile Trojans are malicious software that target mobile phones. Mobile Trojan attacks are increasing rapidly due to the global proliferation of mobile phones. The attacker tricks the victim into installing the malicious application. When the victim downloads the malicious app, the Trojan performs various attacks such as banking credential stealing, social networking credential stealing, data encryption, and device locking. 10. loT Trojans: Internet of things (loT) refers to the inter-networking of physical devices, buildings, and other items embedded with electronics. IoT Trojans are malicious programs that attack loT networks. These Trojans leverage a botnet to attack other machines outside the loT network. 11. Security Software Disabler Trojans: Security software disabler Trojans stop the working of security programs such as firewalls, and IDS, either by disabling them or killing the processes. These are entry Trojans, which allow an attacker to perform the next level of attack on the target system. Module 01 Page 43 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 12. Destructive Trojans: The sole purpose of a destructive Trojan is to delete files on a target system. Antivirus software may not detect destructive Trojans. Once a destructive Trojan infects a computer system, it randomly deletes files, folders, and registry entries as well as local and network drives, often resulting in OS failure. 13. DDoS Attack Trojans: These Trojans are intended to perform DDoS attacks on target machines, networks, or web addresses. They make the victim a zombie that listens for commands sent from a DDoS Server on the Internet. There will be numerous infected systems standing by for a command from the server, and when the server sends the command to all or a group of the infected systems, since all the systems perform the command simultaneously, a considerable amount of legitimate requests flood the target and cause the service to stop responding. 14. Command Shell Trojans: A command shell Trojan provides remote control of a command shell on a victim’s machine. A Trojan server is installed on the victim's machine, which opens a port, allowing the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim’s machine. Netcat, DNS Messenger, GCat are some of the latest command shell Trojans. Module 01 Page 44 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Creating a Trojan ° Trojan Horse construction kits help attackers to construct Trojan horses of their choice @ The tools in these kits can be dangerous and can backfire if not properly executed Trojan Horse :. Theef RAT Trojan Construction Kits Theef is a Remote Access Trojan written in Delphi. It allows remote DarkHorse Trojan Virus Maker Trojan Horse Construction Kit Senna Spy Trojan Generator attackers access to the system via port Batch Trojan Generator 9871 Umbra Loader - Botnet Trojan Maker yright © by All Rights Reserved. Reproduction is Strictly Prohibited Creating a Trojan Attackers can create Trojans using various Trojan horse construction Trojan Virus Maker, and Senna Spy Trojan Generator. kits such as DarkHorse Trojan Horse Construction Kit Trojan horse construction kits help according to their needs. These tools New Trojans created by attackers scanning tools, as they do not match to succeed in launching attacks. = attackers construct Trojan horses and customize them are dangerous and can backfire if not properly executed. remain undetected when scanned by virus- or Trojanany known signatures. This added benefit allows attackers Theef RAT Trojan Theef is a Remote Access Trojan written in Delphi. It allows remote attackers access to the system via port 9871. Theef is a Windows-based application for both client and server. The Theef server is a virus that you install on a target computer, and the Theef client is what you then use to control the virus. Module 01 Page 45 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Figure 1.3: Screenshot of Theef RAT Trojan Some additional Trojan horse construction kits are as follows: DarkHorse Trojan Virus Maker Trojan Horse Construction Kit Senna Spy Trojan Generator Batch Trojan Generator Umbra Loader - Botnet Trojan Maker Module 01 Page 46 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Trojan Example: Emotet O Emotet is a banking Trojan which can function both as a Trojan by itself or as the downloader and dropper of other banking Trojans QO Itisa polymorphic malware as it can change its own identifiable features to evade signature-based detection Prom: CUAtomer Gewaylerva €1 (8 [Maito (ATomer Gemayieryaes (a) Monday Aped 16 [ Subject: Mecopt Confimaton 84119160V [UNSCANNED) ransaction Status: N L Shipped! Hi _ RTINS - 2018 11 0% AM 16 Aprfl I - Sent: » Yo b [Corvgtn, Vet Hnriack et m e - m W R T £l v.A- = - E-E =B Beem F BE ] NS e [T -9 s S— AaBb iyl AaBSG. Ae Smesre 11109120 ARSY A rre DT | Your transaction processed successfully It's an official confirmation for your order. Please check the invoice to update your stuff shipping day. Password to access Invoice:722 Thanks for using our service! ® L !(Pl wemt 2 7D Soaam wm hrps:/fwww fortinet.com Copyright © by E L. All Rights Reserved. Reproduction s Strictly Prohibited Trojan Example: Emotet Source: https://www.fortinet.com Emotet is a revolutionary malware that is designed with a modular architecture, where the main programs are installed first before the delivery of other payloads. It is also considered as a dropper, a downloader, and a Trojan by security analysts. It is a polymorphic malware, as it can change its own identifiable features when downloaded so that it can elude signature-based detection and other antivirus programs. Emotet is usually a banking Trojan that can function both as a Trojan by itself or as the downloader and dropper of other banking Trojans. It has been employed as a dropper/downloader for well-known banking Trojans such as Zeus Panda banker, Trickbot, and Iced ID to infect victims globally. Although it is a Trojan, Emotet has advanced persistence techniques and worm-like self-propagation abilities, which make it uniquely resilient as a destructive malware that could jeopardize individuals, companies, and government entities globally. Module 01 Page 47 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 From: customerGewayservicesca [maito customer@emayservices ca) Semt: Morday. 16. 2018 11 0% AN To: Subject: Recept Confirmation #417916MV [UNSCANNED) ransaction Status: Shipped! 16 April 11109121 ARSY It's an official confirmation for your order. Please check the invoice to update your stuff shipping day. eWayServices.ca! Password to access Invoice:722 Thanks for using our service! Figure 1.4: Spam email with malicious content distributing Emotet ‘@A 0l DV 57 ome B 7 Paste Clipboard PAYOSTISTA6167553 doc [Compatibility Mode] - Microsoft Word Mome | Intert 7% U Pagelayout o - ae AW x' x, Font References 3 M 4AF Mailings Review ECIER AW € -! 0 RE E Paragraph View O - Developer m o Format T e acsscr AaBbC AaBDG BookTitle Emphasis Headingl Heading2 0 Styles ® SR g;‘;::_‘ O m | @ Setect * Eciting been. | _ ] To open the document, follow these steps: This document is only available for desktop or laptop versions of Microsoft Office Word. Click Enable editing button from the yellow bar above - Once you have enabled editing, please click Enable content button from the yellow bar above Page:1ofd | Words0 | 5 | I [EEEEX Figure 1.5: Malicious Word document used for installing Emotet Module 01 Page 48 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 What is aVirus? QO Avirus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document Q Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments Infect other programs = Characteristics of Viruses Transform themselves Encrypt themselves = Alter data = Corrupt files and programs = Self-replicate Copyright © by EC-Councll. All Rights Reserved. Reproduction is Strictly Prohibited Viruses What is a Virus? Viruses are the scourge of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce itself. Therefore, attackers design every virus code such that the virus replicates itself n times. A computer virus is a self-replicating program that produces its code by attaching copies of itself to other executable code and operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can infect external machines only with the assistance of computer users. Virus reproduces its own code while enclosing other executables, and spreads throughout the computer. Viruses can spread the infection by damaging files in a file system. Some viruses reside in the memory and may infect programs through the boot sector. A virus can also be in an encrypted form. Some viruses affect computers as soon as their code is executed; other viruses remain dormant until a pre-determined logical circumstance is met. Viruses infect a variety of files, such as overlay files (.OVL) and executable files (.EXE,.SYS,.COM, or.BAT). They through file downloads, infected disk/flash drives, and email attachments. are transmitted A virus can only spread from one PC to another when its host program is transmitted to the uncorrupted computer. This can occur, for example, when a user transmits it over a network, or executes it on a removable media. Viruses are sometimes confused with worms, which are standalone programs that can spread to other computers without a host. A majority of PCs are now connected to the Internet and to local area networks, which aids in increasing their spread. Module 01 Page 49 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Characteristics of Viruses The performance of a computer is affected by a virus infection. This infection can lead to data loss, system crash, and file corruption. Some of the characteristics of a virus are as follows: = Infects other programs = Transforms itself = Encrypts itself = Alters data = Corrupts files and programs = Replicates itself Module 01 Page 50 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Purpose of CreatingViruses Inflict damage on competitors Realize financial benefits S Vandalize intellectual property & @ O © Q) @Q \flg\. \_/l I° Play pranks/Conduct. research Copyright © by EC-C Engage in cyber- terrorism e Damage networks or computers ® Gain remote access to a victim's computer I. All Rights Reserved. Reproduction is Strictly Prohibited Purpose of Creating Viruses Attackers create viruses with disreputable motives. Criminals create viruses to destroy a company’s data, as an act of vandalism, or to destroy a company’s products; however, in some cases, viruses aid the system. An attacker creates a virus for the following purposes: = Inflict damage on competitors = Realize financial benefits = Vandalize intellectual property = Play pranks * Conduct research = Engage in cyber-terrorism = Distribute political messages * Damage networks or computers = Gain remote access to a victim's computer Module 01 Page 51 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Indications Processes require more resources and time, resultingin of Virus Attack () ] (5 degraded performance Computer beeps with no display. Drive label changes and 'C‘:it.li::; Computer freezes frequently or encounters an error such as BSOD ()2 03 © : o— @ o Constant antivirus alerts (06 Files and folders are missing (07 Suspicious hard drive activity Browser window “freezes” L All Rights Reserved. Reproduction is Strictly Prohibited Indications of Virus Attack Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a virus by interrupting the regular flow of a process or a program. However, not all bugs created contribute toward attacking the system; they may be merely false positives. For example, if the system runs slower than usual, one may assume that a virus has infected the system; however, the actual reason might be program overload. An effective virus tends to multiply rapidly and may infect some machines in a short period. Viruses can infect files on the system, and when such files are transferred, they can infect machines of other users who receive them. A virus can also use file servers to infect files. When a virus infects a computer, the victim or user will be able to identify some indications of the presence of virus infection. Some indications of computer virus infection are as follows: = Processes require more resources and time, resulting in degraded performance = Computer beeps with no display = Drive label changes and OS does not load = Constant antivirus alerts = Computer freezes frequently or encounters an error such as BSOD = Files and folders are missing = Suspicious hard drive activity = Browser window “freezes” Module 01 Page 52 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities = Lack of storage space * Unwanted advertisements and pop-up windows = Unable to open files in the system = Strange emails received Module 01 Page 53 Exam 212-82 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Stages of Virus Lifecycle Virus replicates itself Users install antivirus for a period within the A virus is identified as target system and then spreadsitself a threatinfecting %% Rephcatlon Design Developing virus code using programming languages or construction kits the virus threats Execution of the Detection damage routine Incorporation Antivirus software It gets activated when the T updates and eliminate target system Launch 9 e user performs certain actions such as running infected programs developers assimilate defenses againstthe virus Copyright © by EC-(. All Rights Reserved. Reproduction is Strictly Prohibited Stages of Virus Lifecycle The virus lifecycle includes the following six stages from origin to elimination. 1. Design: Development of virus code using programming languages or construction kits. 2. Replication: The virus replicates for a period within the target system and then spreads itself. 3. Launch: The virus is activated when the user performs specific actions such as running an infected program. 4. Detection: The virus is identified as a threat infecting target system. 5. Incorporation: Antivirus software developers assimilate defenses against the virus. 6. Execution of the damage routine: Users install antivirus updates and eliminate the virus threats. Module 01 Page 54 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 How does a Computer Get Infected by Viruses? When a user accepts files and downloads without properly checkingthe source o Openinginfected e-mail attachments @ Not runningthe latest. antivirus application © Clicking malicious online ads Installing pirated Sl Not. Using portable media updatingand not instaul:ngneev versions of Connectingto untrusted networks plug-ins How does a Computer Get Infected by Viruses? To infect a system, first, a virus has to enter it. Once the user downloads and installs the virus from any source and in any form, it replicates itself to other programs. Then, the virus can infect the computer in various ways, some of which are listed below: * Downloads: Attackers incorporate viruses in popular software programs and upload them to websites intended for download. When a user unknowingly downloads this infected software and installs it, the system is infected. = Email attachments: Attackers usually send virus-infected files as email attachments to spread the virus on the victim’s system. When the victim opens the malicious attachment, the virus automatically infects the system. = Pirated software: Installing cracked versions of software (OS, Adobe, Microsoft Office, etc.) might infect the system as they may contain viruses. = Failing to install security software: With the increase in security parameters, attackers are designing new viruses. Failing to install the latest antivirus software or regularly update it may expose the computer system to virus attacks. = Updating software: If patches are not regularly installed when released by vendors, viruses might exploit vulnerabilities, thereby allowing an attacker to access the system. = Browser: By default, every browser comes with built-in security. An incorrectly configured browser could result in the automatic running of scripts, which may, in turn, allow viruses to enter the system. = Firewall: Disabling the firewall will compromise the security of network traffic and invite viruses to infect the system. Module 01 Page 55 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 = Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden behind the pop-up enters the system. Whenever the user turns on the system, the installed virus code will run in the background. = Removable media: When a healthy system is associated with virus-infected removable media (e.g., DVD, USB drive, card reader), the virus spreads the system. = Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or permitting a file sharing program that is accessed openly will allow a virus to take over the device. = Backup and restore: Taking a backup of an infected file and restoring it to a system infects the system again with the same virus. = Malicious online ads: Attackers post malicious online ads by embedding malicious code in the ads, also known infected. = as malvertising. Once users click these ads, their computers get Social Media: People tend to click on social media sites, including malicious links shared by their contacts, which can infect their systems. Module 01 Page 56 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Types of Viruses ° QO viruses are categories according to their functioning and targets O Some of the example includes: System or Boot Sector Virus Polymorphic Virus Web Scripting Virus File and Multipartite Virus Metamorphic Virus Email and Armored Virus Macro and Cluster Virus Overwriting File or Cavity Virus Add-on and Intrusive Virus Stealth/Tunneling Virus Companion/Camouflage Virus Direct Action or Transient Virus Encryption Virus Shell and File Extension Virus Terminate & Stay Resident Virus Sparse Infector Virus FAT and Logic Bomb Virus Copyright © by EC-Councll. All Rights Reserved. Reproduction is Strictly Prohibited.. Types of Viruses Viruses are categories according to their functioning and targets. Some of the most common types of computer viruses that adversely affect the security of systems are listed below: 1. System or Boot Sector Virus: The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. The primary carriers of system or boot sector viruses are email attachments and removable media (USB drives). A boot sector virus moves MBR to another location on the hard disk and copies itself to the original location of MBR. When the system boots, first, the virus code executes and then control passes to the original MBR. 2. File Virus: File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non- resident) or memory-resident viruses. File viruses insert their code into the original file and infect executable files. Such viruses are numerous, albeit rare. They infect in a variety of ways and are found in numerous file types. 3. Multipartite Virus: A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and the executable or program files. When the virus infects the boot sector, it will, in turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it is not rooted out entirely from the target Tequila. 4. machine. Some examples of multipartite viruses include Invader, Flip, and Macro Virus: Macro viruses infects Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. Most Module 01 Page 57 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files. Cluster Virus: Cluster viruses infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Even though the changes in the directory entry may affect all the programs, only one copy of the virus exists on the disk. Stealth/Tunneling Virus: These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, a stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. Encryption Virus: Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas the encryption makes use of different keys. Sparse Infector Virus: antivirus programs. To spread infection, viruses typically attempt to hide from Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally upon satisfying certain conditions or infect only those files whose lengths fall within a narrow range. Polymorphic Virus: Such viruses infect code already decoded by a decryption for each replication to avoid detection. module and the instruction sequence. generators in their implementation. a file with an encrypted copy of a polymorphic module. Polymorphic viruses modify their code They accomplish this by changing the encryption Polymorphic mechanisms use random number 10. Metamorphic Virus: Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and use metamorphic engines for their execution. Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. Metamorphic viruses are more effective than polymorphic viruses. 11. Overwriting File or Cavity Virus: Some programs have empty spaces in them. Cavity viruses, also known as space fillers, overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts and code complexity. Module 01 Page 58 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities 12. Companion Exam 212-82 Virus/Camouflage Virus: The companion filename as the target program file. The virus infects file, and it modifies the hard disk data. Companion before the execution of EXE files. The virus installs an virus stores itself with the same the computer upon executing the viruses use DOS to run COM files identical COM file and infects EXE files. 13. Shell Virus: The shell virus code forms a shell around the target host program’s code, making itself the original program with the host code as its sub-routine. Nearly all boot program viruses are shell viruses. 14. File Extension Virus: File extension viruses change the extensions of files. The extension.TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think that this is a text file and open it. It actually is an executable Visual Basic Script virus file and could cause severe damage. 15. FAT Virus: A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer. FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly. 16. Logic Bomb Virus: A logic bomb is a virus that is triggered by a response to an event, such as the launching of an application or when a specific date/time is reached, where it involves logic to execute the trigger. When a logic bomb is programmed to execute on a specific date, it is referred to as a time bomb. Time bombs are usually programmed to set off when important dates are reached, such as Christmas and Valentine’s Day. 17. Web Scripting Virus: A web scripting virus is a type of computer security vulnerability that breaches your web browser security through a website. This allows attackers to inject client-side scripting into the web page. It can bypass access controls and steal information from the web browser. Web scripting viruses are usually used to attack sites with large populations, such as sites for social networking, user reviews, and email. 18. Email Virus: An e-mail virus refers to computer code sent to you as an e-mail attachment, which if activated, will result in some unexpected and usually harmful effects, such as destroying specific files on your hard disk and causing the attachment to be emailed to everyone in your address book. Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or stealing personal data. 19. Armored Virus: Armored viruses are viruses that are