CEHv8 Module 06 Trojans and Backdoors.pdf

Trojans and Backdoors Module 06

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojans and Backdoors Module 06

Engineered by Hackers. Presented by Professionals.

CEH

Ethical Hacking and C oun term easure s v8 v8 Module 06: Trojans and Backdoors Exam 312-50

Module 06 Page 828

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.



Security News 1 1 11 1 1 11U i 1■ P C M A G .C O M

Troian Types Indication of Troian Trojan Detection Troian Horse Construction Ki t

Cyber-Criminals Plan Massive Trojan Attack on 30 Banks

Oct 05, 2012 1:24 PM EST

A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appear to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post yesterday. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "anti-American motives," but simply because American banks are less likely to have deployed two-factor authentication for private banking consumers, Ahuvia said. European banks banks generally require all consumers to use two-factor two-factor for wire transfers, making it harder to launch a man-in-the-middle session hijacking attack. http://securitywatch.pcmag.com

Copyright © by EG-Gouncil. All Rights Jteservfed.;Reproduction Jteservfed.; Reproduction is Strictly Stri ctly Prohibited. Prohibit ed.

^

amps

Security Security News

- fjfgg fjfggC C yber-C riminals Plan M assive Trojan Attack Attack on 30 Banks Source: http://securitvwatch.pcmag.com A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appears to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post recently. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "antiAmerican motives," but simply because American banks are less likely to have deployed twofactor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-inthe-middle session hijacking attack.

Module 06 Page 829




"A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia said. Potential targets and relevant law enforcement agencies have already been notified, RSA said. RSA FraudAction was not sure how far along the recruitment campaign has gone, or when the attacks are expected. While it's possible revealing the gang's plans may cause the criminals to scuttle their operation, it may just cause the group to modify the attack. "There are so many Trojans available and so many points of failure in security that could go wrong, that they'd still have some chance of success," Ahuvia said.

Anatomy of the Attack The proposed cyber-attack consists of several parts. The first part involves infecting victim computers with the variant of the Gozi Trojan, which RSA has dubbed Gozi Prinimalka, Once the computer has been compromised, it will communicate with the botmaster's computer, which has a "virtual machine syncing module," capable of duplicating the victim's PC settings, such as the time zone, screen resolution, cookies, browser type, and installed software IDs, into a virtual machine, RSA said. When the attacker accesses victim accounts using the cloned system, the virtual machine appears to be a legitimate system using the last-known IP address for the victim's computer, RSA said. This cloning module would make it easy for the attackers to log in and initiate wire transfers. The attackers also plan to use VoIP phone flooding software to prevent victims from receiving confirmation calls or texts verifying online account transfers and activity, RSA said. The recruits have to make an initial investment in hardware and agree to training on how to deploy the Gozi Trojan, Ahuvia wrote. They will receive executable files, but not the compilers used to create the Trojan. In return, the new partners in this venture will receive a cut of the profits.

Trojan Behind Previous Attacks Attacks The Trojan is not as well-known as others, such as SpyEye or Citadel, nor is it as widely available, Ahuvia said. Its relative obscurity means antivirus and security tools are less likely to flag it as malicious. RSA has linked the Gozi Trojan to previous attacks responsible for more than $5 million in losses in the United States in 2008. The researchers have linked the Trojan to a group called the HangUp Team, and speculated the same group was behind this latest campaign. The way the attack is structured, it is very likely the targeted institutions won't even realize they'd been affected till at least a month or two after the attacks. "The gang will set a prescheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems," Ahuvia said.

Module 06 Page 830




Cop yright 1996-2012 Z iff Davis, Davis, Inc. Inc.

By Author: Fahmida Y. Rashid http://securitvwatc http://securitvwatch.pcma h.pcmag.com/none/B03 g.com/none/B03577-cvbe 577-cvber-criminals-planr-criminals-plan-rr1assive-troian-atta rr1assive-troian-attack-onck-on30-banks

Module 06 Page 831




Module Objectives J

What Is a Trojan Trojan??

J

Type Types s of of Troj Trojan ans s

J

What Do Troj Trojan an Creat Creator ors s Loo Look k For For

J

Troj Trojan an Anal Analys ysis is

J

Indica Indicatio tions ns of a Troj Trojan an Attac Attack k

J

How to Dete Detect ct Tro Troja jans ns

J

Comm Common on Por Ports ts used used by Troj Trojan ans s

J

Troj Trojan an Count Counterm ermeas easure ures s

J

How to Infec Infectt Syste Systems ms Usin Using g a Troj Trojan an

J

Troj Trojan an Horse Horse Cons Constru tructi ction on Kit

J

Diffe Differen rentt Ways Ways a Troj Trojan an can can Get Get into into a System

J

AntiAnti-Tr Troj ojan an Software Software

J

Pen Test Testin ing g for for Troj Trojan ans s and and Back Backdo door ors s

J

^

Howto Deploy Deploy a Troj Trojan an

C EH

1

I

J------1 t l z y <

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Reproducti on isStrictly Stri ctly Prohibited.

M o d u le l e O b j e c ti ti v e s The main objective of this module is to provide you with knowledge about various kinds of Trojans and backdoors, the way they propagate or spread on the Internet, symptoms of these attacks, consequences of Trojan attacks, and various ways to protect network or system resources from Trojans and backdoor. This module also describes the penetration testing process to enhance your security against Trojans and backdoors. This module makes you familiarize with: e

What Is a Trojan?

© Types of Trojans

©

What Do Trojan Creators Look For?

0

Trojan Analysis

©

Indications of a Trojan Attack

©

How to Detect Trojans

e

Common Ports Used by Trojans

© Trojan Countermeasures

0

How to Infect Systems Using a Trojan

0

Trojan Horse Construction Kit

0

Different Ways a Trojan Can Get into a

0

Anti-Troj Anti-Trojan an So ftware

0

Pen Testing for Trojans and Backdoors

System 0

How to Deploy a Trojan

Module 06 Page 832




Module Flow

CEH CE H

Penetration Penetra tion Testing Testing

Trojan Concepts

Anti-Trojan Software

Trojan Infection

Countermeasures

Types of Trojans Hg y

Trojan Detection

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Reproducti on is Strictly Stri ctly Prohibited. Prohibi ted.

Module Flow To understand various Trojans and backdoors and their impact on network and system resources, let's begin with basic concepts of Trojans. This section describes Trojans and highlights the purpose of Trojans, the symptoms of Trojan attacks, and the common ports used by Trojans.

Countermeasures

Trojan Concepts

, •

Trojans Infection

f|j||

4 ^— v—

Types Types of Trojan Trojans s

^

1

Trojan Detection

Module 06 Page 833

Anti-Trojan Software 1 Penetration Testin Testing g




CEH CE H J

It is a program program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk

J

Trojans Trojans replicate, spread, and get activated activated upon users' certain predefined actions

J

With the help of a Troja Trojan, n, an attacker attacker gets gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen

. .

Send me credit card details

Victim in Chicago infected with Trojan

Here is my credit card number and expire date

Send me Facebook account information

Victim in London infected with Trojan Here is my Facebook login and profile

Send me e-banking login info

Victim in Paris infected with Trojan Here is my bank ATM and pincode

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Reproducti on Is Strictly Stri ctly Prohibited. Prohibi ted.

W hat Is a Trojan? According According to to Gree k mytholo gy, the Greeks won the Trojan W ar by entering in to the fortified city of Troy hiding in a huge, hollow wooden horse. The Greeks built a huge wooden horse for their soldiers to hide in. They left the horse in front of the gates of Troy. The Trojans thought it to be a gift from the Greeks, who had withdrawn from the war, and so they transported the horse into their city. At night, the Spartan soldiers broke through the wooden horse, and opened the gates for their soldiers who eventually destroyed the city of Troy. Taking a cue from Greek mythology, a computer Trojan is defined as a "malicious, securitybreaking program that is disguised as something benign." A computer Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing immense damage to the victim. For example, a user downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes a dangerous program that may erase the unsuspecting user's disk and send his or her credit card numbers and passwords to a stranger. A Trojan can also be wrapped into a legitimate program, meaning that this program may have hidden functionality that the user is unaware of. In another scenario, a victim may also be used as an intermediary to attack others—without his or her knowledge. Attackers can use the victim's computer to commit illegal denial-of-service attacks such as those that virtually crippled the DALnet IRC network for months on end.

Module 06 Page 834




(DALnet is an Internet relay chat (IRC) network that is a form of instant communication over the network.) Trojan horses work on the same level of privileges that the victim user has. If the victim had the privileges, Trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilegeelevation attacks). The Trojan horse can attempt to exploit a vulnerability to increase the level of access beyond that of the user running the Trojan horse. If successful, the Trojan horse can operate with increased privileges and may install other malicious codes on the victim's machine. A compromise of any system on a network may affect the other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or in a trivially encrypted form are particularly vulnerable. If a system on such a network is compromised, the intruder may be able to record user names and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing and, thereby, cause the remote system to incur liabilities. Send me credit card details

Here is my credit card number and expire date

Victim in Chicago Chicago infected with Trojan

;y ::!D y

Send me Facebook account Information Victim in London infected with Trojan Here is my Facebook login and profile

Send me e-banking login info I Here is my bank ATM and pincode

t j

I

»

J

Victim in Paris infected with Trojan

FIGURE 6.1: 6.1: Attacker extracting extracting sensitive information from the system's infected with Trojan

Module 06 Page 835




Communication Paths: Overt and Covert Channels Overt Channel J

J

A le gi tim at e co m m un ic at io n

Cover t Channe l J

An un au th or iz ed ch an ne l used

path within a computer system,

for transferring sensitive data

or netw ork, for transfer of data

within a computer system, or network

Ex am ple of ov er t ch an ne l includes games or any legitimate programs

Poker.exe (Legitimate Application)

EH

J

Th e sim ple st fo rm of co ve rt channel is a Trojan

*

^

Trojan.exe (Keylogger Steals Passwords)


n^

C o m m u n i c at a t io io n P a th t h s : O v e rt r t a n d C o v er er t C h a n n e l s Overt means something that is explicit, obvious, or evident, whereas covert means

something that is secret, concealed, or hidden. An overt channel is a legal, secure channel for the transfe r of data or information within the network of a company. This This channel is within the secure environment of the company and works securely for the transfer of data and information. On the other hand, a covert channel is an illegal, hidden path used to transfer data from a network. Covert channels are methods by which an attacker can hide data in a protocol that is undetectable. They rely on a technique called tunneling, which allows one protocol to be carried over another protocol. Covert channels are generally not used for information exchanges, so they cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine.

Module 06 Page 836




Overt Channel

Covert Channel

A legitimate communication path within a computer system, or network, for the transfer of data

A channel that transfers information within a computer system, or network, in a way tha t violates the security policy

An overt channel can be exploited to create the presence of a covert channel by selecting selecting components of the ove rt channels with care that are idle or not related

The simplest form of covert channel is a Trojan

TABLE 6.1: Comparison between Overt Channel and Covert Channel

Module 06 Page 837




Purpose of Trojans Delete or replace operating system's

C EH

Disable firewalls and antivirus

critical files

Generate fake traffic to create DOS

Create backdoors to gain remote

attacks

access

Download spyware, adware, and

Infect victim's PC as a proxy server

malicious files

for relaying attacks

Record Record screenshots, audio, and video

Use victim's PC as a botnet to

of victim's PC

perform DD 0 S attacks

Steal information such as passwords, security codes, credit card information

Use victim's PC for spamming and blasting email messages

using keyloggers

Copyright © by EG-Gtancil. All Rights Reserved. Reproduction Reproducti on isStrictly Stri ctly Prohibited Prohibit ed

a .’* .’*

Purpo se of Trojans I I

Trojan horses are the dangerous malicious programs that affect computer systems

without the victim's knowledge. The purpose of Trojan is to: 0

Delete or replace the operating system's critical critical files

0

Gen era te fake traffic to create DOS attacks

0

Download spyware , adwa re, and malicious files

0

Record screenshots, and audio and video of the victim's PC

0

Steal inform ation such as as passwords, passwords, security codes, and and credit card information using using keyloggers

0

Disable Disable firewalls and antivirus softw are

0

Create backdoors backdoors to gain gain remo te access

0

Infect a victim' vict im's s PC as a proxy serv er for relaying attacks

0

Use a victim 's PC PC as a botnet to perform DDoS attacks

0

Use a victim vic tim 's PC PC for spamming spammi ng and blasting blasting email messages

Module 06 Page 838




W hat D o Tr Troj an Crea tors Look For For Credit card information

Financial data (bank account numbers, social security numbers, insurance information , etc.)

CEH CE H

Using the victim's comput er for illegal purposes, such such as to hack, scan, flood, or infiltrate other machines on the network or Internet

VISA Hacker


^ W hat Do Trojan C reators Look Loo k For? Trojans are written to steal information from other systems and to exercise control over them. Trojans look for the target's personal information and, if found, return it to the Trojan writer (attacker). They can also allow attackers to take full control over a system. Trojans are not solely used for destructive purposes; they can also be used for spying on someone's machine and accessing private and/or sensitive information. Trojans are created for the following reasons: 9

To steal sensitive information, such such as: as: ©

Credit card informatio n, which can be be used used for domain regis tratio n, as as well wel l as for shopping.

9

Acco unt data such as email passwords, p asswords, dial-up dial-up passwords, and web services passwords. Email addresses also help attackers to spam.

9

Impor tant comp any projects including including presentatio ns and work- relate d papers could be the targets of these attackers, who may be working for rival companies.

Module 06 Page 839



9


Attackers can use use the target's compu ters for storing archives of illegal materia ls, such such as as child pornography. The target can continue to use their computer, and have no idea about the illegal activities for which their computer is being used.

© Attackers can use use the target comput er as as an FTP FTP Serve r for pirated software. 0

Script kiddies may just want to have fun fun with the target's system. They might might plant a Trojan in the system, which then starts acting strangely: the CD tray opens and closes frequently, the mouse functions improperly, etc.

Q

The compromised system might be used used for other illegal illegal purposes, purposes, and the target would be held responsible for all illegal activities, if the authorities discover them.

< Hacker FIGUR E 6.2: Hacker stealing stealing credit card information from victim

Module 06 Page 840




Indications of a Trojan Attack

CEH CE H

CD-ROM CD-ROM d rawe r opens and closes by itself

Abnormal activity by the modem, netwo rk adapter, or hard drive

Computer brow ser is redirected redirected to unknown pages

The account passwords are changed or unauthorized access

Strange chat boxes boxes appear on victim's computer

Strange purchase statements appear in the credit card bills bills

Documents or messages are printed from the printer

The ISP complains to the victim that his/her computer is IP

themselves

scanning

Functions of the right and left

*

mouse buttons are reversed

People know too much personal information a bout a victim

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Reproducti on IsStrictly Stri ctly Prohibited Prohibit ed

Ind ication icati on s of a Trojan Attack Att ack

^

A Trojan is software designed to steal data and demolish your system. It creates a backdoor to attackers to intrude into your system in stealth mode. The system becomes vulnerable to the Trojan and attackers can easily launch their attack on the system if it is not safeguarded. Trojans can enter your system using various means such as email attachments, downloads, instant messages, open ports, etc. The following are some of the indications that you may notice on your system when it is attacked by the Trojan: 0

CD-ROM dra we r opens and closes by itself

0

Comput er browse r is redirected to unknown pages pages

0

Strange chat boxes boxes appear on on target's compute r

0

Documents or messages messages are printed printed from the printer

0

Functions of the right right and left left mouse mouse buttons are reversed

0

Abnormal activity by the modem, network adapter, or hard drive

0

The account passwords are changed or unauthorized access access

0

Strange purchase state men ts appear in the credit card bills bills

0

The ISP complains to the target that his his or her com puter is IP scanning

0

People know too much much personal information about a target

Module 06 Page 841




I n d i c a t i o n s o f a T ro r o ja j a n A t ta ta c k (Cont’d)

Antivirus is disabled or does not work properly

Screensaver's settings change automatically

Wallpaper or background settings change

The computer shuts down and powers off by itself

Ctrl+Alt+Del stops working

The taskbar disappears

Windows color color settings change

g

q (•Itlfwtf

|

Itklttl IU(kM

Computer screen flips upside down or inverts

Copyright © by EC-CMICil. All Rights Reserved. Reproduction Reproducti on isStrictly Stri ctly Prohibited.

Ind ication s of a Tro jan Attack Attac k (Con t’d) t’d) Though Trojans run in stealth mode, they exhibit some characteristics, observing which; you can determine the existence of Trojans on your computer. The following are typical symptoms of a Trojan horse virus infection: 9

Ant ivirus softwa re is disabled or does not work properly

9

The taskbar disappears

9

Win do ws color settings change

9

Comput er screen flips upside upside down or inverts

9

Screensaver's settings settings change change automatically

9

Wa llp ape r or background background settings change

9

Wind ows Start button disappears disappears

9

Mous e pointer disappears or moves by itself

9

The com pute r shuts down and powers off by itself

9

Ctrl+Alt+Del stops working

9

Repeate d crashes or programs open/close unexpectedly

9

The com pute r monitor turns itself off and on

Module 06 Page 842

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures


Trojans and Backdoors

C o m m o n P o r t s u s e d b y T r o ja ja n s

C EH Urtif M

Por t

Trojan

Por t

Death

FTP99CMP

20

Senna Spy

Shivka-Burka

21

Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash

1807

Port

Trojan

5569

Robo-Hack

KZSH

6670-71 0- 71

DeepThroat

22222

GirlFriend Girl Friend 1.0, Beta-1.35 Prosiak

GateCrasher, Priority

23456

Evil FTP, Ugly FTP

Port

SpySender

6969

2001

80 421

TCP Wrappers trojan

2140

The Invasor

9989

iNi-Killer

Hackers Paradise lni*Killer, Phase Zero, Stealth Spy Satanz Backdoor

2155

Illusion Mailer, Nirvana

10607

3129

Masters Paradise The Invasor

11000 11223

Coma 1.0.9 Senna Spy Progenictrojan

12223

Hack'99Keylogger

23 25 31

456 m

1 666

1170

1245

Shockrave BackDoor 1.00-1.03

Trojan

Shaft Tiny Telnet Server Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Hackers Paradise Executor

22

m

Tr o j an

2

4567

File Nail 1

RAT

4590

ICQTrojan

ICKiller

5000

Bubbel

UltorsTrojan SubSeven 1.0-1.8

5001

Sockets de Troie Firehotcker

5321

5400-02 0- 02 Blade Runner

NetSphere 1.27a 31337-38 7- 38 Back Orifice, DeepBO

BackOfrice 2000 Portal of Doom

WinCrash

Psyber Stream Server, Voice

VooDoo Doll

7789

Ripper Bugs

Silencer, WebEx Doly Trojan

Delta

Remote Grab NetMonitor

Trojan Cow

IthKJl IlMkM

NetSpy DK BOWhack 33333

BigGluck, TN The Spy 40421-26 1- 26 Masters Paradise 34324

40412 47262

12345*46 GabanBus, NetBus 12361, 12362 16969 20001 20034

Prosiak

50505 50766

Delta Sockets de Troie Fore Remote Windows Shutdown

Whack-a-mole

53001

Priority Millennium

61466

SchoolBus .69-1.11 Telecommando

65000

Devil

NetBus 2.0, BetaNetBus 2.01

54321

Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction Reproducti on is Strictly Stri ctly Prohibited. Prohi bited.

Co m mo n Ports Ports Used by Trojans Trojans IP ports play an important role in connecting your computer to the Internet and surfing the web, downloading information and files, running software updates, and sending and receiving emails and messages so that you can connect to the world. Each computer has unique sending and receiving ports for each function. Users need to have a basic understanding of the state of an "active connection" and ports commonly used by Trojans to determine if the system has been compromised. There are different states, but the "listening" state is the important one in this context. This state is generated when a system listens for a port number when it is waiting to make a connection with another system. Trojans are in a listening state when a system is rebooted. Some Trojans use more than one port as one port may be used for "listening" and the other(s) for data transfer.

Module 06 Page 843

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.




Po r t 2 20 21

T ro ja n

Po r t

T ro j a n

Death

1492

FTP99CMP

Senna Spy

1600

Shivka-Burka

1807

SpySender

Blade Runner, Doly Trojan, Trojan, Fore, Invisible FTP, WebEx, WinCrash

22

Shaft

1981

Shockrave

23

Tiny Telnet Server

1999

BackDoor 1.00 1.03

2001

Trojan Cow

25

Antigen, Email Password Sender, Terminator, Terminator, WinPC, W inSpy,

Po r t

Robo Hack

21544

GirlFriend 1.0, Beta 1.35

DeepThroat

22222

Prosiak

Gatecrasher, Priority

23456

Evil FTP, Ugly FTP

6969 7000 7300-08 7789

ICKiller

31337-38

Back Orifice, DeepBO

8787

BackOfrice 2000

Executor

2115

Bugs

421

TCP Wrappers trojan trojan

2140

The Invasor

9989

456

Hackers Paradise

2155

Illusion Mailer, Nirvana

555

Ini-Kille Ini-Killer, r, Phase Zero, S tealth Spy

3129

Masters Paradise

666

The Invasor

31339

NetSpy DK

31666

BOWhack

iNi-Killer

33333

Prosiak

10607

Coma 1.0.9

34324

BigGluck.TN

11000

Senna Spy

40412

The Spy

11223

Progenic trojan

9872-9875 Portal of Doom

Satanz Backdoor

3150

1001

Silencer, WebEx

4092

WinCrash

1011

Do ly Trojan

4567

File Nail 1

12223

4590

ICQTrojan

12345-46

1234

ultors Trojan

5001

sockets de Trole

1243

SubSeven 1.0-1.8

5321

Firehotcker

V 00D00 Doll

5400-02

Blade Runner Runner

Delta NetSphere 1.27a

SO

Bubbel

26274 30100-02

Ripper

5000

Remote Grab NetMonitor

2023

Psyber Stream Server, Voice

T rojan

5569

Hackers Paradise

1170

Po r t

6670-71

31

1095-98 RAT

T ro j a n

12361,

40421-26

Masters Paradise

47262

Delta

Hack’‘)‘) Key Logger

50505

Sockets de Troie

GabanBus, NetBus

50766

Fore Remote Windows

Whack-a-mole

53001

16969

Priority

54321

SchoolBus .69-1.11

20001

Millennium

61466

Telecommando

65000

Devil

12362

20034

NetBus 2.0, Beta NetBus 2.01

Shutdown

TABLE 6.2: Common ports used by Trojans

Module 06 Page 844






M o d u le Flow

CEH

UrtifM

IthKJi Nm Im

So far we have discussed various Trojan concepts. Now we will discuss Trojan infections.

Trojan Concepts

Countermeasures

Trojan Infection

||| ||r

Anti-T Anti-Troja rojan n Softwares

yv —

Types of Trojans Trojans

^

Penetration Testin Testing g

*

Trojan Detection

)

—

In this section, we will discuss the different methods adopted by the attacker for installing Trojans on the victim's system and infecting their system with this malware.

Module 06 Page 845






How Ho w to to Infect Infect S ystem s U sing a Trojan

process J

£

Create a new Trojan packet using a Trojan Horse Construction Kit

U

S

f

a

Create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system

Example of a Dropper ndows\ syst em32\ 32\ svchost s . exe exe Installation path: c\ wi ndow So£tware\ are\ Ml c \ run\l expl expl orer. exe exe AlitOStart: HKLM\ So£tw

e

O

Malicious code

1 0

Attacker

Client address: client.attacker.com Dropzone: dropzone.attacker.com

...

Malicious Code

A genuine application

Wrapper

File name: chess.exe Wrapper data: Executable file


m i■ 1" HI

How to Infect S yst em s U sing a Trojan Trojan

An attacker can control the hardware as well as software on the system remotely by installing Trojans. When a Trojan is installed on the system, not only does the data become vulnerable to threats, chances are that the attacker can perform attacks on the third-party system. Attackers infect the system using Trojans in many ways: 0

Trojans Trojans are included included in bundled bundled shareware sharewar e or download able software. Wh en a user user downloads those files, Trojans are installed onto the systems automatically.

9

Users are tricked with the differ dif ferent ent pop-up pop-up ads. It is programmed by the attacker attac ker in such a way that it doesn't matter if is the user clicks YES or NO; a download starts and the Trojan is installed onto the system automatically.

0

Attackers send Trojans through email attachments. When those attachments are opened, the Trojan is installed on the system. Users are sometimes tempted to click on different kinds of files such as greeting cards, porn videos, images, etc., where Trojans are silently installed one the system.

Module 06 Page 846






The step-by-step process for infecting machines using a Trojan is as follows: Step 1: Create a new Trojan packet using a Trojan Horse Construction Kit. Step 2: Create a dropper, which is a part in a Trojanized packet that installs the malicious code on the target system. n

Example of a Dropper Installation path: path: Autostart:

s

c\windows\system32\svchosts.exe

HKIiM\Software\Mi.c...\ru n\ Ie3
Malicious code Client address: d i e n t . a t t a c k e r . c o m Dropzone: d r o p z o n e . a t t a c k e r . c o m

Attacker

Malicious Code

A genuine application

■>

Wrapper

File name: chess.exe Wrapper data: Executable Executable file

FIGURE 6.3: Illustrating the process of infecting machines using Trojans (1 of 2)

Module 06 Page 847






How to Infect System s U sing a Trojan (Cont’d)

C EH

Create a wrapper using wrapper tools to install Trojan on the victim's computer

Propagate the Trojan


gr|jr How to Infe ct Sys tem te m s Usi ng a Trojan (Con t’d t’d) Step 3: Create a wrapper using tools to install the Trojan on the victim's computer. By using various tools like petite.exe, Graffiti.exe, EliteWrap, etc., a wrapper is created to install the Trojan on the victim's computer. Step 4: Propagate the Trojan. Trojan. Computer Co mputer virus propagatio pr opagation n (spreading) can be done through through various methods: 0

An automatic autom atic execution mechanism is is one method where traditional tradit ionally ly it it was spread spread through floppy disks and is now spread through various external devices. Once the computer is booted, the virus automatically spreads over the computer.

0

Even viruses can can be be propagated through emails, Internet Inter net chats, chats, network networ k sharing, sharing, P2P file sharing, network redirecting, or hijacking.

Step 5: Execute the Dropper. Drop per is used by attackers attacker s to disguise the ir malwa ma lware. re. The user is confused and believes that all the files are genuine or known files. Once it gets loaded into the host computer, it helps other malware to get loaded and perform the task. Step 6: Execute the damage routine. Most computer viruses contain a Damage Routine that delivers payloads. A payload sometimes just displays some images or messages whereas other payloads can even delete files, reformat hard drives, or cause other damage.

Module 06 Page 848






......

Dropper

-1 1

......

>

Trojan Packet W 0

)

Attacker

s

* ■

y

11 -----

.......

chess.exe

w

Dropper drops the Troj Troja an

Wrapper

Trojan code execution

Victim's System

FIGURE 6.4: Illustrating the process of infecting machines using Trojans (2 of 2)

Module 06 Page 849

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil




W ra p p e rs

CEH

A wrapper binds a Trojan executable with an innocent looking .EXE application such âs games or office applications

Chess.exe Che

/

Trojan.exe

Filesize: 90K

Filpci7p• Filpci7p• 20K 70 k Filesize:

Pilpci lpci

Chess.exe Filesize: 110K

When the user runs the wrapped EXE, it first installs the Trojan Trojan in the background background and then runs the wrapping application in the foreground

N The two programs are wrapped tog ether into a single file

V.

J

Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen

Source: http://www.objs.com Wrappers are used to bind the Trojan executable with a genuine-looking .EXE application such as games or office applications. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) on runtime. This makes it possible for the Trojan to get in virtually undetected, since most antivirus software is not able to detect the signatures in the file. The attacker can place several executables inside one executable, as well. These wrappers may also support functions such as running one file in the background while another one is running on the desktop. Technically speaking, wrappers can be considered another type of software "glueware" used to bind other software components together. A wrapper encapsulates into a single data source to make it usable in a more convenient fashion than the original unwrapped source. Users can be tricked into installing Trojan horses by being enticed or frightened. For instance, a Trojan horse might arrive in an email described as a computer game. When the user receives the mail, the description of the game may entice him or her to install it. Although it may, in fact, be a game, it may also be taking other action that is not readily apparent to the user, such as Module 06 Page 850





deleting files or mailing sensitive information to the attacker. In another instance, wan attacker sends a birthday greeting that will install a Trojan as the user watches, such as a birthday cake dancing across the screen.

8t l ( W ? Ch e s s . e x e

Filesize: Filesize: 90K

Tr o j a n . e x e

^

Filesiz Filesize: e: 20K

cness.exe Chess.exe ^

Filesize: File Filesi size ze:: 110K 110K 110K

FIGURE 6.5: Wrappers

Module 06 Page 851






Wrapper Covert Covert Programs Program s fci-Vrf*C6«T «TAlLM5I Crtf tfte teu

Hte5ce

CEH

[njarrio

vi TrOjaa.Net Advanced File Joiner

version 1.0 Ms.11' .1 1'. All I rl1.3j 1.3j q

rteujw!

1

Cr nll^ i C::t» t»

FJt5« FJt5«

|®IC ^Documtrt*aij

□c!D1c1ifrtt9rf[ jSir? jSir?1

I Hffi

'Cn' 'C n'W. W.'U 'Ui. i. »»*> 56

SC8 LAB’S

3««b

Pronessonal Malware Tod | !•Hr fl

rfrr.fvlit tndcx ) Crrptor Blndtr Downloado Downloadorr [ Spreader

Kriptomatik

Nome Nome

| Poll !

______

_________________________ ______________

SC&Ldb... C:\ C:\ D0CUmemts arid S(1Mir1Qs\Atl 111i .. No .1 ^ d‘ j 0 " " | cument$. . _j!to__

.

V

j

No

|

Advanced File Joiner Joiner |Theattachedfiles edfilesw weigh714KB

SCB LAB's - Professional Malware Malwa re Tool Tool Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Wrapper Wrapper Covert Program s Kriptomatik Kriptomatik is a wrapper covert program that is designed to encrypt and protect files against crackers and antivirus software. It spreads via Bluetooth and allows you to burn CD/DVDs with Autorun. {

It has the following features: 0

Configure Configur e icons

0

Gather files

e

Posts

© Propagat Prop agation ion 0

Other Othe r features featur es such such as autostart, attributes, attr ibutes, encryp encryption tion,, etc etc..

Module 06 Page 852






File Name jJjIx jJjIxRA RAYMYPC-INST INSTAL ALL.M L.MSI Hb8thc Hb8 thc.e .exe xe

File Path

File Size

Inject Injec t To

C:\D C:\Doc ocu umentsan tsandSetti etting ngs\ks\k-AD ADes... C:\Documentsand Settings\ .,Des... .,Des. ..

4 Mb 379Kb

%apppat %apppath% h% %apppa %ap ppath% th%

Extract To %none% %none%

►

Plugin Count Count:: 0006

Status Stat us : all spread commands unchecked...

FIGURE 6.6: Kriptomatik screenshot

5-----® A dvan ced File Joiner Advanced File Joiner is software that is used to combine and join various files into a single file. If you have downloaded multiple pieces of a large file split into smaller files, you may easily join them together with this tool. For example, you can combine ASCII text files or combine video files such as MPEG files into a single file if and only if they are of same size, format, and encoding. This tool cannot be used effectively for joining a file format containing head information such as AVI, BMP, JPEG, and DOC files. So, for each of these types of file formats, you have to use specific software join program.

Module 06 Page 853






File List Anti Debugging Compile Ftes Ftes Event Event Logs About

|©|C:\Documents and Settings^ Settings^ V>esktop\Music.wav 58 nc:\Do nc: \Docume cuments nts and Settings\ \Desktop\iusion_b... 392 Kb

1 1

Add To File File Path:

Execute:

Yes

FIGURE 6.7: Advanced File Joiner Screenshot Screens hot

Module 06 Page 854






SCB LAB’ LAB’ss - Pro fessio nal M alw are Tool Professional Malware Tool is designed to encrypt (crypter), together (binder), download (downloader), and files spread (spread).

SC8 LAB'S Profiessw Profiesswial ial Malw alware are Too Tool t ,V - «■

Index | Crypter

Name

Binder

Downloader Downloader Spreader

Path

Execute

]SC B Lab... Lab... C:\DocumentsandSettings\Admi... *“ icuments and Settings\Admi... Add file ► Yes Execute Build! No

No No

Remove file

|The attached files weigh 714 KB

FIGURE 6.8: SCB LAB's - Professional Professional Malware Malwar e Tool Tool Screenshot

Module 06 Page 855






D ifferent Ways a Trojan ca n Get into into a Sy stem Instant Messenger applications

r

IRC (Internet Relay Chat)

Physical Access

\ 1

r 2

Legitimate "shrinkwrapped" software packaged by a disgruntled employee

3

Browser and email software bugs

4

Attachments

\ 5

r 6

Fake programs

\ 7

Untrusted sites and freeware software

CEH

r 8

NetBIOS (FileSharing)

\ 9

Downloading files, games, and screensavers from Internet sites


Different W ays a Trojan Can Get into into a System Different access points are used by Trojans to infect the victim's system. With the help of these points, the Trojan attacks the target system and takes complete control over the system. They are as follows:

I n s t a n t M e s s e n g e r A p p li l i c a ti ti on on s The system can get infected via instant messenger applications such as ICQ or Yahoo Messenger. The user is at high risk while receiving files via the messenger, no matter from whom or from where. Since there is no file checking utility bundled with instant messengers, there is always a risk of infection by a Trojan. The user can never be 100% sure who is on the other side of the computer at any particular moment. It could be someone who hacked a messenger ID and password and wants to spread Trojans over the hacked friends list.

IRC (Intern (Intern et Re lay Chat) Chat)

tA

IRC is another method used for Trojan propagation. Trojan.exe can be renamed something like Trojan.txt (with 150 spaces).exe. It can be received over IRC and, in the DCC (Direct Client to Client), it will appear as •TXT. The execution of such files will cause infection. Most people do not notice that an application (.exe) file has a text icon. So before

Module 06 Page 856






such things are run, even if it is with a text icon; the extensions must be checked to ascertain that they are really .TXT files. 9

Do not not download any files that appear to to be free porn or or Internet Inter net software soft ware.. Novice computer users are often targets of these false offers, and many people on IRC are unaware of security. Users get infected from porn-trade channels, as they are not thinking about the risks involved—just how to get free porn and free programs.

irt ir t 1! P hy sica l Ac cess

LiJ 0

Restricting physical access is important for a computer's security. Example: 9

A user's friend wants want s to have physical access to his his system. The The user might might sneak into his friend's computer room in his absence and install a Trojan by copying the Trojan software from his disk onto the hard drive.

9

Autost Aut ostart art is another anot her way to infect a system while having physical physical access. access. When Wh en a CD is placed in the CD-ROM tray, it automatically starts with a setup interface. An example of the Autorun.inf file that is placed on such CDs:

[autorun] open=setup.exe icon=setup.exe 9

Trojan Troja n could be run easily easil y by running a real setup program.

9

Since many people do not know about this CD function, their the ir machine might get infected, and they would not understand what happened or how it was done.

9

The Autostart Autost art functionality functional ity should should be be turned off by doing the following: following :

Start Start > Sett Settin ings gs > Co Cont ntro roll Panel Panel -> Syst System em Properties ■) Settings

Devic Device e Manager ■> CDRO DROM

>

Once there, a reference to Auto Insert Notification will be seen. (It checks approximately once per second whether a CD-ROM has been inserted, or changed, or not changed.) To avoid any problems with this function, it should be turned off.

Brow ser and E m ail Softwa Software re Bugs Bug s Users do not update their software as often as they should, and many attackers take advantage of this well-known fact. Imagine an old version of Internet Explorer being used. A visit to a malicious site will automatically infect the machine without downloading or executing any program. The same scenario occurs while checking email with Outlook Express or some other software with well-known problems. Again, the user's system will be infected without even downloading an attachment. The latest version of the browser and email software should be used, because it reduces the risk of these variations.

Module 06 Page 857






9

Check the following sites to understand how dangerous these bugs are, all due to the use of an old version of the software: 9

http://www.guninski.com/ http://www.guninski.com/browsers.ht browsers.html ml

9

http://www.guninski.co http://www.guninski.com/netscape.ht m/netscape.html ml

F a k e P r o g r am am s 9

Attackers can easily lure a victim into downloading free programs that are suitable for their needs, and loaded with features such as an address book, access to check several POP3 accounts, and many other functions that make it even better than the currently used email client.

9

The victim downloads downl oads the program and marks marks it as TRUSTED, TRUST ED, so that the protection prote ction software fails to alert him or her of the new software being used. The email and POP3 account passwords are mailed directly to the attacker's mailbox without anyone noticing. Cached passwords and keystrokes can also be mailed. The aim is to gather ample information and send it to the attacker.

9

In some cases, an attacker may have complete access to a system, but what the attacker does depends on his or her ideas about how to use the hidden program's functions. While sending email and using port 25 or 110 for POP3, these could be used for connections from the attacker's machine (not at home, of course, but from another hacked machine) to connect and use the hidden functions they implemented in the freeware program. The idea here is to offer a program that requires a connection with a server be established.

9

Attackers thrive on creativity. Consider an example where a fake audio galaxy, which is a site for downloading MP3, is given. An attacker generates such a site by using 15-gb space on his system to place a larger archive there for the MP3. In addition, some other systems are also configured in the same fashion. This is done to fool users into thinking that they are downloading from other people who are spread across the network. The software acts as a backdoor and will infect thousands of naive users using ADSL connections.

9

Some fake programs have hidden codes, but still maintain a professional look. These websites link to anti-Trojan software, thus fooling users into trusting them. Included in the setup is readme.txt. This can deceive almost any user, so proper attention needs to be given to any freeware before it is downloaded. This is important because this dangerous method is an easy way to infect a machine via Trojans hidden in the freeware.

Module 06 Page 858






— .

S h r i n k - W r a p p e d S o ftw ft w a re

| Legitimate "shrink-wrapped" software package packaged d by a disgruntled emp loyee loye e can can contain Trojans.

Via A ttachm ttachm ents When unaware web users receive an email saying they will get free porn or free Internet access if they run an attached .exe file, they might run it without completely understanding the risk to their machines. 0

Example: 0

A user has a good good friend who is carrying out some research and wants to know about a topic related to his friend's field of research. He sends an email to his friend asking about the topic and waits for a reply. The attacker targeting the user also knows his friend's email address. The attacker will simply code a program to fake the email From: field and make it appear to be the friend's email address, but it will include the TROJANED attachment. The user will check his email, and see that his friend has answered his query in an attachment, and download and run it without thinking that it might be a Trojan. The end result is an infection.

0

Trash Trash email with the subject line, line, "Microso ft IE Update," Upda te," without viewing it. it.

0

Some email clients, such such as Outlook Express, Express, have bug bugs s that automati auto matically cally execute the attached files.

Untrusted Sites and Freeware Software 0 A site located at a free web we b space provider provide r or one just offering programs for illegal activities can be considered suspicious. 0

There are many underground sites such as Neurot Neu roticK icKat at Softw Sof twar are. e. It is highly risky risky to download any program or tool located on such a suspicious site that can serve as a

0

conduit condui t for a Trojan attack on a victim's victi m's computer. No matter matt er what software softw are you use, use, are you ready to take that risk?

0

Many Man y sites sites are available that have a professional look and contain huge archives. These sites are full of feedback forms and links to other popular sites. Users must take the time to scan such files before downloading them, so that it can be determined whether or not they are coming from a genuine site or a suspicious one.

0

Softwar Sof tware e such such as mIRC, mIRC, ICQ, ICQ, PGP, or any other othe r popular software soft ware must be downloaded downl oaded from its original (or official dedicated mirror) site, and not from any other websites that may have links to download supposedly the same software.

0

Webmaste Web maste rs of well-known well-known security portals, portals, who have vast archives with with various "hacking" programs, should be responsible for the files they provide and scan them often with anti-virus and anti-Trojan software to guarantee the site to be "free of Trojans and viruses." Suppose an attacker submits a program infected with a Trojan,

Module 06 Page 859






9

e.g., e.g., a UDP flooder, to the webmaster webm aster for the the archive; if the webmaster webm aster is not alert, the attacker may use the webmaster's irresponsibility to infect the site's files with a Trojan.

tJ

Users who deal with any kind kind of software softw are or web we b applicati appli cation on should scan their thei r systems on a daily basis. If they detect any new file, it should be examined. If any suspicion arises regarding the file, it must be forwarded to software detection labs for further analysis.

Q

It is easy to infect machines u usin sing g freew fre eware are programs. Free is not always the best" and hence these programs are hazardous for systems.

Net N etB B IO S (F ile il e S h a rin ri n g ) If port 139 on the system is open, i.e., file sharing is enabled, it can be used by others to access the system, install trojan.exe, and modify a system's file. 9

The attacker can also use a DoS DoS attack to shut down the system and force a reboot, so the Trojan can restart itself immediately. To block file sharing in the WinME version, go to: 9

Start > Settings Settings -> Control Control Panel

Netwo rk > File and Print Sharing Sharing

9

Uncheck the boxes boxes there. This This will prevent NetB IOS abuse. abuse.

Downloading Downloading files, games, and screensavers from Internet sites can be dangerous.

Module 06 Page 860






How How to Deploy Dep loy a Troja T rojann

c EH

(crtifwd IUmjI KmIm

Majo r Trojan Trojan Attack Paths: » User clicks clicks on the malicious link 8 User opens opens malicious email attachments

Attacker installs the Trojan infecting his machine

Trojan Trojan Serv er

(Russia) Trojan is sent to the victim


How to De ploy a T rojan A Trojan is the means by which an attacker can gain access to the victim's system. In order to gain control over the victim's machine, an attacker creates a Trojan server, and then sends an email to a victim containing a link to the Trojan server. Once the victim clicks on the link sent by the attacker, it connects him or her directly to the Trojan server. The Trojan server sends a Trojan to the victim system. The attacker installs the Trojan, infecting the victim's machine. As a result, victim is connected to the attack server unknowingly. Once the victim connects to an attacker server, the attacker takes complete control over the victim's system and performs any action the attacker chooses. If the victim carries out any online transaction or purchase, then the attacker can easily steal sensitive information such as credit card details, account information, etc. In addition, attackers can also use the victim's machine as the source for launching attacks on other systems. Computers typically get infected by users clicking on a malicious link or opening an email attachment that installs a Trojan on their computers that serves as a back door to criminals who can then command the computer to send spam email.

Module 06 Page 861





Computers typically get infected by clicking on a malicious link or opening an e-mail attachment that installs a Trojan on their computers that serves as a back door to criminals w ho can then command the computer to send spam email

ru Ed* vi** Toob h»sm o« noo &

Bi *!**

x

HfftyAl Hffty Al fat•ft6 •ft6

Orlrfa

O

O I ■vD

Subject : Apo«A**a0f• Odorm ?27867

Apple Store Call 1-800-MY-APPLE Dear Customer

4

Victim

Attacker installs the Trojan infecting his machine

The Trojan connects to the attack server

Link to Trojan Server

xlfnake changes to yelr To view the most up-to-date status 8nd| Apple Online Store order, visit online y|ur Qrc^rSiatus. | You car. aJso contact Apple Stor e Cust omer Se rvicc a: 1-800-576-2775 orvu t cniat for mere nfo:1r.aCoc.

Immediately connects to Trojan server ser ver in Russia

Attacker sends an email to victim containing link to Trojan server

Internet

la

Troj an Server

(Russia)

Trojan Is sent to the victim

FIGURE 6.9: Diagrammatical representation of deploying a Trojan in victims system

Module 06 Page 862





E vading A nti-Vi nti-Virus rus T ech niqu es

Break the Trojan file into multiple pieces and zip them as single file

Never use Trojans downloaded from the web (antivirus can detect these easily)

ALWAYS write your own Trojan and embed it into an application

Change the content of the Trojan using hex editor and also change the checksum and encrypt the file

Change Trojan's syntax: «

Convert an EXE to VB script script

e

Change .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hide "known extensions", by default, so it shows up only .DOC, .PPT and .PDF)

Copyright Copyri ght © by EG-Gouncil . All Rights Jte$ervfei;Reproduction is Strictly Prohibited. Prohibited.

Evading Antivir Anti virus us Tech nique s The following are the various techniques used by Trojans, viruses, and worms to evade most most of antivirus software: 1.

Never use Trojans downloade down loaded d from the web (antivirus (antiv irus detects these easily).

2. W rite ri te your own Trojan and and embed it into an application. applicati on. 3. Change the Trojan's Troj an's syntax: 0

Convert Conve rt an EXE to VB script

0

Conver Con vertt an EXE to a DOC DOC file

0

Convert Conve rt an EXE to a PPT file

4. Change the checksum. 5. Change the conten con tentt of the Trojan using a hex editor. editor . 6.

Break the Trojan Trojan file into multiple pieces.

Module 06 Page 863






So far, we have discussed various concepts of Trojans and the way they infect the system. Now we will discuss various types of Trojans that are used by attackers for gaining sensitive information through various means.

J

^—

Trojan Concepts

Countermeasures

Trojans Infection


Types Types of Trojan Trojans s

y )

Penetrati on Testing Testing

v -

I 1 Troj Troja an Det Detec ecttion ion

This section covers various types of Trojans such as command-shell Trojans, document Trojans, email Trojans, botnet Trojans, proxy server Trojans, and so on. Module 06 Page 864






T y p e s o f T r o jjaa n s / i

V NC NC Trojan

\ : :

/*HTTP/HTTPS\ /*ICMP /*ICMP \ Trojan : ; Trojan

CEH /D ata Hiding Hiding*. *.

:

;

Trojan

a

/*Dest /*Destruc ructiv tive**. e**.

: .

Trojan

:

/*Docu ment

!

Trojan

a

Types of Troj Trojans ans Various types of Trojans that are intended for various purposes are available. The following is a list of types of Trojans: 0

VNC Trojan

0

Proxy Server Ser ver Trojan

0

HTTP/HTTPS Trojan

0

Botnet Botne t Trojan Trojan

0

ICMP Trojan Trojan

0

Covert Channel Trojan

0

Command Shell Trojan

0

SPAM Trojan Trojan

0

Data Hiding Trojan

0

Credit Card Trojan

0

Destructive Destructi ve Trojan

0

Defacement Trojan Trojan

©

Docume Doc ument nt Trojan

0

E-banking E-banking Trojan

0

GUI Trojan

0

Notification Notificat ion Trojan

0

FTP Trojan Troj an

0

Mobile Trojan Trojan

0

E-mail E-mail Trojan Troj an

0

MAC OS X Trojan

0

Remote Remot e Access Trojan

Module 06 Page 865






C om m an d Shell Shell T rojans rojan s

CEH

J

Comm Comman and d she shell ll Tro Troja jan n gives gives remote remote cont control rol of of a comma command nd shell shell on a victim victim's 's mach machine ine

J

Troj Trojan an server server is is ins instal talled led on the victi victim's m's mach machine ine,, whic which h opens opens a port port for for attacker attacker to con conne nect. ct. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine

Command Shell Trojans The command shell Trojan gives remote control of a command shell on a victim's machine. The Trojan server is installed on the victim's machine, which opens a port for the attacker attack er to connect. The client is installed on the attack at tacker's er's machine, machine , which is used used to launch a command shell on the victim's machine.

C: > nc C: > nc - L - p - t - e cmd. exe exe FIGURE 6.10: Attacker launching command shell Trojan in victim's machine

Module 06 Page 866






C om m an d Shell Troj Tr ojan an:: N etcat

c:\>nc.exe

-h

[ 1.10 NT] conn ect to s canew h e r e : listen for inbound:

nc nc

options: -d

d e t a c h f r o m c on s ol e ,

- e pr p r og og - g g at at ew ew ay ay —G nu m -h -i 1

CEH

se se c s

] options] hostname port[s] [ports[ ... -1 -p por t [options] [hostname] [port] [port] s t eal th m od e

i nb nb ou ou nd nd pr pr og og ra ra m to to e xe xe c [ d a n g e r o u s ! ! ] s ou ou rc rc ee- ro ro ut ut in in g h o p p o in in t [s] , u p t o 8 so ur ce -r ou ti ng poi nte r:

4, 8,

12,

—

...

this cruft d el el ay ay in in t e r v al al fo f o r li li n e s se se nt , po p o rt rt s l i s t e n m o d e , fo fo r i n b o u n d c o n n e c t s

sc s c a nn nn ed ed

-L -n

listen harder, re-listen on socket close nu me ri c - o nl y IP a d d r e s s e s , n o DNS

-o f i le -p p o r t

h e x du m p o f t raffi c lo cal p o r t number

-r -a a d d r -t -u

randomize local and remote ports lo cal sour ce addr ess answer TELNET negotiation U D P m ode

- w s ec s -z

verbose [use [use twice to be more verbose] t im im e ou ou t f o r c o nn nn ec ec ts ts a nd nd f i n a l n et et r e a d s zero-l/O mode [used for scanning] scanning]

po rt nu mb er s ca n be individual or ranges: m n

[inclusive]

C:\>


C om m and Shel Sh elll Trojan: Trojan: Netcat Using Netcat, an attacker can set up a port or a backdoor that will allow him or her to telnet into a DOS shell. With a simple command such as C:\>nc -L -p 5000 -t -e cmd.exe, the attacker can bind port 5000. With Netcat, the user can create outbound or inbound connections, TCP or UDP, to or from any port. It provides for full DNS forward/reverse checking, with appropriate warnings. Additionally, it provides the ability to use any local source port, any locally configured network source address, and it comes with built-in port-scanning capabilities. It has a built-in loose source-routing capability and can read command-line arguments from standard input. Another feature is the ability to let another program respond to inbound connections (another program service established connections). In the simplest usage, usage, nc host port" creates cre ates a TCP connection to the given port on the given target host. The standard input is then sent to the host, and anything that comes back across the connection is sent to the standard output. This continues indefinitely, until the network side of the connection shuts down. This behavior is different from most other applications, which shut everything down and exit after an end-of-file on the standard input. Netcat can also function as a server by listening for inbound connections on arbitrary ports, and then doing the same reading and writing. With minor limitations, Netcat does not really care if it runs in client or server mode; it still moves data back and forth until there is none left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side.

Module 06 Page 867






Features: 0

Outbound or inbound connections, connectio ns, TCP or UDP, to or from any port

0

Full Full DNS for forward ward/re /revers verse e checking, checking, with appropri appr opriate ate warnings

0

Ability Abilit y to use use any local local source port

0

Ability Abilit y to use use any locally locally configured netwo rk source address address

0

Built-in Built-in port-scannin port-scanning g capabilities, with randomizer

0

Built-in Built-in loose source-routing capability capabil ity

0

Can read command-line arguments from standard input

0

Slow-send mode, one line ever ev ery y N seconds

0

Hex Hex dump of transmitted transm itted and received receive d data

0

Optional ability to let another anoth er program service establish connections connectio ns

0

Optional Opti onal telnet-o tel net-optio ptions ns respo re sponde nderr using the comman co mmand d nc -I -p 23 -t -e cmd.exe cmd.e xe

0

W h ere er e 23 is is the port for telnet, teln et, -I option opti on is to listen, -e option optio n is to execute, exe cute, -t -t option optio n tells Netcat to handle any telnet negotiation the client might expect

Netcat is a utility used for reading and writing the networks that support TCP and UDP protocols. It is a Trojan that is used to open either the TCP or UDP port on a target system and hackers with the help of Telnet gain the access over the system. Command Prompt c: \ >nc. exe exe - h [vl.10 NT] connect to somewhere : listen listen for for inbound: inbound: options: -d -e p r o g at ew ewa y -g g at -G n u m -h - i se c s -1 -L -n - o f i le P port -r -s a d d r -t -u -v - w se c s -z

nc [-opti [-options] ons] hostna me port[s] [ports] [ports] ... nc -1 -p port [op [opti tion ons] s] [host [hostna name me] ] [port] detac h from console, console, stea lth mode i n b o u n d p r o g r a m to ex ec [d [dangerous!!] s ou ou rc rc ee- ro ro ut ut in in g h op op po po in in t[ t[ s] s] , u p t o 8 s o u r c e - r o u t i n g pointer: 4, 8, 12, ... this cr uft d e l a y int er v al f or lin es s en en t, t, p o rt rt s sca n n ed listen mo de , for inbound connects listen harder, harder, re-listen on socket close numeric-only IP addresses, no DNS hex dump of traffic loca l po rt numb er r a nd o m iz e loc a l a n d re m ot e p o r t s l oc a l so u r ce addre ss answer TEI2 TEI2JE JET T negotia tion UDP m od e verbos e [use twice to be more verbose] verbose] t i m e o u t f o r c o n n e c t s a n d f i n a l n e t r ea d s z er o - l / O m o d e [ [u us e d f or sc a n n i n g]

por t n umbe rs can b e ind ivid ual or ranges: m- n

[inclusive]

C:\>

FIGURE 6.11: 6.11: Netcat screenshot

Module 06 Page 868






G UI U I T r o ja ja n : M o S u c k e r

MoSucker 3.0 Selected Server:

|z:\C&tv8Module 06Trojans and Backdoors\Trojans Type Server Serv er ID: Cypher Key: Victim's Name: Server Serv er Name(s): Extension(*): Cormecbon-eort:

[

£

Close

]

O

15017MQWEY3C:4264 7MQWEY3C: 4264200TPGNDEVC TWQPCUL25873IVFCSJQK137 TWQPCUL25873IVF CSJQK13761

1

|vk:t m

]

kerne!32,msc0nfig,vvinexec32,netconfig exe,p!f t>at,(i,jpe,com,bpq,xtr,txp,

0

|4288|

W Preve nt same server multHnfecbons (recommended)

You may select a windows icon to assooate with your custom file extension/s.

Sead

Save


GUI Trojan: MoSucker Source: http://www.dark-e.com

MoSucker is a Visual Basic Trojan. MoSucker's edit server program lets the infection routine be changed and notification information set. MoSucker can auto load with the system.ini and/or the registry. Unlike any other Trojan, MoSucker can be set to randomly choose which method to auto load. It can notify cell phones via SMS in Germany only. MuSucker's edit server can gain X number of kilobytes (X is either a static number or it is random each time). The standard error message for MoSucker is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again." Here is a list of file names MoSucker suggests to name the server: MSNETCFG.exe, unin0686.exe, Calc.exe, HTTP.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe, and Register.exe. Server Features: 0

Chat with victim

Q

Clipboard Clipboar d manager manag er

© Close/remove Close/remov e server e

Control mouse

9

Crash Crash System File Manager Manag er

Module

06 Page 869

Ethical Hacking and Countermeasures Copyright © by

EC-C0UnCil




0

Get passwords entered enter ed by user, system info

0

Hide/Show Hide/Sh ow start button, system tray, taskbar

0

Keylogger

0

Minimize all all windows wind ows

0

Open/close CD-ROM CD-ROM drive

0

Ping server

0

Pop-up Pop-up startmenu

0

Process manger

0

Shutdown/Reboot/Standby/Logoff/Dos Shutdown/Reboot/Standby/Logoff/Dos mode server

0

System keys on/off

0

Wind ow manager manager About

| Opti Option ons s | S3

_

£ Nt Q

Misc stuff Information File related System

5

' /

f t ;

Spy related Fun stuff I

version 3.0

Fun stuff II Live capture capture

u iw i u .m a s u c k c r . t h

FIGURE 6.12: 6.12: MoSucker screenshot

Module 06 Page 870






*

MoSucker 3.0 Selected Server

|z:\CEHv8 Module Module 06 Trojans and Backdoors\Trojans Backdoors\Trojans Type

Name/Port Password Autostart

Server ID: Cypher Key:

Notification 1

Victim's Name:

Notification 2

Server Name(s): Name(s):

Options

Extension Extension(s):

Events Bind Files Keylogger

Connection-gort:

C cl

Close

|

O

1501704QWEYX:4264200TPGNDEVC TWQPCUL25873IVFCSJQK13761 Victim kemel32 msc0nfigrwinexec32,netconfig exe,pif,bat,dli jpe comrbpq,xtr,txp, 4288|

[/ Preve Pr event nt same server ser ver multi-infec multi-infection tions s (recommended) (recommended)

Plug-ins/Kill Fake Error

<

>

You may select a windows icon to associate with your custom file extension/s.

File Properties Icons

Read

Save

Exit

FIGURE FIGU RE 6.13: 6.13: MoSucker MoS ucker showing victim's victim' s name and and connection port

Module 06 Page 871






GUI GUI Troja Trojan: n: Jum per an d Biod ox

CEH


GU I Trojan: Trojan: Ju m pe r an d Biodo Bio dox x Jumper Jum per is a malicious malware mal ware program program that performs many functions to download malicious malware from the Internet. Attackers use this jumper Trojan to get sensitive data like financial information from the user's system. It also downloads additional downloads for the attacker to be able to access the system remotely. Generally, the BIODOX OE Edition.exe file should be in the C:\Windows\System32 folder; if it has been found elsewhere, then it is a Trojan. Once the computer gets infected by the Biodox, the system performance decreases. The screensaver gets changed automatically. Continuous annoying advertisement pop-ups appearing on the computer can be treated as one of the symptoms of this Trojan.

Module 06 Page 872






ftodox Open Source t *ID 0 4 432 soc 544 li-Jcsss-eie 552 m y* r ■■ MO 628 MO 648 J 'r e . S36 U svO w s teJie w e 1 |*•.cfcott tx t 992 UtI svetwst n r 1016 3r.cN>st ext 244 296 SjUtoc*. _Jr.ch0it tx t 360 L-J [system pr. D umm

,

Status -weerufuly

System Sy»tem System System System System System System System System System System System System System System System

" "0 V 0 0 929792 5*01632 7430144 4t496*« 6287360 7188480 10*21*32 4612800 641*432 7192576 9965568 7016448 33181696 12562432 12091392

»

,

. 1

a

• Non* Normal Norm*

Normal Norm■ Norm* S0rr\» Norma( Norm* Norm* Norm■ Norm■ Normal

M

Clear Applicator Lh t

FIGURE 6.13: Screenshots showing Biodox and Jumper

Module 06 Page 873






D ocum ent Trojans VIA LETTER John John Stev Stevens Royal Communications Company 445 152thStree hStreett S.W. Washington Washington,, DC 20554

FecEx September 2, 2012

CEH CEH !B e !

Attacker

RE: Fedex Shipment Airwa Ai rway y Bill Number: 867676340056 Dear Mr. Stevens St evens: We have have received recei ved a packageaddressed to you at the value val ue of USD 2,300. The custom duty has not been paid for this t his shipment which is listed li sted as Apple iMac 24 Computer. Please Please call us at Fedex at 1800-234-446 Ext 345 or e-mail me at m.roberts@fedex.com regarding this shipment. Please visit visi t our Fedex Package TrackingWebsite Websit e to see more details about this shipment and advice us on howto proceed. The website websit e link is attached with this letter.

Attacker embeds Trojan into a Word document and infects victim computer

Victim's Package

Trojan embedded in Word document document

Sincerely, MichelleRoberts CustomerService Ser vice Representative Internatio International nal Shipment and Handling Fedex Atlanta Division Tel: Tel: 1800-234-446 Ext 345 http://www.fedex.com m.roberts@fedex.com

System

Trojan is executed as victim opens the document and clicks on Trojan package


D o c u m e n t T r o j an an s Most users usually have the tendency to update their operating system but not the application they use regularly. Attackers take this opportunity to install document Trojans. Attackers usually embed a Trojan into a document and transfer it in the form of an attachment in emails, office documents, web pages, or media files such as flash and PDFs. When a user opens the document with the embedded Trojan assuming it is a legitimate one, the Trojan is installed on the victim's machine. This exploits the application used to open the document. Attackers can then access sensitive data and perform malicious actions.

Module 06 Page 874






Attacker

m Attac ker embeds Trojan into a Word document and infects victim computer

® !!!

s

m Trojan is executed executed as victim opens the document and clicks on Trojan Trojan package FIGURE 6.13: Attacker infecting victim's machine using Document Trojan

An example of a Trojan embedded in a Word document is as follows: VIA LETTER John Stevens Stevens RâlC^muniraUonsCompany RâlC^muniraUonsCompany 445 152thStreet 152thStreet S.W . Washington, DC 20554

FecEx Septem ber 2, 2012 r

RE: Fedex Shipment Airway Bill Number: 867676340056 Dear Mr. Stevens: W e have recei ved a package addressed addressed to you at the value of USD 2,300. The custom duty has not been paid for this shipment which is listed as Apple iMac24' Computer. Please call us at Fedex at 1800 1800-2 -234-446 34-446Fxt 3450r e-mail e-mail me at m.robcrts(S>fed m.robcrts(S>fedex.com ex.com regarding this shipment. Please visit our Fedex Package Tracking Tracking webs ite t o see more details about this shipment and advice us on howto proceed. The website link is attached attached w ith this letter.

'•--* PackaQe

Trojan embed em bed ded in W ord document

Sincerely, Michelle Roberts Roberts Customer Service Representative International Shipment and Handling Fedex Atlanta Division Tel: 1800-234-446 1800-234-446 Ext Ext 345 http://www.fedex.com m.rohertsgOfpdex.com

Module 06 Page 875






FIGURE 6.14: An example of Trojan embedded in a Word document

E-m ail Troj Troj an anss

CEH

J

Attacker gains gains remote control control of a victim victim computer computer by by send sending ing email email messa messages ges

J

Attacke Attackers rs can can then then retri eve files files or folders by sendin sending g command commands s throu through gh email email

J

Attacker Attacker uses uses open open relay SMTP server server and and fakes fakes the email's email's FROM field field to hide hide origin

Instructions are sent to the victim through emails emails

/ \

- \ 7

Any commands commands for me?

Send me :\creditcard.txt file and launch calc.exe

Here is the requested file

mt

Email

Attacker

' ( m y

Calc.exe executed

Internet

Firewall

Victim

Copyright G by EG-GtlMCil. All Rights Reserved. Reproduction is Strictly Strictl y Prohibited.

Email Trojans spread through bulk emails. Trojan viruses are sent through attachments. The moment the user opens the email, the virus enters the system and spreads and causes a lot of damage to the data in the system. It is always recommended that users not open emails from unknown users. Sometimes email Trojans may even generate automatic mail and send send it to all the contacts co ntacts present pr esent in the vic tim's tim 's address addr ess book. Thus, Thus, it is is spread through the contact list of the infected victim. Attackers send instructions to the victim through email. When the victim opens the email, the instructions will be executed automatically. Thus, attackers can retrieve files or folders by sending commands through email. The following figure explains how an attack can be performed using email Trojans.

Module 06 Page 876






Instructions Instructions ar• sent to the victim through emails

Any commands for me?

\aradi tcard. tcard. txt Send me : \aradi file and launch calc.exe


J p ?

Email

j !

; Cdk.exe j ex ec ut ed

I

*

* y rl• Attacker

Internet

Firewall

Victim

FIGURE 6.15: Illustrating the attack process using email Trojans

Module 06 Page 877






E-m ail Troja Tro jans ns:: Rem oteBy M ail

C EH

C«dseMecUed 0 Ertvai: :«nr

0

Next eavjrf check 000900 Nov* ctociung

POP patswad

lastitspow

SMT P Mfv«r

$t«t• No co«*tt ton

Avaijfatewrnnand

10/tjeAaoxn Aulherticaton| Aulherticaton| Sanew anew POP

lo .« .«eaa eaa

j]

SMTPuter

Piogrmt

SMTP pa«wad p*t*
SoltPwf e (»c«pod*0t c«pod*0t olip#<* • canl

r

----

__

......

uMnVo**[*•*•**00

•><»s»np»ecQn»

d*

m>w

»•

_____ » y uteri mai»* «* 0!.

•

6

_


Em Trojans : ARemoteBy Mail A I I Uail A A Trojans: A A \ S JV & A L 1 9 ■ V V I I I V / I V A / Jf A f ia ii U RemoteByMail is used to control and access a computer, irrespective of its location, simply by sending email. With simple commands sent by email to a computer at work or at home, it can perform the following tasks: 0

Retrieves Retrie ves list list of files and folders folder s easily

0

Zips Zips files automati auto matically cally that are to be transferred transfe rred

0

Helps to execute programs, programs, batch files, or opens files

This is is an easier way to access files or to execute programs on a computer comp uter remotely. remot ely. The main screen displays information that the program has received and processed: 0

Start Server: Ser ver: Click Click the Start Server icon icon for RemoteB yMail to begin the process process and and receive email email

0

Stop: Click the Stop icon to stop stop the application applicat ion at any time

0

Check now: Checks Checks for next scheduled email

0

Statistics: Statis tics: Displays program information informatio n

0

Listening to Accounts: Accou nts: Displays Displays accounts and associated email addresses

Module 06 Page 878






0

Emails received rece ived:: Displays Displays email list list containing commands the program program has has received receiv ed

0

Command Comman d queue: Displays commands the program has has received receive d but not yet processed

0

Outgoing emails: Checks Checks for processing processing email

0

Emails send: send: Displays Displays list of email sent by Remo Re moteB teByMa yMail il

RemoteByMail accepts and executes the following commands: 0

HI: Used Used to send email with the content "Hi" to your email address

0

SEND: Sends files located on the host computer comp uter to your email address

0

ZEND: Zips Zips and and then sends sends files files or folders located on the host computer comp uter to your email address. To open a Zip attachme atta chment nt after afte r you receive, en ter the password you chose when you created the account

0

EXECUTE: EXECU TE: Executes programs or batch files on the host's computer comp uter

0

DIR: Sends Sends the directory directo ry of a drive or folder fold er to your email address

N» Accor• Too•

©

^ 0.0

Ujf>

D*•

ficm

C#•

>o>

3 Cm* imo M 0 E«m* mr* 0 Nerf«ooicr«d »C9CC Hw c.'Kirg rg

9w

POPtm!■ wig SMTPMfv PMfvw

IwHp IwHpwh whcq cqnn

SMTP *

A»
LMWtr Om

To

•

I

SMTP9$mm* SMTP9$mm*

C1«MaM*ct«gM ifim

J

{*oJ&tyaMttCi•'*•*

itft

• nv.'/.'xn w n /sm r m

**« :fw' fw 'tng mk«I r

, v««

f*.0 * u+nnt* (,*mac**

✓0* ✓0* I

Xi w !

7 b* |

FIGURE 6.16: RemoteByMail screenshots

Module 06 Page 879






D e f a c e m e n t T ro roj a n s

CEH

Defa cem ent Troj Trojan anss Defacement Trojans, once spread over the system, can destroy or change the entire content present in the database. This defacement Trojan is more dangerous when attackers target websites; they physically change the entire HTML format, resulting in the changes of content of the website, and even more loss occurs when this defacement targets e-business activities. It allows you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond. Resource editors allow you to view, edit, extract, and replace strings, bitmaps, logos, and icons from any Windows program. They apply target-styled Custom Applications (UCAs) to deface Windows applications. Example of calc.exe defaced:

Module 06 Page 880






You Are Hacked! I !!!

View

Help ~~0.

Defaced calc.exe

E Calculat Calculator or

1 |6acfctfrace| |

YouAieHeckedtlll! View heto

I

I b k * 1m < « | i

0

q

it

ce

z ip

0

■ 7]

^ 1 i i ; . [ >]

CE

|[ ~ C

0

c

0 1 E

IZ]

jn -j

0 0

0 0 0

0

FIGURE 6.16: An example of calc.exe defaced

Module 06 Page 881






Defacement Trojans: Restorator Source: http://www.bome.com Restorator is a versatile skin editor for any Win32 programs. The tool can modify the target interface of any Windows 32-bit program and thus create target-styled Custom Applications (UCAs). You can view, extract, add, remove, and change images, icons, text, dialogs, sounds, videos, version, dialogs, and menus in almost all programs. Technically speaking, it allows you to edit the resources in many file types, for example .ocx (Active X), .scr (Screen Saver), and others. The attacker can distribute modifications in a small, self-executing file. It is a standalone program that redoes the modifications made to a program. Its Grab function allows you to retrieve resources from files on a target's disk. Restorator is the Borne flagship product that allows you to do resource (resources are application-dependent data that the respective programmer includes in the program) editing. It is a utility for editing Windows resources in applications and their components, e.g., files with .exe, .dll, .res, .rc, and .dcr extensions. You can use this for translation/localization, customization, design improvement, and development. This resource editor comes with an intuitive target-interface. You can replace logos and can control resource files in the software development process. It can intrude into the target's system and its working programs.

Module 06 Page 882






storator 2007 Trial -C:\Software\Softpedia.exe File

Resources

Viewer

Edit

Tools

Help

a - a a o o ,

Res Viewer

H

B

*

•3•

1

Resouice Tree a ]§) Softpe Softpedia dia.ex .exe e S Strin String g S O Q IS

mmmm Saving Delphi/C++ Builder Forms

2 Neutr< tr< R CD CDat a □ 11111 I co con □ MAIN MAINI

Q 1C) Version

□ 1 B t j Manife ifest

1 □ 1

Codepage Shell Integration Viewer Text Editor File Browser RC Files Advanced

1*1 Sho w T ooKips [default] 0 Allow multiple ultiple Restorator instances 0 Show splash screen on start Keep Restorator Window always on top 0 Ask for Folder, when assigning/extracting ing/extracting all [default] [default] Number of recently used files in file menu:

10 ^

Number 01recent 01re cently ly found files in file menu:

20

2> 0K 19 20 21 22 23

String\4089\Neutral

654 26 654 27 27 654 28 654 29 654 30

In t e g e r o v e r f l o w I nv nv al al id id f lo lo at at in in g p oi oi nt nt o pe pe ra ra ti ti on on F lo lo at at in in g p o in in t di di vi vi si si on on by by z er ero F l o a t i ng ng po po in t ov ov e r f l o w F lo lo at at in in a p o in in t u n de de rf rf l ow ow

String

1 open file file

FIGURE 6.17: 6.17: Restorator Screenshot

Module 06 Page 883






B o t n et et T r o j a n s 0

CEH

J

Botnet Troj Trojan ans s infect infect a large large numbe numberr of compute computers rs acro across ss a larg large e geogr geograp aphic hical al area to create a network of bots that is controlled through a Command and Control (C&C) center

J

Botnet is used used to launch launch various various attacks attacks on on a victim victim includ including ing denia denial-o l-off-se servi rvice ce attacks, spamming, click fraud, and the theft of financial information

,0

0

0 .

Website

Botnet Server Copyright © by EG-GlDDCil. All Rights Reserved. Reproduction Reproducti on is Strictly Strictl y Prohibited.

Cl

Botnet Botne t Tro jans

soft ware re robots r obots (worms, (wo rms, Trojan horses, horses, and and backdoors) --- A botnet is a collection of softwa that run automatically. It refers to a collection of compromised machines running programs under a common command and control infrastructure. A botnet's originator (attacker) can control the group remotely. These are computers (a group of zombie computers) infected by worms or Trojans and taken over surreptitiously by attackers and brought into networks to send spam, more viruses, or launch denial of service attacks. This is a computer that has been infected and taken over by an attacker by using a virus/Trojan/malware. Botnet owners usually target educational, government, military, and other networks. With the help of botnets, attacks like denial of service, creation or misuse of SMTP mails, click fraud, theft of application serial numbers, login IDs, credit card numbers, etc. are performed.

Module 06 Page 884





Botnet C&C C& C Server Serve r FIGURE 6.18: Illustrating the process of infecting company's website using Botnet Trojans

It has two main components: 0

Botnet

0

Botmaster

They target both businesses as well as individual systems to steal valuable information. There are four botnet b otnet topologies. topologies. 0

Hierarchal

0

Multi Server

0

Star

0

Random (Mesh) (Mes h)

Module 06 Page 885

Ethical Hacking and Countermeasures Copyright © by EC-COUIICil





Botnet Troja Trojan: n: Illu sio n Bot and NetBot Attacker

Reload

pdM dM* creMBOTBNOTirO1

11Ho•* ’( U 01

Pat

2 j j

f\*

ho* ho* 1aaa1

6567 6667

Char ttctvsn P*»: *e *

Chan #ch*n

IJHotf

21

Po»t

Dd«J mnxn

4

Safci .pat

R

* Sock:5oat

R

HP. PC*

R

Random tanpe

2001

Bindttwi. port

RCAo c i m

ixccvcro

MD5 C«ypt

* * ° OP* W a r IRC IRC charrel charrel ,/ |Rr ,

CdrcMicc

* — ! . *. ■*, 1 “ •MW

OyMJSXP SP2 FbtdVduw


Botnet Trojan: Illusio n Bot an d NetBot A ttack er Illusion Bot is a clear GUI tool for configuration. When this bot starts, it checks the OS version and if it detects Win98, it calls the Register Service Process API to hide the process from the Task Manager. The bot then proceeds to install the rootkit component. If the installation fails, the bot tries to inject its code inside the explorer.exe process. Illusion Bot is a GUI tool. Features: 0

C&C can be managed over ove r IRC IRC and HTTP HTTP

0

Proxy functionali functi onality ty (Socks4, (Socks4, Socks5) Socks5)

0

FTP service servi ce

0

MD5 support for passwords

0

Rootkit

0

Code injection

0

Colored IRC messages

0

XP SP2 Firewall bypas bypass s

0

DDOS capabilities capabili ties

Module 06 Page 886






NetBot Attacker provides a simple Windows Ul for controlling a botnet, reporting and managing the network, networ k, and and commanding attacks. It installs in to the systemin systemin a very ve ry simple simpl e way wa y such as RAR file with two tw o pieces: an INI INI file (see the following, partially editedan editedand d obscured) and a simple EXE. EXE. The original NetBo Net Bott Attack er is is a backdoor; thistool thistool retainsthat retainsthat capability capabi lity and lets you update the bot and and be a part of the rest of the botnet.

9 Br^ry

C \Doajmem and 5«tngs \Wmu»' Pa«5c^ cio/ABOT6INARY E>t —

Retoad

IRCAdnrabtfion

1 01>Jme hosts flltac* Atea Collective order Ute 11

1| Hot* 10 10001

Poll 66 6667

Chan BeHsn

Pats 4*$r

21 Horf 10001

P o ll 6667

Chon Uchan

Pa w

WE B A<*nrct140n 1| Most

Port

Paih

21 Host

Port

Path

F e lt e s hlf w

i sec

r * * j » mmc « Socfc*4. pot♦

R

* $ock»5. pott

R

FTP 00<

R

« Random larnj?

2001

■ 3000 R

Bndshel port

IRC Acc* 1 t BOT PASSWORD O0km *•t et*N et *N D1»v#t * lot *•t S*v#

*•*•n ipgn'if

+ C ot oc dR C nreuages

MDSDypt

<**ny

+ A140 0P admn onlRC ehannri

* IRC tmvH tmvH

+ Irp ct cod• |rfdnvat rfdnvat fWc|

* Bypat tXPSP2F«**al FbodV^jat

« Add to autoload Ext

|

Sava

paiwwtd

About

FIGURE 6.18: Illusion Bot and NetBot Attacker Screenshots

Module 06 Page 887






P r ox ox y S e r v e r T r o j a n s Proxy Trojan

,an

W

Trojan Proxy is usually a standalone application that allows remote attackers attackers to use the victim's victi m's computer as . a proxy to connect to the Internet

Hidden Server

Proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer

Infection

Thousands Thousands of machines on the Internet In ternet are infected with proxy servers using this technique

| p •aS © 1®'i Attacker

Victim (Proxied)

Process

Target company

Internet


Proxy Server Trojans A proxy server Trojan is a type of Trojan that customizes the target's system to act as a proxy server. A proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer. The attacker can use this to carry out any illegal activities such as credit card fraud, identity theft, and can even launch malicious attacks against other networks. This can communicate to other proxy servers and can also send an email that contains the related information.

4 ! P Attacker

■ Victim (Proxied)

Internet Inter net

Target Company

FIGURE 6.19: Attacker infecting Target company's system using Proxy Server Trojans Trojans

Module 06 Page 888






Proxy Server Serv er Trojan: Trojan: W3bPrOxy Tr0j4nCr Tr0j4nCr34t0 34t0rr (Funny N am e)

J

W3bPr0xy Tr0j Tr0j4n 4n is is a proxy proxy server se rver Trojan which support multi connection from many clients and report IP and ports to mail of the Trojan owner


Proxy Server T rojan: W3bPrO xy Tr0j4nCr34t0r Tr0j4nCr34 t0r (Funny Name) W3bPrOxy Tr0j4nCr34t0r is a proxy server Trojan developed in order to access systems remotely. It supports multi-connections from many clients and reports IP and ports to the email of the Trojan owner.

Module 06 Page 889






Listening Ports [Separate [Separ ate ports ports with a slmicolon(;)] (; )] 10;Zl;Z2;80;81;135;l36;«lM12;666;H33;1434;2012|

ZHTectm

%[Mndows system]

few f V o S f • We kom c to W3bPr0xy TrOHn Cr34IOr Cr34IOr V . 1 . D

FIGURE 6.20: W3bPrOxy Tr0j4nCr34t0r detecting IP address

Module 06 Page 890






FTP FTP Trojans Tro jans

CEH

Send me \ c r e d i tc tc a r d . t x t f ilile

(FTP Server installed in the the background)


Victim

06/02/2012 09/06/2012 08/24/2012 05/21/2012 05/21/2012 06/04/2012 08/11/2012

1,024 rod 0 abc.tzt <0IR> AdventHet 0 AUTOEXEC .BAT 0 COBFIG.SYS <0Ht> Data <0IR> Documents

FTP Trojan: TinyFTPD FTP Trojans install an FTP server on the victim's machine,

£53 Comm and Pro mpt C : \ D o c w e n t s a n d S e t t i n gs gs \ A t M 1 n\Desktop\TinyFTPD 21 55555 test test c:\ win98 all RHLCD

which opens FTP ports

Tiny FTPD VI. 4 By WinKggDrop

An attacker can then connect to the victim's machine using

Bi nd Po rt : Us er Na ae :

FTP port to download any files that exist on the victim's computer

FTP Server Is Started ControlPort: 21 55 555 t es t

P as sw ord:

t es t

BaaeDir:

c:\win96 all

Al lo vd IP: L o ca ca l A d dr dr es es s: s:

1 92 92 . 16 16 8. 8. 1 68 68 . 16 16

R e a dA c ce ss :

Yes

Wn te Ac c es s: LIstAccess:

Ye s Ye s

CreateAccess: D e le le t eA eA cc cc es es s: s: E xe xe cu cu te te Ac Ac ce ce ss ss : UklodcAcoess: Ano nya ous Acc ess

Ye s Y es es Y es es No No

Check Tise Oat Thread Created Successfully *************** 0 C o n n ec ec t i o n Is Is I n Us Us e

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

FTP Trojan s An FTP Trojan is a type of Trojan that is designed to open port 21 and make the target's system accessible to the attacker. It Installs an FTP server on the target's machine, allowing the attacker to gain access to sensitive data and download/upload files/programs through the FTP Protocol. Further, it also installs malware on the targets system. Credit card information, confidential data, email addresses, and password attacks can also be employed where only the attacker gains access to the system. FTP Server

Send me c : \ c r e d i t c a r d . t x t fi f i le

(ft

95V*• Hacker

(FTP Server installed in the background)

Here is the requested f ile

Victim

V u l u nc nc I n d r i v e C h a s n o l a b e l . V o1 u n e S e r i a l N u n b e r i s D 45 45 E -9 -9 FR FR E D i r e c t o r y o f C : \ 06/02/2012 1,024 -rnd 09/06/2012 0 abc.txt 08/24/2012 AdventNet

05 /21 /20 12 0 AUTO AUTOEXE EXEC.B C.BAT AT 0 5 /2 1 /2 0 1 2 0 C ONFIG.SYS 06/04/2012 Data 08/11/2012 Documents and

FIGURE 6.21: Attacker infecting victim's system using FTP Trojans

Module 06 Page 891






FTP Trojan: TinyFTPD

Command Prompt C: \ Document ent s and Set Set t i ngs\ ngs\ Admi n\ Deskt op\ op\ Ti nyFTPD nyFTPD 21 5555 55555 5 t est t est c: \ wi n98 al al l RWLCD Ti ny FTPD FTPD VI . 4 By By Wi nEgg nEggD Dr op FTP FTP Server Server I s St St art ed Cont r ol Por t : 21 Bi ndPo ndPorr t : 55555 User Name: t est Passw Password: t est Hom eDi r : c: \ wi n98 n98 Al l owd I P: al l Local Addr ddr ess: 192. 192. 168. 168. 168. 16 ReadAccess: Yes Wr i t eAccess: Yes Yes LI st Access: ccess: Yes Yes Cr eat eAcces eAcces s: Yes Yes Del eteAccess: eteAccess: Yes Yes Execut eAcces eAcces s: Yes Yes Unl ockAccess: ockAcces s: No AnonymousAcc ous Acces ess s : No Check heck Ti me Out Thr ead Cr eated Successf Successf ul l y ******** ****** * wai t i ng For For New New Connec nnectt i on 0 Conne onnect ct i on I s I n Use

FIGURE 6.22: TinyFTPD Screenshot

Module 06 Page 892






CEH CEH

VNC Trojan Tro janss VNC Trojan starts a VNC Server daemon in the infected system

It connects to the victim using any VNC viewer with the password "secret

i

Since VNC program is considered a utility, this Trojan will never be detected by anti virus

Command and control instruction

f Attacker

t

Victim

VNC Server


VNC VNC Trojan s VNC Trojans allow attackers to use the target's computer as a VNC server. These Trojans won't be detected by antiviruses after they are run, because VNC Server is considered a utility. Performs the following functions when it infects the system: 0

Starts VNC Server Ser ver daemon in the background when infected

0

Connects Connects to the target using using any VNC view er with the the password "secret "

Command and control Instruction

VNC Traffic

Attacker

Victim

VNC Server

FIGURE 6.23: Attacker uses victim's computer as VNC server using VNC Trojans

Module 06 Page 893






VNC Trojans: WinVNC and VNC Stealer E M

Incoming Connections

Itk.ul IUcIm

®

OK

f? Accept Socket Connecti Connections ons Display Number [~

imttiM

VNC Stealer

WinVNC W in in VN VN C: C: C ur ur re re nt nt U se se r P rro o pe pe rt rt ie ie s

- _ |

I? Auto

OS

Cancel Apply

Password:

r* Accept CORBA Connect.':.'! r

Disable Remote Keyboard & Pointer Pointer

r

Disable Disable Local Keybo Keyboard ard & Porte*

Ftp•Settings •Settings Host:

Update Handing Pol Consoie Windows Only Only

l~ Poll Ful Screen Screen f? Pol Fore Foregr grou ound ndWindow Window F

T

^

Pol Wrtdow Wrtdow Unde Underr Cuso Cusorr


VNC VNC Trojan s: WinVNC an d VNC VNC Stealer WinVNC and VNC Stealer are two VNC Trojans.

WinVNC WinVNC is used for a remote view or to control a Windows machine so this becomes a threat as attackers are able to inject a Trojan into the system and then they are able to access the target's system remotely.

VNC Stealer VNC Stealer is a Trojan written in Visual Basic. VNC.EXE has been used to perform the following behavior: Q The process is packed and/or encryp enc rypted ted using a softwa sof tware re packing process Q

Creates system tray pop-up pop-ups, s, messages messages,, errors, and and security warnings

Q Adds products to the system system registry 9

Writes Wri tes to another Process's Process's Virtual Memo ry (process (process hijackin hijacking) g)

9

Executes Execut es a process

0

Creates new folders on on the system

Module 06 Page 894






9

This This process deletes delete s other processes from a disk disk

9

The process hooks code into all all running processes, processes, which could allow it to take control of the system or record keyboard input, mouse activity, and screen contents Registers a Dynamic Link Library File

WinVNC

VNC Stealer

WinVNC: Current User Properties Incoming Connections

OK

!7 Accept Socket Socket Conne Connections ctions Cancel

Display Number: [~

Apply

Password: P Accept Accept C0R8A C0R8A Conne Connector!: ctor!:

r~

Disable Remo» Remo»e Keyboard I Pointer

T Disable Local Keyboard Keyboard i Ponte* Update Handkng Handkng r

Pol Pol Ful Ful Screen creen

(7 Pol Foreg oregro roun und d Window 1“

n

Pol Console Windows Only

T

R^ Cw JOr t v

Pd Wn do w Under nder Cusor

FIGURE 6.23: 6.23: Screenshots showing WinVNC and VNC Stealer

Module 06 Page 895






H T T P /H /H T T P S T r o j a n s

CEH

The child program appears to be a user to the firewall so it is allowed to access

Spawn

HTTP Trojans can bypass any firewall and work in the reverse way of a straight HTTP tunnel

W /

the Internet They are executed on the

internal host and spawn a child at a

predetermined time

^

HTTP request to download a file

Trojan passes through


HTTP/HTTPS Trojans HTTP/HTTPS Trojans can bypass any firewall, and work in the reverse way of a straight HTTP tunnel. They use web-based interfaces and port 80. These Trojans are executed on the internal host and spawn a child every day at a certain time. The child program appears to be a target to the firewall which, in turn, allows it to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimatelooking answer from the attacker's web server is in reality a series of commands that the child can execute on the machine's local shell. All traffic is converted into a Base64-like structure and given as a value for a cgi-string, so the attacker can avoid detection. The following is an example of a connection: Slave: GET/ ET/ cgi - bi n/ or der der ? M5mAej TgZ TgZdgYO dgYOdgl dgl OOBqFf VYTgj YTgj FLdgxEd FLdgxEdbl bl He7kr e7kr j HTTP/ TTP/ 1. 0

Al f bknz Master replies with: gSm The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "Is" command from the attacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER. If needed, the child is spawned because if the shell hangs, the attacker can check and fix it the next day. In case the administrator sees connections to the attacker's server and connects it to himself, the administrator just sees a

Module 06 Page 896






broken broken web server serv er because there is a token (password) in the encoded cgi cgi GET request. request. W W W proxies (e.g., squid, a full-featured web proxy cachel) are supported. The program masks its name in the process listing. The programs are reasonably small with the master and slave programs, just 260-lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell. "rwww shell.pl pl slave" on the SLAVE, SLAVE, and and run run rwwwshell. rwww shell.pl" pl" on the MASTER just before before it is the time at which the slave tries to connect.

FIGURE 6.24: Victim's system infected with HTTP Trojans

Module 06 Page 897





HTTP T ro roja jan: n: HTTP RA RAT Infect the victim's computer with s e r v e r . exe and plant plant HTTP HTTP Trojan Trojan The Trojan sends an email with the location of an IP address

Connect to the IP address using a browser to port 80

e

Displays ads, records personal data/keystrokes

»

Downloads unsolicited files, disables programs/system

© Floods Intern et connection, connection , and and distributes threats © Tracks browsing activities and hijacks Internet browser 6

Makes fraudulent claims claims about spyware detection and removal

Copyright © by EG-GMMCil. All Rights Reserved. Reproduction Reproductio n Is Strictly Strictl y Prohibited.

HTTP Tro jan : HTTP RAT RAT RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. A RAT can provide a back door for administrative control over the target computer. Once the target system is compromised, the attacker can use it to distribute RATs to other vulnerable computers and establish a botnet. The RAT enables administrative control and makes it possible for the attacker to watch all the target's actions using keyloggers or any other spywares. An attacker can also implement credit card fraud, identity theft using confidential information, and can remotely access web cams and video recordings, take screenshots, format drives, and delete, download, and alter files. It can't be detected as it works like genuine programs and it is not easily noticed.

Module 06 Page 898





□

HTTP RAT 0.31

r• 'bJ r iIxk XMkdoor TTP TTPWebserver RAT Webserve r /b y zOmb zOmbie ie

vfl.31

Infect the victim's computer with

<*>

KM xr nlM

iWngi

ser ver . exe exe and plant HTTP Trojan The Trojan sends an email with the location of an IP address

& tend noM1c*hon wtfh p •ddrett 10 rnal

©

SMTP t a w 4 servin serving g mat u c4n specrfyt«v« 4l s « w t detntfod Mrih .

I B S H S B S S 8 S S 9 ---y o u « m d « t t *1 s (you@mad ca n

P cteeFwWA cteeFwWA

<2>

Connect to the IP address using a browser to port 80

t»ve»portf86

Victim

A

Generates |

ser ver .exe .exe : using HTTP HTTP RAT :

w»kom» 2 HTTP_RAT infected computer >:]

«I'ynr I'ynrwgmtiiM tiiMl

rti rti hi■1 »«l

mhi. m1»nn■ml

Attacker FIGURE 6.25: Attacker infecting Victim's system using HTTP RAT

Module 06 Page 899






Shttpd Trojan - HTTPS (SSL)

CEH

0

0

J

SHTTPD SHTTPD is is a sma small ll HTTP Server that that can can be embedd embedded ed inside inside any any program

J

It can can be wrapped wrapped with a genuin genuine e program program (gam (game e chess .exe), when executed it will turn a computer into an invisible web server

0

0

Normally Firewall allows you through port 443

Attacker

Encrypted Traffic

Victim IP: 10.0.0.8:443

IP: 10.0.0.5:443

Connect to the victim using Web Browser

Infect Infect the the victi victim's m's computer computer with with c h e s s . ex e

http://10.0.0.5:443

S h t t p d should be running running in in the backgroun background d listening on port 443 (SSL)


Sh ttpd T ro ja n - HTTPS (S (SSL) o -fr-a -fr-a

Shttpd is a small HTTP server that can easily be embedded inside any program. C++ source code is provided. Even though shttpd is not a Trojan, it can easily be wrapped with a chess.exe file and it can turn a computer into an invisible web server. 0

Infect the target's computer with chess.e chess.exe. xe.

0

Shttpd Shttp d should be be running in in the background listening li stening on port 443 (SSL).

0

Connect to the target usin using g a web browser: bro wser: http://10.0.0.5:443. http://10.0.0.5:443.

Attacker

Normally Firewall allows you through port 443

6 Encrypted Traffic

IP: 10.0.0.5:443

Victim

IP: 10.0.0.8:443

Connect Connect to the victim using using Web Browser http://10.0.0.5:443

Infect Infect the victim's computer with chess . ex e Shttpd should be running in the background listening on port 443 (SSL)

FIGURE 6.26: Attacker infecting Victim's system using Shttpd Trojan Module 06 Page 900






ICMP Tu nneling nneli ng J

Co ve rt c ha nn els are me tho ds in w hic h an att ack er ca n hid e t he dat a in a pro toc ol

47)

that is undetectable J

Th ey rely on t ec hn iqu es call ed tu nn elin g, wh ich all ow on e pro toc ol t o be car rie d over ano ther protocol protocol

J

V

IC M P tu nn eli ng uses IC M P e cho -re que st a nd repl y to ca rr y a pa ylo ad and stealthily access or control the victim's machine

ICMP Client (Command:

ICMP Trojan: icmpsend

ICMP Server (Command:

i cmpsend psend ) &

i cmpsrv - i nstal stal l )

Command Prompt

0

C:\Documents and Sett»>gs\Adm1n1strat0f.VIND0WS\Deskt0p\l CMP Backdoor Win32>1cmp Send 127 0 0 1 —( ICMP-C md vl .O b eta , by gx iso ne ]— -i

—{ —{

E-mail E-mail::

g^ grK tf hotmail.wm w m ]2012/B/15 2012/B/151— 1—

Us Usag ag e: icmp sen s en d Remo telP telP CtrHC or Qfq to Quite H/h for help 1c1ap-caco>H

[http://127.0.0.1/hack,exe e xe =admin exe] 32> [psltst] [pski■ [pski■ ID] ID] Co mman d

Commands are sent using ICMP protocol

Command Prompt

C:\Docunwnts and Settilngs\Admlnlstrator.VINDOWS\Desktop\ICMP Backdoor Wln32>kmp

—{

ICMP-Cmd vl.O beta, by gxlsone }—

-i

2012/»/15 2012/»/15

b~

Usage: Icmpsrv -in stall kmpsrv -remove Transmitt ing FUa- Success I Creating ng Service - Success I Starting Service _ Pending _ SuccessI C:\Documents and SettingsVWmln»str«tor.VINOOWS\DesfctopVlCMP SettingsVWmln»str«tor.VINOOWS\DesfctopVlCMP Backdoor Win32

Cbpyright © by EC-CMICil. EC-CMICi l. All Rights ^gServed. Reproduction Reproduct ion is Strictly Stri ctly Prohibited. Prohibit ed.

ICMP Tunneling The concept of ICMP tunneling is simple since arbitrary data portion of ICMP_ECHO and ICMP_ECHOREPLY packets is contains a covert channel that can be destroyed due to tunneling. the contents of ICMP_ECHO traffic, making the use of this channel

information tunneling in the possible. ICMP_ECHO traffic Network devices do not filter attractive to hackers.

Attackers simply pass them, drop them, or return them. The Trojan packets themselves are masquerading as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information. information. Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable. They rely on techniques called tunneling, which allow one protocol to be carried over another protocol. A covert channel is defined as a vessel through which the information can pass, and it is generally not used for information exchanges. Therefore, covert channels cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine.

Module 06 Page 901






ICMP Trojan:

ICMP Client

ICMP Server

icmpsend

(Command:

(Command:

icmpsend Cvictim ip>)

icmpsrv -install)

Command Prompt

Command Prompt

C:\Documents and S«ttlngs\Admlnistrator.VINDOWS\Desktop\l CMP Backdoo r Win32>i Win32>icmp cmp Send 127.0.0.1 =====w«ico«ne to ww>v.hachgrxfil*s.n«====== —[ ICMP-Cmd v1 0 beta, by gxisone J— —{ E-mail: l:

Commands are sent using ICMP protocol

qxisone@hotmail com ]—

—C

Command ICMP-CMD

—

-Welc ome to to www.tiat www.tiat ketxfiles.net—— — —

— [

ICMP-Cmdvl.O beta, bygxisone ]—

— [

F-mdil: gxisone@hotmail.com

-[

[http:/n 27.0.0.1/hack.exe =admin.exe] [pslist]

Srv -install

2012/8/15]—

Usage: icmpsend RemotelP Ctrl+C or Q^q to Quite H/h for help ICMP-CMD>H

[pskill ID]

C:\Documents and Settiings\Admini3trator.VVJDOWS\De9ktop\ICMP Backdoor Win32>icmp

2012/8/15

]—

J---

Usage: Ian Ian psrv- install Icmpsrv -re move <1.0 remov e service> Transmitting File .Success I Cieating Service _. Success I starting Serv ice... Pending... success! c:\Docum ents and Settings\Admi nistrator. v!Ntx)Wb\Desk v!Ntx)Wb\Desktop\1C top\1C M’Backdoor

FIGURE 6.27: ICMP Tunneling

Module 06 Page 902






R em ote A ccess T rojan s

CEH 1 1 1

Attacker gains 100% I_______ (complete) access to the system _________

Rebecca Victim Infected with RAT Trojan Trojan

J

This Troja rojan n work works s lik like e a remote remote desk desktop top access

1.

Infect (Rebecca's) compu ter with server.exe and plant Reverse Connecting Trojan

J

Hack Hacker er gains ains comp complet lete e GUI GUI acc acces ess s to the remote system

2.

The Trojan Trojan connects to Port 80 to the attacker in Russia establishing a reverse connection

3.

Jason, the attacker, attacker, has comple te control over Rebecca's machine


Rem ote Access Trojans 1 —1 — Remote Rem ote access Trojans provid pr ovide e full contro con troll over ove r the targe tar get's t's system syst em to attacker atta ckers s and enables them to remotely access files, private conversations, accounting data, and so on in the target's machine. The remote access Trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the target is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the Trojan. Attackers on the same network located behind the firewall can easily access the Trojans. Examples include the Back Orifice and NetBus Trojans. Another example, the Bugbear virus that hit the Internet in September 2002, installed a Trojan horse on targets' systems, giving access to sensitive data to the remote attackers. This Trojan works like a remote desktop access. The attacker gains complete GUI access to the remote system. The process is as as follows: 1.

Infects (Rebecca (Reb ecca's) 's) computer comput er with server.exe and plants Reverse Connecting Trojan.

2. The Trojan connects to Port Po rt 80 to the attacker atta cker in Russia Russia establishing a reverse connection.

Module 06 Page 903






3. Jason, the attacker, has complete compl ete control over ove r Rebecca's machine.

Jason Attac Attacker ker Sitting in Russia

Attacker gains 100% (complete) access to the system

Rebecca Victim Infected with RAT

FIGURE 6.28: Attacker infecting victim's machine using Remote access Trojans

Module 06 Page 904





R e m o t e A c c e s s T r o j a n : RAT D a r k C o m e t a n d A p o c al a l y p se se hSodi

D

r c ll 1z .

E?

7> Wan/Qian]: Port

11 1668 MctnwF. ctnwF. . . 92G VicbmesF. . L 9CC VictmejF... . YlcomesF.. IU1012■viamesF. . . Uctme*F. . . 132•* \pm«F... u 18C4 V
u1:128 \
•

■ 59/[192.1... 5.154 5.154 f [192... ♦2.43/[192... ♦2.43/[192... LSC60T-HI / C<*is3'2 *6.142 / [192... .. • 27/ [192.1. . 0IIV2/SYSTEM 138/[:92.... AfJTHOHYLOPSZ f 5ys.. . PC-OESHCLGO/Sho... •6. 136/] 192.... ANTHONYLOP YLOPEZ / u *. .. • 150 150/] 192.... SNAKE-E7D71CD4A I f . . . DIV2 / Acrr»n>itr*t*ur 27/ ] 192.1... PC■0CSHXEX3/ Sho... •6.28/] 192.... • ♦2.43/] 192... PCOS-MOI / rxx • 55/] 192.1... SNAKE137CO-PC/« ** .. . PC0 6 •A •ALEX / AL ALEX .07/ [192.1... TTANCtM TTANCtM / Adnrwf r«... - m *4/[192.16... L5C0OT-III 0OT-III / SYSTEM tm .46.142 /[192... DAMJEN-PC 1 d*n*c • • 172 172/] 78.2... •

-

• •

Windows Wndore Wndov•1 Window windows windows Window* Wrtdows W«do/tt Windows Wndo v* V fe fe do do w• w• W*d0W WHdOWS

23/] 192 ..

•

• •

- • Sl/[192.1... .07/[192.1...

Wndo%*ff99 Window S Wndo. »

OAVIDOURS-PC/ D *v . PC-OC-AlOC/ SYSTEM

moo

?*1

v
Trr ». • D»t

D

IP WAN/&.AN] : Pert Pert

19:14c37/:2/03/2010 19:14•38/: 2/03/20:0 19; 14.•0/: 2/03/20:0 19:14:44/12/03/2010 19:14t 19: 14t44/12/03/20:0

VKQmesf... VKQmesf... • V1
vtcomesF... VkbfnesF... Lpdat* Lpdat*

• • * • •

I■ • * - ^

tm%•

• •

• •.

] Status: Status: Kt*rtng. Kt*rtng.

Copyright © by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited.

Rem ote A ccess Trojan: Trojan: RA R A T D arkC om et and Apocalypse DarkComet is a tool that allows you to remotely access the administrative controls and privileges of an infected machine without the user's knowledge or permission. It provides you with access to processes, registry, command prompts, webcams, microphones, applications and can even provide a keylogger whenever you use the system.

Module 06 Page 905




t DarkComet•RAT v 2 j0 RC3 •Uset(s): 21

IPWan/lL /lLan]: Port C0"t>ut*r Htm Htmt/j t/jtvU tvU... OS .Vr^5Ses«o [7600] *• • * 59/(1921... S0RAr*5/$y»t*me /164. ... K0 C4tAC^/5r5T»r wnd»* a - 192] /164. nd»**vataSarvica... wmoorteV«USarvKt... t... • 4:.43/[l»2. 4:.43/[l»2..... ^C-OC-MOI/SYSTCV $e v>ceP.. eP.... • — at.143 143/(*2 /(*2.... .SOOOT-Xn/daee*42 vvw!d»M« $ev .VrxS>.SX .SXPSer..-ce ceP... P... •a•• 27/(1921... DIMZ/SOTM • • 136/[192.... ANTWa0PK/Sy* PK/Sy*... ... •..•n .•ndoA«Sr.«n A«Sr.«n [7600] Wndov«v«staServe*... •6.28/] 192 .. ?Ct€ SH(XOt3/Sfo... • « 136/ [192.... AWTHC^YL0P€2/utl.. tl.... \Mndb \Mndb«S «Se*n e*n[7600] P.. . • • 150/[192.... SNAKE■C7071C04Aif... Vrx»A5XPS«r,ic*P... A4rrv*»?ete1r e•• e• • %27/ [1921 [1921... ... 5IMT/ A4rrv*»?ete1r XPSert-c ert-ce F... -5.28 /[192— 9C-0e-5HOtEXJ/»a... ..' ..' vata Servtca*. *.> >0... v.rxtoA'Svata Service... /bo wometf. tf. • 42.4 .433/[1 /[1M... ?C-O -OE-MOI bo 55/(1921... 1... S*iAc».. • .07/ .07/(1 (192 921. 1... .. ^C06*A^X/ Ai£X u'n&r;* vat»Se -ceP... ... vomesF. esF. - • 444/ 4/[1 [192 92.1 .16. 6..... TITANnx/ Ad Tr**fa... Tr**fa... Y.Vxto jvsx? Ser.-c vorxsF. • - 6. v.rxÂi x? Se . ce P... 6.142/[192... .S080T-m/SYST& .VrxJa -Se5 .»T1]7600[ McOmaaP. « « • 172/[ 172/[78 78.2... 5AV»iPC.'dan«r vvtimeeP. - aa %51/(192.1... DAVZXXftS^C ^ ... • ^. sS e. t« [7600] vscttmeaP. aa • v07/ [192 1... ... 9C-0EA^X v.nd»Ac*. Sev>c*.. 9C-0EA^X// SYSTS4 ^ 0 ^ »48 UV«4vKVO(any*S tân m tm e>0/ • tâ IPWAN/ILAN]:P0rt TweyOate ID 19: 14:37/12/03/2 /03/2010 VXtjmesF... - - :3490 i* ” 34» 19: 14:38/12/03/2010 Vg... OoanPort(•) Q SendOrder* t So*

1 1668 M 920 100 J 100 .4 M .4 MO 111012 n»44 v 1924 . 1040 I 11076 11076 i 1104 . 13*0 .. 1092 1 1 1030 1 11116 i 1344 » 564 M !!260 260 i 11240 I ■1129 . 4 *cton

10 vyomwF. VKCmuP. vxomeeP. vkemeaP. WOmesF. VmesF. vxtmwP. VKtmejP.

A. X X X X X X X X X X X X X X X X X X V

C Png :09*5 X 94MJ x :66 N, x 93M* 78Ms 343NS x 173* 360M* 47MJ 93Mj x 93Ms x :33.VS 79Mj x 63M5 171M* x 93MS x :72M» 07*■ Mf X :25MS

ActiveCaptMn 0. * 21294s 69 IS 8747* Progam 5274* Proga 4730* 340365 1S45S1 81s 142* 4731* 15456s avast1 •Avertasemeot ertasemeot 719s avast1 153Is ■•> DIDIERRIOLCCXRT. 3415 DI __ __ __ 36305 SRO.Oent S2305 Lacreca^ eaVye( ... 05 0• Total Conma«der 7.5 .50. 0..... 76S01S an Act%«Cap6 «Cap60n DIUIERRI0UC0URT<» • 8hotma<.com> WO.Oent :at :at

»•*> ^•®notma<.fr> lare < •/ »•*>^•® ' Toia Commander 7.50pubfcbe cbe.o6 .o6 M»d»etMetth.. ■ 1

FIGURE 6.29: RAT DarkComet Screenshot

Apocalypse Remote Access Trojan is a tool that allows you to modify the entire registry and allow .dl files to run executables. This runs in invisible mode when it is executed.

Ap oca lyp se Rem ote Ad m in is tr ati on Tool v l .

4.4 1 -

V let ton Onl ine

A ~ Connections

Brooded Brooded .j Settngj ettngj / Bulder X* SUtsbcs About a O Irtformahcn tformahcn Coinputer er Name Username Server© Wan f | PCWormebon 0 4 p0 p0crfypse_8C9C6S15 ECC273FF53A.. Hectors Hectors . . Server WornMbon Instale InstaleddAppfcattons ActivePorts ctive Ports >< Message Hoi Server K) apOcalypse C C b . . . . U X a 5) Accessories M«1*9«Bo . Uniag- Lai RemoteDesktop 41 MessageIcon Icon JK JKr,-. WebcamCapture ■4 ®OK C' Rw-y Cancol O ym. no > AucfcoCapture :ajKaytoggar 0«C4rc^ OY« No Cvcol O M>o» Rrty Ignc. Orkie Orkie Keylogger 0 Offtne Offtne Keytoggat 0 Mwmim■ I * CofWMvabon* 8 Jp Chat Server © SandMessage B ^Managers Me Manager 3 MeSearch Search Imtall ed Applications Server V : *pOcolypte BC9C6b1b 1 )1 0 0 t H O 0.1 fTi fTi f& y ) RemoteO oteOowrtoed Pegstry Edtor DisplayName Version UrmstelStmg * Opboard OpboardManager c:\ProgramFies\CommonM OAtfabeAB( AdobeSystems SystemsInc ClpboardTex ClpboardText AlchemyRemote £>ecutor *C:\F»o^ :\F»oârr>FtasVA arr>FtasVAkhemyR fie ClpboerdMat Ij Update far wndomXP(1*911164) l“ Mcroaoft Corporation rporation O StaticManager ticManager )3.4.0 (arHJS C:\PtogramF«es\MuAaFeel IMh Service ServiceManager TrWSQlyog 8.55 ) 55 C\P»ogramMes\SQlyogTri es\SQlyog Tri WabyogSoftworfePvt.Ud. C\P»o Process ProcessManager ModJes 0 Romanfrxsd anfrxsdon on (Rotas) *c:\wempVjransOOO.exe* “ WindowManager C:\PtogranPtes\w»P<**1 C:\PtogranPtes\w»P<**1* Tectnoioges es 4.1.0-2001 CACETectnoiog CommandPrompt ■ C:\Pro* C:\Pro*an Ffes\w*RAAUs C VlAnRA AnRARactever O Explorer Sattngs jWebttfr ttfrsX sXP Mcrotoft crotoft Corporation .S . S -, B * * f%jgr xe/I{AC766Ad6-7 AdobeSystems Incorpora.. Incorpora.... MsCxec.exe/I * J Adobe Raader . PasswordManager s* PasswordM MaF 10 f a a n HAIMTTTMI9 ,HAM« AM«Aft

12700.1

?

8961127 001912700.1

r

2.0.3.13070 M0ilaFre#0 ilaFre#0■(3 60)

S

F^Shif *4

a O Contact Us Webste £

93.3

90723

rwtale^ppkahor^êcerê^

I About NoConnecbon

FIGURE 6.30: 6.30: Apocalypse Screenshot

Modu le 06 Page 906

Ethical Hacking and Counte rmeasu res Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

93.3 .

1% »



C overt C h an n el T rojan: CCTT I C EH J

Covert Covert Channe Channell Tunne Tunneling ling Tool ool (CCTT (CCTT)) Troj Trojan an presen presents ts variou various s exploit exploitatio ation n techniqu techniques, es, creating arbitrary data transfer channels in the data streams authorized by a network access control system

J

It enables enables attack attackers ers to get get an an external external server shell shell from from within within the intern internal al network and and vice viceversa

J

It sets sets a TCP/UDP/HTT TCP/UDP/HTTP P CONN CONNECT ECT | POST channel allowing allowing TCP TCP data data stream streams s (SSH, SMT SMTP, P, POP, POP, etc...) between an external server and a box from within the internal network

Client

Proxy Chain

CCTT Server

Copyright O by by EG-Gllincil. All Rights Reserved. Reserved. Reproduction is Strictl y Prohibited

Covert Ch ann el Trojan: Trojan: CCTT The Covert Channel Tunneling Tool is a hidden channel tool. It provides you with many probable ways to achieve and allow arbitrary data transfer channels in the data streams (TCP, UDP, HTTP) authorized by a network access control system. A Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system. It enables attackers to get an external server shell from within the internal network and vice versa. It sets a TCP/UDP/HTTP CONNECT|POST channel allowing TCP data streams (SSH, SMTP, POP, etc...) between an external server and a box from within the internal network.

Client

Target Services

FIGURE 6.31: Covert Channel Trojan Module 06 Page 907




E -ba -b a n k in ing g Troj a n s

CEH

imttiM

tUx* l NmIm

E b a n k i n g T r o j a n s E-banking Trojans are very dangerous and have become a major threat to the banking transactions performed online. This Trojan is installed on the victim's computer when he or she clicks the email attachment or clicks on some advertisement once the target logins in to the banking site. The Trojan is preprogrammed with a minimum range and maximum range to steal. So it doesn't withdraw all the money from the bank. Then the Trojan creates screenshots of the bank account statement; the victims aren't aware of this type of fraud and thinks that there is no variation in their bank balance unless they check the balance from other systems or from ATM machines. Only when they check the balance will the differences be noticed. The following diagram explains how the attack is carried out using E-banking Trojans.

Module 06 Page 908




Malicious advertisements published among the legitimate websites

Uploads malicious advertisements

User access to infected website

Malware Server '

‘ W User redirects to malicious exploi exploitt kit kit

^

The website is redirected redirected to —• • the maNciou maNciousex sexplo ploit it kit kit 4 W

Legitimate Websites

Trojan reports for a new bot Sends instructi on to the Troj,

s.

^0

The User's PC PC exploited

^ Trojan reports user activities

Attacker

’*

r

9# !

$ | JI] |

w Instruction to manipulate banks transactions

User access bankA/C

Manipulates Manipulates user's user's bank bank transaction

■>2#

Control and Command Server A

Reports about successful/failed transaction

Financial Institution FIGURE 6.32: illustrating the attack using E-banking Trojans

Here the attacker first infects the malicious advertisements and publishes publishes these advertisements among genuine websites. When the victims access the infected website, it automatically redirects him or her to a website from where the exploit kit gets loaded onto the victim's system. Thus, the exploit kit allows the attacker to control what is loaded in the victim's system and used for installing a Trojan horse. This malware is highly obfuscated and can only be detected by few anti-virus systems. The system of the victim is now a botnet from where the Trojan easily sends and receives instruction from the control and command server without the knowledge of the victim. When a victim access his or her bank account from the infected system, all the sensitive information, i.e., used by the victim in accessing account information such as login credentials (user name password), phone number, security number, date of birth, etc. are sent to the Control and Command Server by the Trojan. If the victim is accessing the transaction section of the banking website for performing online transactions, then the data that is entered by the victim on the transaction form is sent to the Control and Command Server instead of to the bank website. The control and command server system analyzes and decodes the information and identifies suitable money mule bank accounts. The Trojan receives instructions from the control and command server to send the latest transaction form that is updated by the control and command server serv er to the bank for transferring transferr ing money to the mule account. Confirmation from the bank about successful/failed transaction of the money that was transferred is also reported by the Trojan to the control and command server.

Module 06 Page 909




B anki an king ng Trojan A n a lysi ly siss

I

CEH

(•rtifwtf (•rtifwtf

e

Trojan Trojan intercepts valid entered by a user

0

It replaces the TAN TAN with a random number that will be rejected by the bank

ItkNjI Nm Iw•

I

Q Attacker can misuse the intercepted TAN with the user's login details

Trojan creates fake f ake form fields fi elds on e-banking e-banking pages Additional fields elicit extra information such as card number and date of birth Attacker Attack er can use this information informati on to impersonate and compromise victim's account account a

Trojan Trojan analyses POST requests and responses to victim's browser

a

It compromises the scramble pad authen ticatio n

a

Trojan Trojan intercepts scramble pad input as as user enters Customer Number and Personal Access Code

Copyright © by EG-G*ancil. EG-G*ancil. All Rights Reserved. Reproducti on is Strictl y Prohibited.

B anking T roj rojan an Analysis Analysis A banker Trojan is a malicious program that allows obtaining personal information about users and clients using online banking and payment systems. A banking Trojan analysis involves the following three basic types: Tan Gabbler: A Transaction Authentication Number (TAN) is used for authenticating the online

banking transaction, which is a single-use password. The banking Trojan explicitly attacks the target's online banking services that depend on the TAN. When the TAN is entered, the Trojan grabs that number and changes that number with any random number that is incorrect and rejected by the bank. The content is filtered by the Trojan and the incorrect number is replaced in order to satisfy the target. An attacker can misuse the intercepted TAN with the target's login details. HTML Injection: This type of Trojan creates duplicate fields on the online banking sites and

these extra fields are used by the attacker to collect the targets account details, credit card number, date of birth, etc. Attackers can use this information to impersonate and compromise the target's account. account. Form Grabber: This is an advanced method of collecting data from the Internet available on the

various browsers. This is highly effective in collecting the target IDs, passwords, and other sensitive information.

Module 06 Page 910




E b a n k i n g T r o j a n : Z e u S a n d S p y E y e J

The main objective of ZeuS and SpyEye Trojans is is to steal bank and c redit card acc ount informatio n, ftp data, and other sensitive information from infected computers via web browsers and protected storage

J

SpyEye can automatically and quickly initiate an online transaction

C EH

ZeuS Control Panel Builder Configand loader tuldn g Sou c9corfig file:

SpyEye

' :i Hnri !rents and and

|

Edit conFg

] (

Bjild l d corFi corFijj

]

M

o

^^J J fl flnO nO WO

jl

Statist Stati stiic

Setti Setti ngs ngs

J

Output L00dr>3 conFlg fromfilo 1 C:\D C:\D00 jrnorts jrnorts ond aemnQSl K 0 bayaih\ Destt op\ rr oyanoJ »j: »j : AZeu5\ bM l \ ccnf 1Q. M Loodng succoododl

craacinol oader fi e\ :\ l >0: :urrentsar1c

Soltlngs\Koboya5h\DosW:op\rrovano ZouSVdr.oxo1.

bol neHMAINI

trr»r_ccnfig-3SOCOOO, 60000 tm sr J 0as-*>ui)ui). touuu trror_ 5tate- 60000 ,200000 /203.H 2.10.2/
( ’pJNMtvJa t hr! ', /*vox miorrtoft-Anvlowi 0

Ooyou*••) *anrtoMrm
CK

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

E b a n k i n g T r o j a n : Z eu euS S a n d SpyE ye ZeuS Source: http://www.secureworks.com ZeuS is a latest threat for online banking transactions as it uses both form grabber as well as keystroke logging. It is mainly spread through drive-by downloads and phishing schemes. The ZeuS botnet targets only Windows. New version of ZeuS even affects Windows Vista. It has evolved over time and includes a full arsenal of information stealing capabilities: © Steals Steal s data submitte subm itted d in in HTTP for forms ms 0

Steals account credentials stored in in the Window s Protected Storage

Q Steals clientclient-side side X.509 X.509 public key infrastructure infrastru cture (PKI) certificates certifica tes 0

Steals FTP and POP account accoun t credentials credent ials

Q Steals/ Ste als/del deletes etes HTTP HTTP and Flash cookies cooki es 9

Modifies the HTML pages pages of target websites for information stealing stealing purpos purposes es

9

Redirects targets from target targe t web pages pages to attacker attack er controlled contro lled ones

Q Takes screenshots screensho ts and scrapes HTML from target sites sites

Module 06 Page 911




9

Searches Searche s for and uploads files from the infected computer comp uter

9

Modifies the local local hosts hosts file (%system (%syste m root%\system32\drivers\etc\hosts) root%\system32\drivers\etc\hosts)

9

Downloads and executes arbitrary arbitr ary programs

9

Deletes crucial registry keys, keys, rendering the computer unable to boot into Wind Wi ndow ows s &» ZeuS Control Panel Builder Config and loader building Source config file:

IBuilder Logs decoder

1

C:\Documents and Settings\Kobayash \Desktop\ \Desktop\Troyano_ZeuSV [ Browse... Browse ...

Edit config

| |

Build config

| |

|

Build loader

Output Loading config from fie fi e 'C: \Documents and Setthgs\Kobayashi\Desktop\Troyano_ZeuS\ZeuS\local\config.txt'... Loading succeeded1 Creating loader file 'C:\Documents and Settngs\Kobayashi\Desktop\Troyano ZeuS\ldr.exe'... botnet«[MAIN] timer_conf!g-3600000, 60000 timer Jogs-60000, 60000 timer_stats timer_s tats-120 -1200000, 60000 url_config-http://203.14 url_config-http://203.142.10.2/~ytxjrtrav/web/cfg.bin url_comp!p=http://what smyp.com/ smyp.com/ Buld succeeded!

*

1

FIGURE 6.33: ZeuS Screenshot

SpyEye r

SpyEye is malicious software that is used by the attacker to steal targets' money from online bank accounts. Actually, this is a botnet with a network of command-and-control servers. This automatically triggers when the target starts his or her transaction and can even block the bank's transactions.

Spy Eye O **2009 133120

^

12/79

1 Statistic

Find INF INFO

221:

Settings

1 L I «•

Get statistic Get hosts D«V for

:

*

t

CTp»Hk*m m* http//www.m!crosoft w
9009k.c 0m ) ?

Do you really really

to ban th« hotf (wwMr. (wwMr.

OK

w.d«lm(H«*nung ■com

[

Ot m o m

]

431 427 342

•X •X •X •X •X •X •X »x •X •X

FIGURE 6.34: SpyEyeScreenshot

Module 06 Page 912




D estruc tive Trojans: M4sT3r Trojan destructive ty pe of Trojan Trojan

This Trojan Trojan formats all local and network drives drives

When executed, this Trojan destroys destroys the operating system

The user will not be able to boot the Operating System

M4sT3r is a dangerous and

C EH

Format USB Drive, network network Driv e ....

Format C:\ C:\ E:\ F: \

....

Copyright © by EG-G(Uncil. All Rights Reserved. Reproduction Is Strictly Prohibited

r

D e s tr t r u c ti ti v e T r o ja ja n s: s : M 4 s T3 T 3 r T r o ja ja n

The M4sT3r Trojan is exclusively designed to destroy or delete files from the victim's computer. Files are automatically deleted by the Trojans, which can be controlled by the attacker or can be preprogrammed like a logic bomb to perform a particular task on a given time and date. When executed, this Trojan destroys the operating system. The victim cannot boot the operating system. This Trojan formats all local and network drives.

Format USB Drive, network Drive

.....

Format C:\ E:\ F :\

.....

M4sT3r Trojan

FIGURE 6.35: Attacker using M4sT3r Trojan for deleting or destroying files

Module 06 Page 913




N otificatio otific atiorr Troj ans an s ■ Notification Trojan Trojan sends sends the location location of the victim's IP address to the attacker B

Whe neve r the victim's victim's computer computer connect connects s to the Internet, Internet, the attacker attacker receives receives the notification

Notification Types ■>

SIN Notification

Directly notifies the attacker's server

■>

ICQ No Notification

Notifies the attacker using ICQ channels

»

PHP Notification

Sends the data by connecting to PHP server on the attacker's server

■>

E-Ma E-Mail il Noti Notifi fica cati tion on

Sends the notification through email

Victim

}■

>

Net Send

Notification is sent through net send command

Infected with Trojan

j.

.»

CGI Notification

Sends the data by connecting to PHP server on the attacker's server

•>

IRC IRC notifi notificat cation ion

Notifie Notifies s the the atta attacker cker usin using g IRC IRC chan channe nels ls

Copyright © by EG-Gouncil. All Rights jie$erv6
N o t i f i c a t i o n T r o j a n s Notification Trojans send the IP address of the victim's computer to the attacker. Whenever the victim operates the system, the notification Trojan notifies the attacker. Some of the notifications include: © SIN Notification: Directly notifies the attacker's server 0 ICQ Notification: Notificati on: Notifies the attacker using using ICQ channels 0 PHP Notification: Sends the data by connecting to PHP server serve r on the attacker's server 0

Email Notification: Sends the notification through email

0 Net Send: Notificati on is sent through net send command © CGI CGI Notification: Notifi cation: Sends the data data by connecting connectin g to PHP serveron serveron the attacker's server © IRC notifica noti fication: tion: Notifies Noti fies the attacker attac ker using using IRC channels chann els

Module 06 Page 914




C red re d it Card Car d Troj Troj a n s

CEH UrtifW

Credit card Trojans steal victims' credit card relate rel ated d data such as card no., no., CVV2, and billing details

Attacker A

itkMl lUckw

:

Credit card Trojans trick users to visit fake ebanking websites and enter personal

w

information

<

Victim A

Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other

VISA

methods

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

C r e d it it C a r d T r o j a n s Credit card Trojans, once they are installed on the victim's system, collect various details such as credit card numbers, latest billing details, etc. Then, a fake online banking registration form is created and they make the credit card user believe that it is genuine information from the bank bank.. Once the user enters the required information, attackers collect the information and use the credit card for personal use without the knowledge of the victim. Credit card Trojans steal victims' credit-card-related data such as card number, CVV2s, and billing details. These Trojans trick users into visit fake e-banking websites and entering personal information. The Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods.

Module 06 Page 915




FIGURE 6.36: Attacker stealing credit card information of victim's using credit card Trojan

Module 06 Page 916

Ethical Hacking and Counte rmeasu res Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.



D ata Hiding Trojan s (Enc rypted Trojans) Encryption Trojan encrypts

Attackers demand a ransom

data files in victim's system and renders information

or force victims to make purchases from their

unusable

online drug stores in return

"Your computer computer caught our

for the password to unlock files

software while browsing browsing 'Do not not try to search

illegalp o m pages, pages, all your your

for a progr program am that

docu docume ment nts, s, textfiles, databas databases es in the folder

k

/

M y Documen Documents ts was wa s encrypted with complex password."

Confidential Documents

Company Database C♦♦source ♦so urce code Personal Information

Financial Information Important Files & Folders F

(S - -

w

encrypted your

™ >information - it ' simply does not exists inyou our hard disk anymore," pay pa y us the money to

unlock the passwor password d

Copyright © by EC-CMICil. All RightsJte$erv fei;Rep roductio n is Stric tly Prohibited.

D ata H iding iding Trojans (Encryp ted Trojans) Troj ans) Encryption Trojans encrypt the data present on the victim's computer and renders the complete data unusable: "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was encrypted with complex password." Attackers demand a ransom or force victims to make purchases from their online drugstores in return for the password to unlock files: "Do not try to search for a program that encrypted your information - it simply does not exists in your hard disk anymore," pay us the money to unlock the password." This can be decrypted only by the attacker, who demands money, or they can force the user buy from a few websites for decryption.

Module 06 Page 917




OS X Trojan Trojan:: C r is isis is B

CEH

OSX.Crisis is a Trojan horse horse that steals steals potentially confidential informatio n and opens a back door on the compromised computer When the Trojan is executed, executed, it creates the following directories and files: /System/Libra /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server. xpc/Contents/MacOS/com.apple,mdw orker_server /System/Libra /System/Library/Frameworks/Foundation.framew ry/Frameworks/Foundation.framework/XPCServices/com.apple.nndworker_server.xpc/Conten ork/XPCServices/com.apple.nndworker_server.xpc/Contents/Resources/ ts/Resources/ $HOME/Library/LaunchAgents/com.apple.mdworker.plist $HOME/Library/Preferences/jl3V7we.app $HOME/Library/ScriptingAdditions/appleHID/Contents/lnfo.plist $HOME/library/ScriptingAdditions/appleHID/Contents/MacOS/IUnsA3Ci.Bz7 SHOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Crisis Crisis may perform the following actions:

1--------------------------- V Monito r Skype Audio traffic

Record conversations in MS Messenger and Adium

Monit or Safari or Firefox Firefox to record websites and capture screenshots

Send files to the command and control server

_

J i


■

mi

OS X Tro jan: C risis

OSX.Crisis is a Trojan horse that steals potentially sensitive information that is on the victim's system and opens a back door on the compromised computer (victim's system) for future attacks. When the Trojan is executed, it creates the following directories and files:

/ Syst em/ Li br ar y/ Fr amewor ks/ Found Foundat at i on. on. f r amewor k/ XPCS PCServi er vi ces/ com. app appl e. mdwor ke r _ ser ver .xpc/ Cont ont ent ent s/ MacOS/ com. app appl e. mdwor ker _s er ver / Syst em/ Li br ar y/ Fr amewor ks/ Found Foundat at i on. on. f r amewor k/ XPCS PCServi er vi ces/ com. app appl e. mdwor ke r _s er ver ver .xpc/ .xpc/ Cont ent s/ Resour sour ces/ ces/ $HOME/ Li br ar y/ Laun LaunchA chAgent ent s/ com. app appl e. mdworke or kerr . pl i st $HOME/ Li br ar y/ Pr ef er ences/ ences/ j 13V7we.ap e.app $HOME/ Li br ar y/ Scr i pt i ngAddi t i ons/ appl eHI D/ Cont ent s/ I nf o. pl i st $HOME/ Li br ar y/ Scr i pt i ngAddi t i ons/ app appl eHI D/ Cont ent s/ MacOS/ l UnsA3 sA3Ci .Bz7 .Bz7 $HOME/ Li br ar y/ Scr i pt i ngAddi t i ons/ appl eHI D/ Cont ent s/ Resour sour ces/ ces/ appl eOsax. sax. r The following are the actions performed by the OSX.Crisis: 9

Monito r Skype audio traffic

Q

Monito Mon itorr Safari or Firefox to record websites and and capture screenshots

0

Record conversations conver sations in in MS Messenger Messenge r and Adium

9

Send files to the command and control server

Module 06 Page 918




MAC OS OS X T rojan: rojan : DN SC han hanger ger

c EH (•rtifwtf

ithnai Nm Im

jan uses uses social social engineering engineering techniques to make make user users s download download the the progra program m and and run run maliciou malicious s code code

The malware modifies the DNS settings of the active network. The users are forced to download codecs or other movie downloads through QuickTime, etc. Once the download is finished, then the Trojan is attacked, resulting in slow access to the Internet, unnecessary ads popping up on the screen of the computer, etc. This Trojan uses social engineering techniques to make users download the program and run malicious code.

FIGURE 6.37: Attacker injecting MAC OS X Trojan in victim's system through downloads and prompt

Module 06 Page 919




MAC OS XTrojan: DNSChanger (C o n t’d )

Q £H UrtifM ifM| IthKJi lU ckM

MAC OS OS X Trojan : D N SC hang er (C ont’ ont’d d) After the user downloads the false codec, the process of tricking and retrieving the user's information continues as follows: 0

DNS settings: Local machine's DNS settings are changed to attacker's IP address

0

Afte r the fake codec is installed, a video is played so as not not to raise Playing a video: After suspicions

9

HTTP message: A notification is sent to the attacker about the victim's machine using an

HTTP post message 9

Hackers take complete control of the victim's MAC OS X computer Complete control: Hackers

Module 06 Page 920




M ac OS X Trojan: Hell R aiser

C EH (■WM

I

■

HMu Mul Had■•

Hell Raiser allows an attacker to gain access access to the victim system and send send pictures, pictures, pop up chat messages, messages, transfer files files to and from the victims system, completely mon itor the victims operations, etc.

Chat interface U6CT nAXQftO «

DC

DC

Victor's parameters parameters ;17*S

(________ OSCONNtCT________

* 1HI to■ ►•*•dlXh •finng< 1(1to• p«n«m n 0 0 1 •»»!•

— 5.it

.

...

----•jt

----

Note: The complete coverage of MAC OS X hacking is presented in a separate module Copyright 0 by IG Council. All Rights Reserved. Reserved. Reproduction is Strictly Prohibited

M ac OS X Trojan: Hell R aise r Hell Raiser is malware that gets onto the victim's system when clicked on, the user it is an innocent file. Once access has been gained to the victim's system, the attacker can send pictures, pop-up chat messages, can transfer files to and from the victim's computer, and even can turn ON and turn OFF the system from a remote location. Finally, victim operations can be completely monitored.

Modu le 06 Page 921

Ethical Hacking and Counte rmeasu res Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.



Troj a n A n aly sis: F lam e

CEH

Flame, also known as Flamer, sKyWlper, or Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system The malware is used for targeted cyber espionage in Middle Eastern countries Flame can spread to other systems over a local network (LAN) or via USB stick It can record audio, screenshots, keyboard activity, and network traffic The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices

Copyright O by E6-6« ncil . Ail Rights Reserved. Reproduction is Strictly Prohibited.

& gN

O

> Tro jan A nalysis: nalysis: Flam e Source: http://www.kasperskv.com

Flame, also known as Flamer, sKyWlper or Skywiper, is modular computer malware that attacks computers running the Microsoft Windows operating system. This malware is used for targeted cyber espionage. It can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity, and network traffic. It also records Skype conversations and can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. The following diagram depicts how an attacker succeeds in installing Flame on a victim's system.

Sends data to attacker

«»

Attacker

o ©

©

Sets command and control center

Redirects to malicious server .................

J © Malware Server

©

* ••

©

Downloads a malware

Provides a i nstruction to get data

@>

Command and Control Center

f) U

M

■ m

3

©

Infects other hardware in LAN.

Infected Hardware in LAN

In order to inject a Trojan onto the victim's system and to gain sensitive information, attackers first set a command and control center and a malware server. Next, the attacker sends a

Module 06 Page 922




phishing email to the victim's system and lures him or her to open the link. Once the attacker opens the link, he or she is redirected to the malicious server. As a result, the malware gets downloaded onto the victim's system and the system is infected. This infected machine infects the other hardware connected on the LAN. Thus, the commands from the control and command center are sent to and received from the infected hardware LAN. According to the received commands, the infected hardware LANs send the data to the control and command center.

Module 06 Page 923




Troj a n A n aly sis: F lam e

c gh

(C on t ’d)

The Flame C&C infrastructure, which had been operating operating for years, w ent offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week

Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012

During the past 4 years, servers hosting the Flame C&C infrastructure infrastructure moved between multiple locations, including Hong Kong, Turkey, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland

The Flame C&C domains were registered with a list of fake ident ities and with a vari ety of registrars, registrars, going back as far as 2008

*- —

According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific

0

B B

The Flame attackers seem to have a high interest in PDF, Office, and AutoCad drawings

The data uploaded to the Flame C&C is encrypted using relatively simple algorithms; stolen documents are compressed using open source Zlib and modified PPDM compression

Windo ws 7 64 64 bit, which we previously recommended as a good solution against infections infections with other malware, seems to be effective against Flame

htp://www.kaipersky.com Copyright O by E6-6« ncil . Ail Rights Reserved. Reproduction is Strictly Prohibited.

Tro jan A nalysis: nalysis: Flam e (C ont’ ont’d) d) Source: http://www.kasperskv.com Kaspersky Lab summarizes the results of the analysis about Flame as follows: 9

The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence recently.

9

Currently Curre ntly there are more than 80 known domains used used by Flame for C&C servers and its its related domains, which have been registered between 2008 and 2012.

9

During the past four years, servers hosting the Flame C&C infrastructure infrast ructure moved between betwe en multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland.

9

The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.

9

According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific.

9

The Flame attackers seem to have a high interest in PDFs, Office, and AutoCad drawings.

9

The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.

Module 06 Page 924

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.

Ethical Hacking and Counterm easures Trojans and Backdoors

Exam 312-5 312-50 0 Certified Ethical Hacker

Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.

Module 06 Page 925




F l a m e C & C S e r v e r A n a l y s is is

CEH

(«rt 1fw4

It kNjI lUilwt

Flame's C&C Server was running on 64-bit Debian 6.0.x OS under OpenVZ and using PHP, Python, and bash programming languages with MySQ L database on Apache 2.x 2.x web server

JW«PP«

*!..■► •*.

with self-signed certificates It was accessible over the HTTPS protocol, ports 443 and 8080 The document root directory was /var/www/htdocs/, which has sub-directories joaa joaa'itl 'itl 'jgff»»PTOt Maa4e»X

and PHP scripts An infected machine was controlled using a message-exchange mechanism based on data

Contents of the /var/www/htdocs/ne wsforyou/ directory Control !*unci

containers files

l » •

* :V

•' •

UaM »*-

Donmlonil da l j

Control panel interface http://w w w.kasper sky.com

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

S p Flam e C&C C &C Server A nalysi nalys i s Source: http://www.kaspersky.com Flame's C&C Server was running on 64-bit Debian 6.0.x OS under OpenVZ and using PHP, Python, and bash programming languages with MySQL database on Apache 2.x web server with self-signed certificates. This server configuration was a typical LAMP (Linux, Apache, MySQL, PHP) setup. It was used to host a web-based control panel as well as to run some scheduled fully automated scripts in the background. It was accessible over the HTTPS protocol, ports 443 and 8080. The document root directory was /var/www/htdocs/, which has sub-directories and PHP scripts. While the systems had PHP5 installed, the code was made to run on PHP4 as well. For example, /var/www/htdocs/newsforyou/Utils.php has the "str_split" function defined that implements the "str_split" function logics from PHP5, which was not available in PHP4. The developers of the C&C code most likely implemented compatibility with PHP4 because they were not sure which one of two major PHP versions would be installed on the C&Cs.

Module 06 Page 926



Module 06 Page 927





F l a m e C & C S e r v e r A n a ly l y s is is

r

(Cont’d)

u

Certified ified | ttfcxjl »U*b« »U*b«

0 C&C can understand several communication protocols including OldProtocol, OldProtoco lE, SignupProto col, and Red Protocol to talk to different different clients clients codenamed SP, SPE, FL, and IP

C O M M A N D A N D C O N TR TR O L S E R V E R FL (Flame) PROTOCOLS

t>

L

OldPRotocol

•->

OldProtocollE

RedProtocol Not yetimplem lemented ted

CLIENTS

1

HTTP, HTTPS

i :

i

■f> SignupProtocol

____ is__ ____ ____ ____ __

Clients and Protocols relations found in this Flame C&C

http://w w w .kospersky .com

Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Flam e C&C C&C S erver A nalysis (Cont’d (Cont’d) Source: http://www.kaspersky.com C&C can understand several communication protocols including OldProtocol, OldProtocolE, SignupProtocol, and RedProtocol to talk to different clients codenamed SP, SPE, FL, and IP. A typical client session handled by the C&C started from recognition of the protocol version, then logging of connection information, followed by decoding client request and saving it to the local file storage in encrypted form. All metadata about files received from the client was kept in a MySQL database. The C&C script encrypts all files received from the client. The C&C uses a PGPlike mechanism to encrypt files. First, the file data is encrypted using the Blowfish algorithm in CBC mode (with static IV). The Blowfish key is generated randomly for each file. After file encryption, the Blowfish key is encrypted with a public key using asymmetric encryption algorithm from the openssl_public_encrypt PHP function.

Module 06 Page 928




COMMAND COMMA ND AND CONTRO CONTROL L SERVER FL (Flame) PROTOCOLS OldPRotocol

SP CLIENTS

— RedProtocol Not yet implemented



|

SPE

IP



G I

■>

OldProtocollE OldProt ocollE

Internet: HTTP, HTTPS

■>• SignupProtocol

FIGURE 6.39: Clients and protocol relations found in this Flame C&C

Module 06 Page 929




Trojan A n alys al ysis is:: SpyEye J

CEH

The Trojan mak es use of use r m ode roo tkit te ch niq ue s to hide both its re gis try key located \ns\deHKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\Current configuration on Version\Run and the folder containing the Trojan executable and the configurati file config.bin

J

The fol de r is u sual ly loca ted in th e roo t dir ec to ry of t he dr ive wh er e t he ope rati ng system is located

SpyEye is able to inject code in running processes and can perform the following

iri •A C YWflHXAV e4|* bl)|WlNINt I CVw»CKM5\5»xccr0:^#l0Cw0!458|\s lNINET dlH11PS0nJl.dllN >Jl. dllNlQuw|On lQuw|On*ctcn *ctcnFU FU C\^»JW^5 \wt«22«^nk>ooaoxc(&<0ir*dl.dllN(Ro0ir«Tlro:d C \W*MXM\^l« *G\*nbpm.x (UO] (U O] rMI r MI p1rncli.(< C V1 n00w s\^<1»n32l», nlooor1axc(&40] CPrPT CPr PT 32.dl'FF>:lnpor1C F> :lnpor1C©11$tCfe C\ÎNOOw/S\1yatefnX^nb C\ÎNOOw/S\1y atefnX^nboor\exfl oor\exfl &*Clj USER32 dl 11aruto!eMe*M0; C VW*C»ON'/S\jv*1»r..S2V^r1lt»yc»rw#x*{&*0)WS2_32dl ivr d CV.vlfJOOWSNMWttiS^nbooaaxeiEÔjv/ININEr.dlllrttoiiwtQuooOoiiwtf -V/!ylHOCN -V/!yl HOCNVj\ty5lB1n^V»nbgQrvexe{fciOJWINIME Tdi ll litf-fJprt1f l1*|1*?1W CVWt®Ow S\^t S\^ter erH H 2^ nbgor^x»{&*01WINIMEr.dllHK1/vjtPtq^«HB. C V/»» OWS\»y«le1»32\>»nbo0f\exc(6
functions: © Capture network traffic t> Send and receive network packets in in order order to bypass application firewalls e Hide and and prevent access to the startup registry entry e Hide and and prevent access to the binary code

//H/ l'iA Ud/ n *POBAEBXB EBXB 772118D68Bv<09J M& 06/£E29t

7C90D9TC0 Byte* WPO&tDKSB

7C30C-F9E8B*■*. JMP0 &E2D C2

7C90E4$c9 B*ec

»'P:BAP50^

?D30E 5D9 B Bytoi jMP 0B*O7: CS 7C30E9758 JkFC8«2E78

WJMPC PCBA0n3JI 7&3)2?7 8ByWJ

77DnfEB0n>r, JMTT^&r^n 77AEF74B8 S/ « J KF: BW E8 > 77D48f:ll 0f:y*-. JMPQBA0930: 7lAB42a&8B,«.v .KP<»*£AS5 77IB81A788*et J»«F C8*E?8«D 771C4ACSBB>*e1 MP0B4£/Asa 771C54CA8B,t»r .HP<*Oi>S33 771C61DC8Byle1 JMP0F /C9415 771C?68B5 0/h [EB. 01.C\ 01.C\ E5 E5 7 77IC768E2B *et )•1.941&XH G E _

API functions hooked by the Trojan within the winlogon.exe virtual address space

© Hide the own process on injected processes e Steal information information from Internet Explorer Explorer and Mozilla Firefox

http://techblog.avira.com Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

A

T ro r o ja ja n A n al a l y si sis : S p y E y e Source: http://techblog.avira.com

The Trojan makes use of user mode rootkit techniques to hide both its registry key located inside HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Run and the folder containing the Trojan executable and the configuration file config.bin. The folder is usually located in the root directory of the drive where the operating system is located. SpyEye is able to inject code in running processes and can perform the following functions: 9

Capture network traffic

0

Send and and receive network netwo rk packets in order to bypass application applicat ion firewalls firewa lls

Q

Hide and prevent prev ent access access to the startup registry entry

Q

Hide and prevent prev ent access access to the binary code

9

Hide the own process process on injected processes

e

Steal information from Internet Inte rnet Explorer and Mozilla Firefox

Module 06 Page 930




The following API functions are hooked by the Trojan within the winlogon.exe virtual address space: text text text text text text text .text text text text text .text text text text text text

C:\WINDOWS\System32Salgexel4681WININETdllMnternetReadFileExA C:\WINDOWS\Sys tem32\alg exe[468] WININET dlllHttpSendReq dlllHttpSendRequestW uestW C: \WI N D 0 WS \sys tem32\winlogon. exe[840) ntdll dll! N tE numerateV numerateV alueKey alueKey C: \WI N D 0 WS \sys tem32\winlogon. exe[640j ntdll. dll! dll! N IQuetyD irectotyFile irectotyFile C:\W I N D 0W S\system32\w1nlogon exe[640j ntdll dll! N tR esumeT esumeT hread hread C: \WI N D 0 WS \sys tem32\winlogon. exe[640j ntdll dll! N tS etl etl nformationFile nformationFile C AWIN D 0 WS \s ystem32\winlogon. exe[640] ntdll. dll! dll! N tVdmContro tVdmControll C: \WI N D 0 WS \sys tem32\winlogon. exe[640j kernel32. dll! dll! Flushl Flushl nstructionCache C:\W I N D 0 WS \sys tem32\winlogon. exe[640] A DVA R 32. dll! CtyptE CtyptE ncrypt C:\W I N D0 WS \sy stem3 2\winl ogon. ex e[840] CRYPT 32. dll! dll! PFXI PFXI mportCertS mportCertS tore C:\W I N D0 WS \sys tem32\ winlo gon. exe[ 640] US ER 32. 32. dll!T ranslateM ranslateM essage C:\W I N D 0 WS \sys tem32\winlogon. exe[640] W S2_32. dll! send send C: \WI N D 0 WS \sys tem32\winlogon. exe[640] Wl NIN E T. dll! dll! I nternetQ nternetQ uetyO uetyO ptiorA C:\WIND0WS\system32\winlogon. exe[840] WININET dll! H ttpO penR equestA C:\WIND0WS\system32\winlogon. exe[840] WININET dll! H ttpAddR equestH e. .. C:\W I N D 0 WS \sys tem32\winlogon. exe[640] W l NIN E T dll! I nternetCloseH andle C:\W I N D0 WS\sy stem32\winlo gon exe[640) Wl NIN ET dll! HttpS endR equestA C:\WIND0WS\system32\winlogon. exe[640] WININET dll! HttpSendR equestA .

771F7E9A 8 Bytes Bytes JMP 0BAEB2E6 77211808 8 Bytes JMP 0BAEE296 7C90D97G 8 Bytes J MP 0BAD769B 7C90DF5E 7C90DF5E 8 Bytes JMP 0BAE2DC2 7C90E45F 8 Bytes J MP 0BAF1507 7C90E5D9 8 Bytes Bytes JMP 0BAD73E5 7C90E975 8 Bytes Bytes JMP 0BAE2E78 7C839277 8 Bytes JMP 0BAD7831 77DF15 58 8 Bytes J MP 0BAEA0E1 77AEF748 8 Bytes JM P 0BADE8QA 77D48BCE 8 Bytes JMP 0BAD930C 71AB428A 8 Bytes JMP 0BAEA9B5 771B81A7 8 Bytes JMP 0BAE7B9D 771C4AC5 8 Bytes JMP 0BAE7A88 771C54CA 8 Bytes JMP 0BADA638 771 CGI CGI DC 8 Bytes JM P0B AE8 415 771C76B8 5 Bytes [EB. 01, C3. E9. 7. 771C76BE 771C76BE 2 Bytes Bytes [92, 94] {XCHG E

FIGURE 6.40: 6.40: API functions hooked by the Trojan within the winlogon.exe virtual address space

Module 06 Page 931




Trojan Trojan A nalys na lysis: is: SpyEye

CEH

(Cont’d)

After execution the Trojan connects to a pu s h push push pu s h pu s h le a pu s h push push call leaue retn

server and sends sends some information abo ut the system to the server like: © MD5 of the executed sample 6 Operating system version © Computer Co mputer name 9 Internet Explorer Explorer version version 8 Username © Version number of the malware

□ □ □ ^

sv svchost exe svchoste svchostexe xe svchost exe System stem System Z ] Syste System ^ System stem System ^ wn wniogon exe

1096 1272 1052 4 4 4 4 4 660

UDP UDP UDP TCP TCP TCP UDP UDP UDP TCP

eax i*i*6547i*Bh 4969h 3367h 5 047h e c x , [ e b p - 1C 1C h ] e cx d u o r d p t r [ebp-OCh] duord ptr [ebp-10h] sub 42F851

Malware is packed with UPX and a polymorphic decryptor

00e5f6a15 00e5f6e15 00e5t8a15 00e5f$al5 00e5#6a15 00e5#6a15 00e5f6a15 00e5t6a15 00e5t6a15

1034 1900 1032 nettxos-ssn rwcfosoftck netb»os-«$ netb*os-dgm rmcjosottds 1083

■ 00e5f$a15 00e5f6a15 ■

0 0 ■

■ reve*se-mtl-76-76-98-82gogax 8-82gogax com

■ https https

USTENING USTENING

sy n . s e n t

Malware injected piece of code within winlogon.exe virtual address space

http://techblog.avira.com ----------

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Tro jan A nalysis: SpyEye (Co nt’ nt’d d) Source: http://techblog.avira.com After execution, the Trojan connects to a server and sends some information about the system to the server such as: 0

MD5 of the executed sample

0

Operating Operatin g system version

0

Computer name

0

Internet Explorer version

0

User name

© Version number of the malware malwa re 3 □ □ ID 3

svchost exe sv svchost exe svchost.exe System System stem System ^ System stem ^ System stem ^ winlogon exe

Z3

1096 1272 1052 4 4 4 4 4 660

UDP UDP UDP TCP TCP UDP UDP UDP TCP

00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15

1034 1900 1032 netbios-ssn mciosoft-ds netbios-ns netbios-dgm rmciosott-ds 1063

 ■ ■ 00e5f6a15 00e»6a15 ■ ■ reve»se-mtl*76-76-9882 gogax co com

" " 0 0 “ " " hltps

USTENING USTENING

SYN_SENT

FIGURE 6.41: 6.41: Malw are injected piece of code within winlogon.exe virtual virtual address space

Module 06 Page 932




Malware is packed with UPX and a polymorphic decryptor. In the code snippet that follows, you can see a call to another routine after the end of the usual UPX decryption: call sub 42F851. push push p us us h push push push le a push p u sh sh p us us h call leaue retn

eax 4 4 65 1 *7 4 Bh 4969h 3367h 5 047 h ecx, [ebp-1C h] ecx dijord p t r [ e b p -O -O C h ] d u or or d p tr tr [ eb e b pp - 10 1 0 h] h] s ub u b J *2 * 2 F 85 85 1

FIGURE 6.42: 6.42: Malw are is packed with UPX and a polymorphic decryptor

Module 06 Page 933




T rojan A na lysis: lysi s: Zero A ccess

CEH

(«rt1fw4

itfcwal NmIm

ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud It arrives through various vectors, including web exploit kits and social engineering attacks, and uses low-level rootkit functionality to remain persistent and stealth ZeroAccess downloads fake security software, performs click fraud and search engine poisoning

SSSE39

jwon:

lcclearn ■Uddtot Novkt

Example advertisement for the Clicklce payper-dick network

I-Ortt

*v»x *v»xi5

U

• ckklic Pay Per dtk Dear sirs! W* proud to armour*.• 4 ••* modem tokAum h• POC 04ffc.. 04ffc.. caf ed Cfecklc* PPC clickicocom CMcklce Teamncfcides professionals of vanous lie kJs. who are woriong ever y day to make th« PPC eve n better t or you. Apart fromgenerous bids. Cbddce P K offers you tf*e fo*o*nng: 1. Advanced f*«d vvrwon 2. Our 2. Our admnntratrve nter faee m rixies a number or uOMies for traffic proeesartg. S. To *•irjjlify your work «Mth 6tat *tK t, >t * pouAitv to choo•• CMf-baMd lira• »Uft for it. 4. An entire eoaecttcn of feeportcan be reached via ICQ. live Chat, e*mal or ticket system.

Just give ve it a try try and then then make an informed decis decision. ion. :) dcbce.com

http .//w symantec.com //w ww.syman Copyright © by EG-G*ancil. All Rights Reserved. Reproduc tion Is Strictly Prohibited.

Tro jan A nalysis: nalysis: ZeroA ccess Source: http://www.symantec.com ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud. ZeroAccess uses low-level rootkit functionality to remain persistent and stealth. It arrives through various vectors, including web exploit kits and social engineering attacks. Although ZeroAccess contains generic backdoor functionality that could be used for multiple purposes, it has been observed downloading fake security software, performing click fraud, and searching engine poisoning. Click Click fraud schem e

Upon infection, ZeroAccess will install additional payload modules, downloaded through its back door. Generally, this is an executable that performs click fraud. This click fraud scheme has been observed to utilize more than one pay-per-click affiliate network. Advertisers sign up with ad networks that in turn contract website owners who are willing to display advertisements on their websites in exchange for a small commission. The ad networks charge the advertisers for distributing and displaying their ads and pay the website owners a small commission each time a visitor views (pay-per-view) or clicks (pay-per-click) on the ads.

Module 06 Page 934




• d c k l c e P a y P e r C f ck ck Dear Srs!

We are proud to announce a new modem solution for PPC traffic, caled Ckcklce PPC clickice.com CUcklce Team includes professionals of various fields, who are worlung every day to make this PPC even better for you. Apart from generous bids, Clicklce PPC offers you the folowrx): 1. Webmasters Advanced feed version. 2. Our administrative administrative interface includes a number of utihbes for tra ffic p rocessng. 3. To swnplify your work with statistics, it is possible to choose GMT-based dme shift for it. 4. An entire collection of feeds is provided (Php feeds, Pubfcc Feeds, Image feeds, JavaScript and XML feeds). 5. Databases of specialized keywords are provided; it is also posstole to obtavi mche-specific customized keyword bases free of charge based on webmaster's cnteria. 6. Our support can be reached via ICQ, Live Chat, e-mail or tick et system.

Just give it a try and then make an informed decision. :) cbck 1ce.com

FIGURE 6.43: Example advertisement for the Clicklce pay-per-click network

Module 06 Page 935

Ethical Hacking and Counte rmeasu res Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.



T r o j a n A n a l y s is i s : Z e ro ro A c c e s s (Cont’d)

J

In addition addition to generating revenue through through pay-per-click networks, ZeroAccess hijacks user's searches

C EH Urt1fw4

ilhi ul

lUtbM lUtbM

An example of returned HTML can be seen below

When an infected user searches in popular search engines, (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following:

f uncti uncti on Form FormatRed atRedii rect( ref , t i t l e) { body body = " > " + t i t l e + " " ;

http: //suzu //suzuki 111x 111 [ . ] an/r/re an/r/redir direc ect. t.php ?Xd=9de5404ac67a404a0ela775f212cd210 &u=198&cv=150&sv=15&os=501.804.x86 86

AddPage("w AddPage(" www.googl .goo gl e. com co m. hk/ sear ch?q=car &hl =zh- CN&sour ce= hp& hp&gbv= gbv=l ", 2, 2, nul l , 0, "HTTP/ "HTTP/ 1.1 200\r 200\r \ nConn onnect ect i on: on: cl ose\r \ nCach nCachee- Contr Contr ol : nono- cache cache\\ r\ nPragm nPragma: no- cache\ cache\ r \ nCon nContt ent ent Lengt Lengt h: " + body.l ength ength + "\ r\ n\ r\ n" +bod +body);

This causes an additional pop-up window or tab to be created, the new window or tab will contain search results for the original search query with hijacked links or additional content

} Format Redi edi r ect( "kozanekozasea "kozanekozasearr chsys t er n. com/ ?searc ?s earc h=car &subi d=198& 198&key=4 15db60c8aa81c 0bed€8", "car ") ;

http://www.symontec.com Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

ggjj T rojan A na lysis: Ze roA ccess (C on t’d) t’d) Source: http://www.symantec.com In addition to generating revenue through pay-per-click networks, ZeroAccess hijacks users' searches. When an infected user searches in popular search engines (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following: http://suzukimxml . lcn/r/redirect.php?id=9de5404ac67a4 lcn/r/redirect.php?id=9de5404ac67a404a0ela775f212cd210&u=19 04a0ela775f212cd210&u=198&cv=l 8&cv=l 50&sv=15&os=501.804.x86 This causes an additional pop-up window or tab to be created. The new window or tab will contain search results for the original search query with hijacked links or additional content. An example of returned HTML can be seen as follows.

Module 06 Page 936




1:

f unct i on Fo For mat Redi r ect( r ef , t i t l e) { body = " ad> " + t i t l e + " head> " ; AddPage("w AddPage("www. googl googl e. com. hk/ s ear ch?q= ch? q=car &hl =zh- CN&sour ce= hp& hp&gbv=l " , 2, nul l , 0, " HTTP/ TTP/ 1. 1 200\ r \ nConnect i on: cl ose\ se\ r \ nCach nCachee- Cont ont r ol : no- cach cache e\ r \ nPr agm agma: no- cache\ cache\ r \ nCont ont ent ent Len Lengt h: " + body. l engt h + " \ r \ n\ r \ n" + body) ;

4:

}

For mat Redi edi r ect (" kozan kozanek ekoza ozasea searr chsys t em. com/ ? s ear ch=car &s ubi d=l 98&key= key=4 15db60c8aa81c 0bed6 ed68" , " car ); FIGURE 6.44: An example of returned HTML

Module 06 Page 937




T r o j a n A n a l y s is i s : Z e ro ro A c c e s s

(Cont’d)

| f5 f5 ET ET / o a n p 9 1 l c m / ? 4 H T T P / 1 . 1 Host: lovrru3tard.org yL U s e r -A -A g e n t : H o s i l l a / 5 . 0 A c c e p t: t: t e x t / x m l , a p p l i c a t i q A c c e p t - L a ng ng u a g e : e n - u s , e n ; q = 0 . 5 A c c e p tt- E n co c o d i ng ng : g z i p , d e f l a t e Accept-Charaet: ISO -8859 -1,utf8 ;q-0.7,*;q*0.7 Keep-Alive: 300Connection: keep-alive

Main Attack URL

Ie1n, tet eUxS;St; / hr vt ms l .l8; .q1*.01 .39), t Ge xe ct /p/kpol/2/2a 0i n0 8; q030301. 18

•chtxnlxbodvxd iv id - ' w a g 'x / d i v x d i v i d - lat x / d i v x d l v < a ! v l d = r a j > < / d lv lv xc x c l 1 v| v| ^ T W ^ S b 2 7 ^ t; u , . a , c t , o , . k , , , h , i . e . a c c e p t -e -e n c o d l n g : p a « _ ' 1 -1 1 .1 content-type: appii 0 ; q < h ; q + + ) ( o + - p ; c f . c h a r js e r -A g e n t: m __ o z i111 11 aa/ 4 . 0 C ( j / a ) ; k - p a t . s e I n t ( c , 1 6 ) ; « H o s t : l o v r f n u s t a rd rd . o r ! A c ce p t:t: t e x t / h t m l , ? m a g e /g /g i (a m p , fid ); K a fb Q 3 L k Y7 8 Y « f ' ; lei■ i■ 7 ;ab s= cu n(p ya ,leic o n n e c t i o n : k e e p - a l i v e

11

( ^H fertifM | EUkj I IlMkM

Fire fox /2.0.0.13 ,lm age/png,»/ ;q-0.5

1x/div; i d - ’ £rv ' x / d i v x d i v i d - fu fu d ' x / d i v x d i v i d - ’h a g 5 5 60 60 4 ^6 ^6 01 01 0 0 0 ;! ;! 0 . : 5 5 5 2 0 6 5 1 ; .' <05 51 .,| H T T F / 1 .1

Second Stage Exploits

200

U o p . a v e ) ; u m » - ' Q IP IP 5 b 5 79 79 0 h t t p / 1 - 1 ok [ o u l ] ; f u n c t i o n s h h ( u ) ( r e j a t e : T u e. e. 2 5 O c t 2 01 01 1 1 5 : 1 9 : 2 0 GMT v , p , » , £ , r ; a - ' P t d 8 E a m l l E 4 ; e r v < > r : A p a c h e / 2 . 2 . 1 7 ( U n i x ) p h p /5 .2 .1 ? k p h p / po w er ed -B y: 5 . 2.17 Jun ction 3 ay(v,w,k) (var .ontent-Length: 4096 (v,y) > functio ion 0 rc(0 )(vajr| -orrtep ‘ - . ' - ■ ■ 1/^15Vce4c^T84r3r 52 dO c 5 7 0 7 0 4 5 e 02 02 5 4 5 4 0 1 0 7 5 c 5 0 0 3 ; 1 ; 52 54 4cr {SW5^ fT^ 7 0 1 0 2 O dO (g,4) ;ca a' 'cl)an g 261n '; d r u 61n T ° " t ! |u | u 5 e r A g en en t : m 071 1 7 1 1 W 4 . 0 ( * 1 m i aw aw 5 xp xp 5 . 1 ) i l l [x ]; a ■ ♦ ■ ♦ )( If (q C 1 ! (b a r[a [a j [ < - c a c ô s t :: T d . org \ 10o w u s t a rrd. 1/ 3 , s , k , r , a ; 1 - '0 '0 5 7 5 0 0 7 76 76
ZeroAccess Download Download

m ,a;9 ;9'■L d 8 E m 6 Q v, k , z, x ,v, 3, h ,1 ' “ ,51•K (» ,8 );d -m Y 9 g 4 a 5 b 8 a t 3 I d w . iff(w (w )(vac k ,y ,s,n ,u,r, z *

(r, 3);

m p Tue, / 1 • 1 25 20 0Oct0K 2 0 1 1 1 5 : 4 9 : 2 1 GMT :>ate: 3 s e r v e r : A p a c h e / 2 .2 .2 . 1 7 ( u n 1 x ) p h p / 5 . 2 .1 .1 7 •• <-P0wered B y : p h p / 5 . 2 . 1 7 : o n t e n t L e n g t h : 2 4 3 37 7 1 2 - Q9PE430I08LPtfe < Z o n t e n t - D i s p o s i t i o n : i n l i n e ; f i 1 en en a m ee- em em g d E8 E8 v 64 64 •° : o n t e n tt - T y p e : a p p 1 1 c a t 1 o n / 0 c t e t - s tr tr e a m 8.. 8F *-pad: avoid browser bug ..pk . <_cache: miss from doma n.com J . E . . < e e p - A l 1 v e: e: t i m e o u t - 1 - L- c o n n e c t i o n : K e e p - A l i v i a ET ET ph p >w=19 .e82 &f 44 4 f a 78 M 4 4 di 5 « Wi 62 4 « & 6 c 4 a- i 3 *ost: exezkzla.cn , , s e r - A g e n t : o p e r a / 6 ( w in in d ow ow s mt 5 . 1 ; u ; L a n g i D - 4 0 9 ; x 8 6 ) Connection: close

•Y

1

ZeroAccess Download Download

.

Exploit kit dropping ZeroAccess

http://www.5ymantec.com


Trojan Analysis: ZeroAccess (Cont’d) Source: http://www.symantec.com ZeroAccess can also be installed through web exploit kits. The user is often falsely given the impression they will be installing an update for an application, such as Adobe Flash player. This use of various exploit kits to install ZeroAccess is likely simply a byproduct of its authors attempting to evade IPS rather than an indication of ZeroAccess being sold to other distributors.

Module 06 Page 938




SET / 0snp91i cm/ ?4 HTTP/ 1■ 1 P/1.1 Hose: ose: l owmust ard. org Userser- Agent: gent: Hozi l l a/5. 0 - US: r v: 1. 8. 1. 13) Gecko/ ecko/ 2008 200803 0311 11 Fi r ef ox/ 2.0. 0. 13 Main Attack URL ■1en 1/ t ext ext / html ; q- 0. 9, text / pl ai n; q-0. 0, i mage/pn age/png, g, */*; q- 0.5 Accep ccept: t ext/ xml ,app ,appl i cati cati Accept- Langua Language ge:: en- us, en; q=0. 5 Acceptccept- Encod Encodii ng: ng: azi p, def def l ate Accept ccept - Char har set: I SO- 8859 859- 1, utr - 8; q-0. 7, ; q-0. Keep Keep-- Al i ve: ve: 300C 300Connect onnect i on: keep keep-- al i ve c h t ml x bo bo dv dv x di di v i d=' wa g' g' x / d i v x di di v i d=' l a t ' x / d i v xd xdi v i d* ' f r v ' x / d i v x di di v i d=' f u d' d' x / d i v x di di v i d= d=' ha ha a1 a1x / d i v 0snp? >11an7, ~H^5027aeebF56a: ! dl 05ei eS60905 5604 5c6801 5c6801 uC 01 uc5 5! 1 5 6 5 1 0' 51 11505. htt p, /1.1 r r o n t _ o n rn r n H 1 n n ■ 1 / 1 /H P _ n u, u, a, q, o, z, k,c, j,h, 1 ,c, accept-encoding: pack2 content-type: ajpplicat 0; q
; k pa r s el el nt ( c , 1

6

Second Stage Exploits 1mage/;)pe 1mage/;)peg, g,

q=.2,

q=.
( 10p, ave) ; umm=' QI P5&5790 5790 HTTP/1.1 200 OK [oul ] ;f uncti uncti on shh( shh( u) {re Dat e: Tue, 25 Oct 2011 2011 15:4 9:20 GMT GMT v, p,w, p,w, f , r; w=' Ptd8 Ptd8Ea1rl l E4 Server: Apache/2.2.17 (Unix) PHP/5.2.17 f unct nct i on j ay(v,m, k) fvar fvar x-Powered-By: PHP/5.2.17 (v, (v, y) ) f unct unct i on orc( o) (v«Jôntent-Length: 4096 onTejG ET~ V □snp'91 91i cm/^'l5Vc e-e 6 8 ‘5a f 3 ? 5 5 4 4 2~J2' 2~J2'5T851 V f 5 70102OdOc 570704 570704 5e02 5e02 54 5401075c 5003: 1: (g, (g, 4) ; c=' cl kmg26m g26m' ; d=r unconte unco nte UserAqen t: Mozi 11 a/4 .0 (windows x p 5.1) [x] ; a++) {i f ( q(l ] ( bar [a] [a] [ x-cac Host: lc'Mnustard.ora l j , z, k, r , a; l - ' G575G 575GQ776 776 Keep- Accept: Text/html, image/gif, image/jpeg, ZeroAccess Download Download [k] ; ++) ( t ry( z =neu neu Act i v: °nne °nne connection: keep-alive in, in, a;r o- 9 Ld6Em6Q' ; a* cun ( ^ HTTP/1.1 200 OK w, fc, z, x,v, 3 , h, 1, d; d; z* ' bl e K-* K-* . . Da te: Tue, 25 Oct 2011 15 :49 :21 GMT (w, 8) ; d- »Y9g4a5b8 »Y9g4a5b8at at 3 I da, . ser ver : Apache/2.2.17 (un ix) ph p /5.2.17 (w) {va {varr k, y, s, n, u, c2 r• ••X-Powered-By: PMP/5.2.17 i n (w 109* 09* 3;( 3, )PE43 )PE430I 0I 08LPtf 08LPtf e ■G. '.Y. Content-Length: 243712 ____

.0 . . .

con tent- Disp ositio n: in lin e ; f i lena lenam me=em e=emgd gdE8 E8\/ \/6. 6. ontent-T/pe: ontent-T/pe: app licat ion/octet-stream

8. . 8F x Pad: avoid browser bug

ZeroAccess Download Download . .PK. x-cache: m i s s from domain.com >. E.. Keep-Alive: timeout=1! connection: Keep-Aliv
0 444

444 565 41054 66 -13

....................................

FIGURE 6.45: Exploit kit dropping ZeroAccess

Module 06 Page 939




T r o j a n A n a l y s is i s : Z e ro ro A c c e s s

(Cont’d)

( ^H (•rtifwd | tt kKJi NmIm

Upon execution, ZeroAccess selects a random

The Trojan then creates the following registry

driver driver alphab alphabetic etically ally between between % Sys tem %\ D r i v e r s \ c l a s s p n p . s y s a nd nd

entries to ensure the newly infected driver serves as the main load point for ZeroAccess:

% S y s t e m % w i n 3 2 k . s y s a nd nd o v er er w ri ri te te s th th e

e HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont rolSet\Services\[FILE n a m e OF INFECTED DRIVER]\ I m a g e Pa t h = "\*

driver with its own code The original clean driver is stored in a hidden

HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont rolSet\Services\[FILE NAME OF INFECTED DRIVER]\"Type" = "1"

encrypted NTFS volume using the file name

%Sys t em%\ conf co nf i g\ S>

O HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont rolSet\Services\[FILE NAME OF INFECTED DRIVER] DRIVER] V'Start" = ”3"

The hidden volume is used to store the original clean driver as well as additional components and downloaded payload modules

Code is then injected into services.exe through an

The volu me is rough ly 16 MB in size size and is is

APC which encrypts the data stored in the hidden NTFS volume under \??\ACPI#PNP0303#2&da

accessed through the file system device name: \\??\ACPI#PNP0303#2&dala3ff&0

m

t '

°R y

la 3 ff & 0 \ U and and also also creates creates an an altern alternate ate data data st re re am am fi fil e % S y s t e m D r i v e % \ 2 3 8 5 2 9 9 0 6 2 : 230 226 827 3 . exe and execut executes es it These main loader components ensure the additional payload files stored in the hidden NTFS

\P

volume are loaded and executed

h ttp:// www.symantec.com www.symantec.com Copyright © by


^ Tro jan A nalysis: nalysis: ZeroA ccess (Con t’d t’d) Source: http://www.symantec.com Upon

execution,

ZeroAccess

selects a random driver alphabetically between %Syst em%\ Dr i ver s\ cl asspn ass pnp. p. sys and %Sys t em%wi n32k. n32k . sys and overwrites the driver with its own code. The original clean driver is stored in a hidden encrypted NTFS volume using the file name

%Syst Sys t em%\ conf i g\ TERS>. The hidden volume is used to store the original clean driver as well as additional components and downloaded payload modules. The volume is roughly 16 MB in size and is accessed through the file system device name:

\ \ ?? \ ACPI #PNP0 PNP030 303# 3#2&dal dal a3f a3f f &0 For example, the original clean driver is stored at:

\ \ ? ? \ ACPI #PNP03 PNP0303 03# #2&dal a3f f &0\ L\ [ EI GHT RANDOM CHARACTER TERS] . This file system of the hidden volume is encrypted using RC4 with the following 128-bit key:

\ xFF\ xFF\ x7C x7C\ xFl xFl \ x64 x64\ xl 2\ xE2 xE2\ x2D x2D\ x4D x4D\ xBl xBl \ xCF\ xCF\ x0F\ x0F\ x5D x5D\ x6F\ x6F\ xE5 xE5\ xA0 xA0\ x4 9 The Trojan Trojan then creates the following registry entries to ensure the newly infected driver serves as the main load point for ZeroAccess:

Module 06 Page 940




©

HKEY_L EY_LO OCAL_ MACHI NE\ SYS SYSTEM TEM\ Cur r ent ent Cont ont r ol Set \ Ser vi ces\ [ FI LE I NFECTED FECTED DRI VER] VER] \ I magePat h = " \ *

NAME

OF

©

HKEY_LO EY_LOC CAL_M L_ MACHI NE\ SYSTE YSTEM M\ Curr ur r ent ent Cont ont r ol Set Set \ Ser Ser vi ces\ [ FI LE I NFECTED FECTED DRI VER] VER] \ Type1 Type1"" = "

NAME

OF

©

HKEY_LO EY_LOC CAL_M L_ MACHI NE\ SYSTE YSTEM M\ Curr ur r ent ent Cont ont r ol Set \ Ser Ser vi ces\ [ FI LE I NFECTED FECTED DRI VER] VER] \ Start3" = "

NAME

OF

Code is then injected into services.exe through an APC. The injected code encrypts the data PNP0303 03# #2&dal a3f f &0\u stored in the hidden NTFS volume under \ ?? \ ACP1#PNP03 &0\u and also creates Sys t emDr i ve%\ 23852990 2385299062: 62:23022682 2302268273. 73. exe exe and executes it. an alternate data stream file %Syst These main loader components ensure the additional payload files stored in the hidden NTFS volume are loaded and executed.

Module 06 Page 941




Tro Troj an A n a ly s is is:: D uq uqu u Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information

CEH

UrtifWtf IthKJi lUikM

Code section, Duqu payload DLL 10001000 C++ Standard Templat e Library functions

.100042SO Native C++ code with STL

1000C2C9

The code section of the Payload DLL is common for a binary consists of "slices" of

Payload Other Language C framework

/

code that may have been initially compiled in separate object files before they were linked in

No C++

a single DLL

10023878 10028F2C

(STL) functions, run-time library functions, and user-written code, except the biggest slice that

1002EAD1

contains most of C&C interaction code

+

Nativ e C+ code with STL

Most of them can be found in any C++ program, like the Standard Template Library

Run-Time library code

100MOM

Native C code for injection API thunks. Exception handlers

http://www.securelist.com Copyright © by EG-G*ancil. All Rights Reserved. Reserved. Reproduction is Strictly Prohibited

£

3 ^

Trojan rojanAnalys nalysiis: Dut*u Source: http://www.securelist.com

Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information. The code section of the Payload DLL is common for a binary that was made from several pieces of code. It consists of "slices" of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions, and user-written code, except the biggest slice that contains most of C&C interaction code.

Module 06 Page 942




Code section, Duqu payload DLL .loooitxio C++ Standard Tem plate Library functions .100042 SO Native C++ code with STL .1000CZC9

Payload Other Language Language / C framework No C++

.10023878 Native C++ code with STL -10028F2C Run-Time Run-Time library code •1002EAD1 .100300A4

Native C code for injection API thunks. Exception handlers

FIGURE 6.46: Duqu Tool Screenshot

Module 06 Page 943




Trojan Analysis Analysis:: Duqu Framewo Fram ework rk D u qu qu F r a m e w o r k Code Properties S

Everything is wrapped into objects

S

Function table is placed directly into the class instance and can be be modified after construction

S

There is is no distinction between utility utili ty classes (linked lists, hashes) hashes) and user-written code

S

Objects communicate communicate using using method calls, deferred execution queues, and event-driven callbacks

S

There are no references to run runtime library functions; native Windows API is used instead

CEH

E v e n t D r i v en en Framework Event objects, based on native Windows API handles Thread context objects that hold lists of events and deferred execution queues M

Callback objects that are linked to events Event Eve nt monitors, monitors, created by each thread context for monitoring events and executing callback objects Thread context storage manages the I list of active threads and provides provides access to per-thread per-thread context objects I

http://www.securelist.com Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

r ^ 1—

Trojan Analysis: Analysis: Duqu F ram ew ork Source: http://www.securelist.com This slice is different from others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. It is called the Duqu Framework. Duqu Framework Code Properties

The code that implements the Duqu Framework has several distinctive properties: 9

Everything Everyth ing is wrapped wrap ped into objects

9

Function table is placed directly into the class class instance and can can be modified after construction

9

There is no distinction betwe b etwe en utility uti lity classes classes (linked lists, lists, hashes) and user-written code

9

Objects communica commu nicate te usin using g method calls, calls, deferred defer red execution queues and event-driven callbacks

Module 06 Page 944



9


There are no no references to run-tim run-time e library functions; native Windo ws API is used used instead

Event-Drive Event-Driven n Framework The layout and implementation of objects in the Duqu Framework is definitely not native to C++ that was used to program the rest of the Trojan. There is an even more interesting feature of the framework that is used extensively throughout the whole code: it is event driven. There are special objects that implement the event-driven model: 9

Event objects, objects, base based d on native Wind Wi nd ow ows s API handles

Q Thread context objects that hold hold lists lists of events event s and and deferred execution queues Q

Callback objects that are linked to events

© Event monitors, created create d by each thread thr ead context conte xt for monitoring events and and executing executing callback objects © Thread context storage manages the list of active threads and provides access to perperthread context objects objects

Module 06 Page 945




Trojan A nalysis: nalysis: Event Driven Framework

C EH 0

J This event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, neither does it look like compiled with known Objective C compilers

0

0

Object 2

Object 2

*L--- X---

Event Object

...........

Monitor H -Event -- * ---

...........

•>

Event Object

Event Monitor

Callback Object

Callback Object Thread Context: Event and Call Call Queue

Object 1

Object 1

Thread Context: Event and Call Queue

* Thread Context Storage

Thread Context Storage

http://www ttp:// www..securelist, securelist,com Copyright © by


Trojan Analysis Analysis:: Event D riven ri ven Fram ew ork Source: http://www.securelist.com The event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, neither does it look like it is compiled with known objective C compilers.

Object 2

Object 2

y Event Object

Event Monitor ---------

Callback Object Object 1

4

*

Event Object

Event Monitor ---------

--------

Thread Context: Event and Cali Queue

Callback Object ...........

Object 1


»

*

---------

Thread Context: Event and Call Queue


FIGURE 6.47: Event Driven Framework

Module 06 Page 946




M odule Flow Flow So far, we have discussed how a Trojan infects a system and the types of Trojans available. Now we will discuss how to conduct Trojan detection. Trojan detection helps in detecting the presence of Trojans on an infected system and thus helps you in protecting the system and its resources from further loss.

Tro jan Concepts

, •

Co u nte rm e a su re s

Trojans Infection

f|j||

^— v—

Types Types of Troja Trojans ns

^

f ^

Trojan Trojan Detection

■ 4


1 Penetration Testing Testing

This section focuses on Trojan detection using various techniques or methods.

Module 06 Page 947




Scan for suspicious OPEN PORTS

Scan for suspicious STARTUP PROGRAMS

> 4

Scan for suspicious RUNNING PROCESSES

Scan for suspicious FILES and FOLDERS

Scan for suspicious REGISTRY ENTRIES

Scan for suspicious NETWORK ACTIVITIES

9

0

Scan for suspicious DEVICE DRIVERS installed on the computer

Scan for suspicious modification to OPERATING SYSTEM FILES

9

0 Run Trojan SCANNER to detect Trojans

Scan for suspicious WINDOWS SERVICES

9

0

Cbpyright © by

EC-CMMCil. All Rights Jte$ervfed' Jte$ervfed'.;Reproduction .;Reproduction is Stric tly Prohibited.

How How to to D etect Trojan s Trojans are malicious programs that masquerade as a useful or legitimate file but their actual purpose is to take complete control over your computer, thereby accessing your files and confidential information. In order to avoid such unauthorized access and to protect your files and personal information, an antivirus product has to be used, which automatically scans and detects the presence of Trojans on your system or you can also detect the Trojans installed on your system manually. The following are the steps for detecting Trojans: 1. Scan Scan for for suspi suspicio cious us OPEN PORTS PORTS 2. Scan Scan for suspic suspiciou ious s RUNNING RUNNING PROCESSES PROCESSES 3. Scan Scan for suspic suspiciou ious s REGISTRY REGISTRY ENTRIE ENTRIES S 4. Scan for suspicious DEVICE DRIVERS installed on the computer 5. Scan Scan for susp suspic iciou ious s WIN DO WS SERVICES SERVICES 6. Scan Scan for for susp suspic iciou ious s START STARTUP UP PROGRAMS 7. Scan Scan for suspic suspiciou ious s FILES FILES and and FOLDERS FOLDERS 8. Scan Scan for for suspic suspiciou ious s NETWORK ACTI ACTIVITIE VITIES S 9. Scan Scan for susp suspicio icious us modifica modification tion to OPERATING OPERATING SYSTEM FILES FILES 10. Run Trojan SCANNER to detect Trojans Module 06 Page 948




S

Trojans open unused ports in victim mach ine to to connect back to Trojan Trojan handlers

B

Look Loo k for the connection established to unknown or suspicio suspicious us IP addresses addresses

C:\Windows\syste m32\cmd.exe

S i

x

J:\ Us er s\ Ad m irO ne ts ta t -an|

Ictive Connections Proto TCP TCP TCP TCP TCP TCP

Local Address 0.0.0.0:135 0.0.0.0:445 0.0.0.0:554 0.0.9.0:1025 0.0.0.0:1026 0.0.0.0:1027

t pp

n n 0 a: 10 9 ft

T CP CP

0 .0 .a.0:10243

T CP CP

127 .0.0.1:12080

T CP CP

127 .0.0.1:12000

TCP

127.0.0.1:12110

TCP TCP TCP TCP TCP TCP

State

LISTENING

L I S T E N IN IN G

LISTENING LISTENING

LISTENING

LISTENING I.IQTPNINH

0.0.0.0:1029 0.0.0.0:206? 0.0.0.0:5357

LISTENING

0.0.0.0:22350 127.0.0.1:12025

LISTENING LISTENING

LISTENING

LISTENING LISIENING

LISTENING ESTABLISHED

127.0.0.1:12080

LISTENING

<

> r 5 i 8 8 'J:rSIJ8 r S i 8 8 ' I : TS TS 88 88 8 J S A* 88 ' I :I S08H

:

a

0

□

System Administrator

ESTABLI SHED SHED

(nrin cN J S V 8 8 T:238 T:2382S 2S IS.V H'N 'I ‘2382 ‘23828 8 . _.fj

r iZ iZ lE lE MI MIH C KldBriZHE D E2IWBn 2HED ■Copyrif ;ht © by

EG-Gouncil. All Rights Jteservfed.;Reproduction Jteservfed.;Reproduction is Strictly

Prohibited.

Scann ing for fo r Suspicious Ports

Trojans open unused ports on the victim's machine to connect back to the Trojan handlers. These Trojans can be identified by scanning for suspicious ports. Scan for suspicious ports and look for the connection established to unknown or suspicious IP addresses. 31

C:\Windows\system32\cmd.exe

C: \ Users\ Adni n' net net stat - an Connect ect i ons ons Act i ue Conn Prot o TCP TCP I CP TCP TCP I CP I CP CP I CP I CP TCP TCP I CP TCP TCP I CP I CP I CP I CP I CP CP I CP CP TCP TCP

Local Address ddress 0. 0. 0. 0: 135 0. 0. 0. 0: 445 0. 0. 0. 0: 554 0. 0. 0. 0: 1025 0. 0. 0. 0. 0. 0: 0: 10 1026 0. 0. 0. 0: 102? 0. 0.0. 0:102 0:1028 0. 0. 0. 0: 1029 1029 0. 0. 0. 0: 2869 0. 0. 0. 0: 5357 5357 0. 0. 0. 0: 10243 0. 0. 0. 0: 22350 12? . 0. 0. 1: 12025 127. 0. 0. 1: 12080 127. 0. 0. 0. 0. 1: 1: 12 12080 127. 0. 0. 0. 0. 1: 1: 12 12080 127. 127. 0. 0. 1: 12110 12110

For ei gn gn Addr es s 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0. 0. 0: 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 0. 0. 0. 0: 0 127. 0. 0. 0. 0. 1: 1: 53 53850 127. 0. 0. 0. 0. 1: 1: 53 53852 0. 0. 0. 0: 0

St at e LI STEN STENI NG LI SI ENI NG LI STENI NG L I SI ENI NG LI STEN STENI NG LI SI ENI NG LI SI ENI NG LI SI ENI ENI NG LI SI ENI NG LI SI ENI ENI NG LI SI ENI NG LI STENI NG LI SI ENI NG LI STENI NG ESTABLI SH SHED ESTABL I SH SHED LI STENI NG

Type n e t s t a t

—a n

in command prompt

System Administrator

FIGURE 6.48: Scanning for Suspicious Ports

Module 06 Page 949




Port Po rt M on itoring To Tool ols: s: TCPVi TCPView ew and CurrPo rt rtss CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer

TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections

TCPView - Sysintemals: www.sysintemals.com

THO TH O

gr

Fie Opticns Piocesi View Hdp

-!ml-Pt

CurrPorts

| F*e Ed* V!cw Option? Hdp

x a i % V V -J S' « 0 3 t :;>*»<»Pfry:

0

TCP m tcp 772 tcp 772 TCP 772 TCP 772 TCP 772 TCP 77} TCP 773 TCP 773 TCP 773 TCP >1X0 TCP •3*0 cp 3576 TCP . t cp 1B7S TCP 876 TCP 3876 TCP 3676 TCP 31*6 TCP

€ c*« c*«cre»9

C c**re»« C !e

3668 644 S44 516

TCP TCP TCPV6 TCP

Rerwte 123.17S32U7 123.17S32U7 123.17 17S3?1<7 123.17 17532.133 123ITS 3?1 123.17 17632.15 153 f 13953 ISMf rt

LocdAddesi w>« winfm infm»W1.«M1 wnnv? »W1.«k41 wnm?«leMk41 wnmv«lf**k41 mv«lf** k41 m mw:lcMk4l wnmw*>*k4l

41^4« 1*

1

wp11MOInvl rp. N?> 123.175]?.14/ 75]? .14/ Ntp m/wVl1111• rf «V I Ntp miWl 111ft rr fi V I WINMSiELCf.4K (1 WWMSSEICMK 0 loedhotf 105? ! . fllhMf 1051 h3»HB91 HB91«IOO tapi r f.V I Ntpi m/vfl fl3116-«W* |p 11!’ mWUll&•(><.! I•... Ittpi

WlNWiOCir

WNMSSEICMK WNMrîmK

WNMr.nrK4K m1u l£kU41 m«m»*eUUk41 Mnfim-kV.4141 mn-imnlcMMI

un-fis -fi st* t*W W.
Remote Port Sm* N
Nv aosc.w,»iT Nv

4262 3026 3026 102$

I... Itto WINMSSELCWK .0 whmewlck4k4 k4k41 0 WUJMSSELCMK 0

r?T*«jy-(rr» r - *n1 .rrr>

I »H4B. » H4B. •l-i !• tSHrtJ44D

11*11 L«SI€ I€H 1rg&

5 »4*^ <

EST«Mjy4(D

Proem N*

Procn. rocn... ..

Plot lotocol ocol Loca Local Por

local Po*... . .. Loca Local Add mi

♦ ♦ • « • ♦ ♦ ♦ • •

864 1940 1940 900 1375 BM 47• 1376 1040 1940 1940 900

UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP TCP TCP

it t kmp :5dp wi -di t co co... wi-dmo. wvdt oco... ■ptec• llmnr

Syjtcr• Syjtcr• $y««m Sytte Sytten n S> S>ll*m Sy*fT Sy*fT Syihm hm SjTMm Sytten Sytten Sytte Sytten n Sytlr Sytlrm m

• Sy Syitcm ♦ Syaem • Unknown known 0 Un Unknown ® Unknown ♦ Un Unknown C Unknown

t s t a n , 4 i :!:! [Siettjy-tfD

LlSIENIUi LISTEMI3. l«TEW\3

0

0 0 0 0

500 1900 3702 3702 3702 45C0 5355 51225 59293 $9294 62058 62060 49244 4924S 492S2 49253 49254

< Eflabfehe* 22 Listening: 28

53Total Ports, R&n ou Connections, 1Selected

[::]:500 [C111900 [::1:3702 [::]:3702 [::]:3702 [::]:4)00 [1:1:5355 [::]:5122S [l«d0!:b9M:d01.H [::1JS9294 [ ::]:62056 [::1:62060 10.00.12:49244 10.00.12:49245 10.00.12:492*2 10.00.12*9253 10.00.12*9254

Remote...

Remote ote _ A

80 ao ao 80 80

http http http http Wtp

*

> NirSott Proevyare. mtt »vrww.rur*ottn

http://technet.microsoft.com

http://www. ttp:// www.nirsoft. nirsoft.net

Copyright © by EG-CMMCil. All Rights ^pS'ervfed'.;Reproduction is Strictly Prohibited.

Port M onitoring Tools: Tools: TCPVie TCP View w and C urrP orts TCPView Source: http://technet.microsoft.com TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. It provides a more informative and conveniently presented subset of the Netstat program that is shipped with Windows. It works on Windows NT/2000/XP and Windows 98/ME. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. On Windows XP systems, TCPView shows the name of the process that owns each endpoint. By default, TCPView is updated every second. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green. The user can close established TCP/IP connections (those labeled with a state of ESTABLISHED) and save TCPView's output window to a file as well.

Module 06 Page 950

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.



\ JMft F il il e

Q

LJ O x I

TCPV iew - Sysinternals: www.sysinternals.com O pt pt io io n s

a

P ro ro c es es s

V ie ie w

H el el p

-< H

Process P ID ' [System Pro c... c... 0 fg chrome.exe 772 ch rome.exe 772 772 fg ch rome.exe 772 (• ch rome.exe ch rome.exe 772 (? ch ch rome.exe 772 ch rome.exe 772 chrome.exe 772 772 G ch rome.exe chrome.exe 772 3 380 g oo L^^Booaletdk exe 3688 googletalk.exe 3688 a “ l sass .ex e 644 I “ I sass exe 644 ” services.exe services.exe 636 ■ 1— ----------

t) f1t)) <

Endpoints: 69

P io l o c o l T CP T CP T CP T CP TCP T CP TCP T CP TC P T CP TC P T CP TC P T CP TC P T CP TCP T CP CP T CP CP TCP T CP CP T CP CP TCP T C PV 6 TCP

L o c a l Address w in msselck4k41 win-msselck4k41 W1rvmsselck4k41 win-msselck4k41 W1n-msselck4k41 win msselck4k41 w i n m s s e lc k 4 k 4 1 win-msselck4k41 win-msselck4k41 win-msselck4k41 W1n msselck4k41 W IN - M S S E L C K 4 K W l N -MS S E L C K 4 K .. W IN - M S S E L C K 4 K W l N -MS S E L C K 4 K .. win-msselck4k41 win*msselck4k41 win-msselck4k41 w in in -m -ms se se lc lc k4 k4 k4 k4 1 win-msselck4k41 win-m:; elck4k41 win-msselck4k41 W IN - M S S E L C K 4 K win-msselck4k41 WIN-MSSELCK4K

L o c a l Port 4277 4164 4250 4251 4252 4274 4275 4276 4278 4279 4280 12121 12122 1051 1052 1082 4033 4266 4271 1195 4281 4282 1028 1028 1029

=

V ]"<

III

E s t a b lis h e d : 22

«N

State Remote Address Remote Port 123.176.32.147 http T IM E W A I T 123.176.32.147 http ESTABLISHED 123.176.32.138 ht http E S T A B L IS H E D 123.176.32.138 http E S T A B L IS H E D 123.176.32.153 ht http E S T A B L IS H E D r-199-59-150-9. twt... ht http C L O S E W AI A IT v ip l 3 Ib40 lond. c o . .. http E S T A B L IS H E D v ip l 3. Ib40. lond. c o . .. ht http E S T A B L IS H E D 123.176.32.147 http E S T A B L IS H E D maa03s16-in-f27.1... http E S T A B L IS H E D maa03s16-in-f27 1... http E S T A B L IS H E D W l N -MS S E L C K 4 K . .. 0 L IS T E N IN G W I N - M S S E L C K 4 K .. . 0 L IS T E N IN G localhost 10 1052 E S T A B L IS H E D localhost 1051 E S T A B L IS H E D hg-in-f189.1e100.... ht https E S T A BL BL I S H ED ED maa03s16-in-f maa03s16-in-f22.1... https ESTABLISHED maa03s16-in f4.1e... ht https E S T A BL BL I S H ED ED maa03s16-in-f2.1 e .. ... https E S T A B LI LI S H ED ED ni in f125.1 e100. net 5222 E ST ST AB AB LI LI S HE HE D SYN SENT 74.125 236 189 http maa03s16-in f29.1, . http S Y N SE SE N T W I N •MS S E L C K 4 K . .. 0 L IS T E N IN G w in msselck 4k41 0 L IS T E N IN G W I N ■MS S E L C K 4 K . .. 0 L IS T E N IN G

L i s t e n in g : 28

T im im e W a aiit : 1

C lo s e W a aii t : 1

I FIGURE 6.49: 6.49: TCPView Tool Screenshot

CurrPorts Tool Source: http://www.nirsoft.net CurrPorts allows you to view a list of ports that are currently in use and the application that is using the ports. You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report. It displays the list of all currently opened TCP/IP and UDP ports on the system. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, etc.), the time that the process was created, and the user who created it. It allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to HTML file, XML file, or tab-delimited text file. CurrPorts

& Fit•

Edit Vimw Oplioni

H iP

Proutt N«

PlOC« PlOC«..

Proto Protoco coll

Locj I Port

O System O System O System 0* System O System O System O Sy System O System O System ® System O System O System 0 Unknown O Unknown O Unknown ® Unknown Unknown

864 1940 1940 90 1376 864 476 1375 1940 1940 1940 9W 0 0 0

UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP

5C0 190: 3702 3702 3702 450: 5355 51225 59293 5929a 62056 6205C 4924a 49245 49252

0

TCP TCP

49253 4925a

53 Total Por t* I Remote Conneetions, 1 Seleeted

l c« c«*i Pc i. sakmp dp W5*SCO_ as

l oc oc 4l 4l Ad d' d' au

R*n1

[::1500 ]:: [:1900 [::>3702 [::>3702 [::>3702 [::>3702 [: :>4500 [: :>5355 [:: >53225 [f e80=b9ea: d01]:: <59294 [: :(62056 [:: >62060 10.0.0.1249244 80 10.0.0.1249245 60 1000 1249252 SO

R«mot •,•,.. A

_ _

-J sc o

•n-ifaca..

i psec-mdt Imnr

10.0.0 .0.0.1 .124 249253 1000124925a

60 SO

NxV.fl r>p.—

http ht tp ht t p http http

v 1

hMp-/'www.ni» » till .

FIGURE 6.50: CurrPorts Tool Screenshot

Module 06 Page 951




Scanning Sca nning for Suspicious Processes Trojans Trojans camouflage themselves as genuine Windows services or hide their processes to avoid detection

Process Process M onitor is a monitoring monitoring tool tool for Wind ow s that shows file system, registry, registry, and process/thread activity

UHU

Some Trojans use PEs (Portable Executable) to inject into various processes (such as explorer.exe or web browsers)

Processes are visible but looks like a legitimate processes and also helps bypass desktop firewalls

Process Monit or - Sysinternals: Sysinternals: vrww.sysinternals.com vrww.sysinternals.com £ile

L*

Edit

Event

Ll

P 0c«s3 Name 11:09: Explorer EXE Explow EXE ^ Explorer EXE^ 1:09:.. Explorer EXE*^ 11:09:.. jbc pk xw tXE ^ j Ewkxw.EXE* 11:09:.. • ctrx* tx ■ :09:.. cans .exe ^ : 09:.. ■ !cans.ece « e ■ : 09:.. c s n s « 11:09:.. csrss exe ” 1

: :.. :..

> ..

11 j j »_

Use process monitoring tools to detect hidden Trojans and backdoors

Filter

&

Troe

Trojans can also use rootkit methods to hide their processes

CEH

Tools

fiptions

V i ©

Help

I

I

£|a| ,,.l* .l *!

3ID Operation Path Resit 5572 ^Cr eateFi leMa... C:\Prcgram Hes *86)\N bz1ll8 hnefo SUCCESS 5572 rftRogOponKoy HKLM\Scftwaro\MIo HKLM\Scftwaro\MIo oooft\V/r »w SUCCESS' SUCCESS' 5572 RegGHjeiyValueHKLMvSOFTWAREWaoMft XMftn.. NAME NO 5572 StRegOcseKey HKLM\S0FTWARE\M1cro5of cro5of t\W n.. SUCC SUCCESS ESS 5572 CreateHie C:\Progran Hes X»6>\Nbz1lla hn to NAM NO 5572 ^ Qu ct y BasicInf.. .CAPregr APregraai Ties xDG)\Mjulla Ffcefo .. SUCCESS SUCCESS 548 &R #*d FI# C:\Window«\Syct* C:\Window«\Syct*m32\ m32\cxee cxee v dl SUCCESS SUCCESS 548 A Read Fie C :\Windows\System 32\csrs v dl SUCCESS 548 RegQueryYalusHKLM\S0 RegQueryYalusHKLM\S0 FTWARE\M1crosc FTWARE\M1crosc ft\Win. . SUCCESS 548 tjk ReadFie C:\Windows\Systefn32\sxs.dll SUCCESS 548 & ReadHe C:\W1ndows\System32 C:\W1ndows\System32\sxs.dll \sxs.dll SUCCESS >48 >48 rftRwQ ucrv Kcv HKLM SXCESS

Show ing 3S9,3T5 cf 662,305 events (54%)

Backed Backed by virtual mem ory

http://technet.microsoft.com Copyright © by


Scanning for Suspicious Suspicious P roce sses There are various symptoms that can indicate that our system has been infected. The system suddenly becomes slow, downloading speed becomes slow, and the Internet's speed also comes down drastically. Attackers use certain rootkit methods to make the Trojan hide in the system where it can't be normally detected by antivirus software. These Trojans and worms usually enter into the system through pictures, music files, videos, etc. that are downloaded into the system. Initially, everything seems to be good but slowly they show effect in various ways. By using process monitoring tools, we can easily detect hidden Trojans, worms, and backdoors. Hidden Trojans and other kinds of vulnerabilities or viruses can be detected by scanning for suspicious processes.

Pro cess M onito onitorr Source: http://technet.microsoft.com Process Monitor is a monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It is used to analyze the behavior of spyware and dubious programs. Its features include rich and non-destructive filtering, comprehensive event

Module 06 Page 952




properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, etc. Process Monitor Moni tor File

Time

11:09

<

Edit

Event

Filter

Process Name (Explorer.EXE _ ,Explorer.EXE Explorer .EXE ^(Explorer.EXE ,Explorer.EXE ,Explorer.EXE 1 Explorer.EXE ■ 'csrss.exe 'csrss.exe ■ 'csrss.exe 'csrss.exe ■ 'csrss.exe 'csrss.exe ■ 'csrss.exe 'csrss.exe ■ 'csrss.exe 'csrss.exe ■ ' csrss.ex csrss.exe e

Sysinternals: www.sysinternals.com Tools

Options

Help

PID Operation Operation Path Result 5572 5572 ykCrea ykC reateF teFil ileMa. eMa... .. C:\Program Files fc86 fc86)\M )\M0 0zilla Firefo... SUCCESS 5572 5572 rftRegOpe rftRe gOpenKey nKey HKL HKLM\S M\Softw oftware\M are\Microso icrosoft\W ft\Windo indow... w... SUCC SU CCES ESS S 5572 5572 4 % RegQueryValueHKLM\SOFTW RegQueryValueHKLM\SOFTWARE\Microsoft\Win.. ARE\Microsoft\Win.... NAME NO 5672 5672 ^R eg Q os eK ey HKLM\ HKLM\SOF SOFT\VA T\VARE\M RE\Micro icrosoft\ soft\Win. Win... .. SUC CESS CES S 5572 5572 [^C [^ C reat re ate e File C:\Program Files fc86 fc86)\ )\M M0 zilla Firefo... NAME NO 5572 ykQuef> Basiclnf ..C:\Program Files fc86 fc86)\M )\M0 0zilla Firefo... SUCCESS 548 2 ^ Read File C:\WrKJcws\ C:\WrKJcws\Systern32 Systern32\sxssrv.dll \sxssrv.dll SU CC ESS ES S 548 ^ Read File C:\Windows C:\Windows\System \System32\c 32\csrsrv.dll srsrv.dll SU CC ESS ES S 548 & RegQueryValue egQueryValue HKLMXSO FTWAR FT WAR E\Microsoft\Win... E\Microsoft\Win... SUCC SU CCES ESS S 548 548 Read File C:\Windows\System C:\Windows\Sys tem32\sx 32\sxs s dll SU CC ES S 548 548 Read File C:\Windows\System32\sxs.dll C:\Windows\System32\sxs.dll SU C CE SS 548 rftReaQuer rftRe aQuervKev vKev HKLM SUCCESS _____________

III

Showing 359,375 of 652,305 events (54%)

>

Backed by virtual memory

FIGUR FIGURE E 6.51: 6.51: Pr oce ss Monitor

Module 06 Page 953




P roc ess M onitoring To Tool: W hat's Running J

e

Wh at's Running gives gives an inside look into your W in do ws operating systems

C EH

Microsoft

Inspect the processes processes and get performance and resource usage data such as memory usage, processor usage, and handles

e

Information about dlls loaded, services running within the process, and IPconnections associated with processes

Copyright 6 by EG-GtUIIC EG-GtUIICil. il. All Rights Reserved. Reproduction is Strictly Prohibited

Pro ce ss M onitoring Tool Tool:: W hat’s hat’s R unn ing ^

Source: http://www.whatsrunning.net

What's Running gives you an inside look into your Windows system, such as 2000/XP/2003/Vista/Windows7. It explores processes, services, modules, IP-connections, drivers, etc. through a simple-to-use application. 9

It inspects the processes and gives performance and resource usage data such as memory usage, processor usage, and handles. It gives all the details about dll:s that are loaded, services that are running within the process, and the IP-connections each process has

0

IP connections:

Processes:

It gives all the active IP connections in your system

Q S e r v i c e s : Inspects the services that are running and stopped Q

Modules:

Finds out the information about all dll:s and exe:s that are in use on your

system

Module 06 Page 954




Drivers: It finds out the information about all drivers, for running drivers you can inspect

the file version for finding the supplier of the drive System information: It shows crucial system information about your system such as

installed memory, processor, registered user, and operating system and its version —

What’s Running? 3.0 File

View

Startup

Help Processes 79 |

Snapshot

Q $ ake snapshot t j Load Snapshot from file

Compare snap with sa... © Upload Upload Snapshot Snapshot to ...

_

Processes

X

Start Process o

|□

Stop process

3 Select Process column columns View delta Icons Get nfo onlne & Open folder

, J- ihow processe processess in Tree Tree

A rs -

Ser Service vices s ■1701 1701Gl Modies349 | ^

Process Name Proces. User Name lsass.exe 616 SYSTEM wtnlogon.exe 564 SYSTEM dwm.exe 868 J explorer. rer.ex exe 600 Administrator igfxtray.exe 3908 Administrator hkcmd.exe 3936 Administrator igfxpers exe 4028 Admintstrator ! {f {f t edpr_server.exe 3140 Administrator 2224 Administrator Q WinFLTray.exe M FLComServDrl.exe 1036 Administrator J Snagit3 git32e 2exe xe 1396 Administrator TscHelp.exe 3268 Administrator SnagPriv.exe 3532 Administrator CSnagitEdrtor exe 4120 Admmstrator 4324 Admmstrator splwow64.e. U hrefox exe 4420 Admmstrator 4304 Admmstrator P j P0WERPNT.EXE P0WERPNT.EXE 4200 Administrator S mmc.exe vmconnect.exe 3372 Admristrator 3304 Administrator googletalk exe !rt| !rt| EME EMET_ T_notifi f ier e r exe 3404 Admintstrator © chrome exe 4708 Administrator w•:. ;1 ■■: - •:-,:i ^^ ^ ^ ■ ! 4872 Admintstrator chrome.exe chrome.exe 2700 Admmstrator ^ chrome.exe 5096 Admmstrator ^ chrome.exe 3600 Admmstrator (£ ) chrome.exe 2580 Admmstrator £ ) chrome.exe 2240 Admintstrator

1^1

CPU 0.0 0.0 * 0.0 0.0 00 00 00 00 00 * 00 * 00 00 * 00 00 00 00 00 00 m n * 00 0.0

IP Connections ■37 | * * Driver vers• 279 | Q Startup-16 |

Prod Prod KA ► ► ► 1 1 1 E F F c c c

► F ► ► ► C E C = C c c c 0.0 c 0.0 o

Item 3 Proc Proces ess s Properties es Process ID Process Name Parent Process ID CPU Target ® Process Process 0 Memory Page Fault Count Peak Working Set,. Working Set Size Quota Peak Page,.. Quota Paged Pool... Quota Peak Non . Quota NonPaged... Page Fie Usage Peak Page File Us... ® FileVersion 0 Time me Creation Time Kernel Time User Time

@I/O

System Info |

4856 chrome.exe 4708 0.0 Win32

58907 45948 K 37900 K 232 K 225 K 25 K 25 K 32364 K 37436 K

10/2/2012 5:4203 PM 00:00:00:390 00:00:03:853

(3 Ul Objects

,1 ^ Services Service s (0) B [ T Modules(46)

Update interval:! seconds

FIGURE 6.52: 6.52: What 's Running Running Tool Tool Screenshot

Module 06 Page 955

Ethical Hacking and Countermeasures Copyright © by EC C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.



P roce ro cess ss M onitoring on itoring Tools p

PrcView

i

http:/ :/'/www.teamcti.i.com

%

Winsonar

£•9

CEH

Secur ity Task Task Manager M anager

http://www.neuber.com

^

M

Yet Another (remote) Process Process Monitor

C

http://www.fewbyte.com

4)

HiddenFinder HiddenF inder

MONIT

http://www.wenpoint. t.com

http://mmonit.com

Autoruns for Wind ow s

Process Monitor M onitor


b F3

http://yaprocmon.sourceforge. e.net


KillProcess

OpManager

http://orangelampsoftware.com

http://www.manageengine.com

Copyright © by EG-G*ancil. All Rights Reserved. Reproduc tion Is Strictly Prohibited.

Pro cess M onitoring onit oring Tool To olss There are many process monitoring tools that you can use for the detection of Trojans installed on your system. These tools display a list of all the processes running or installed on your system. By analyzing the list you can identify the Trojans. These tools provide a comprehensive monitoring console for your entire network and IT infrastructure. They continuously and proactively monitor the entire IT system because of which any outages or performance degradations can be immediately identified and notified. In addition, it kills all the software that threatenss your computer, even if it is hidden. A few process monitoring tools are listed as follows: 9

PrcView available at http://www.teamcti.com

9

Winsonar available available at http://www.fewbvte.com

9

HiddenFinder available at http://www.wenpoint.com

9

Autoruns for Windows available at http://technet.microsoft.com

9

KillProcess available at http://orangelampsoftware.com

9

Security Task Manager available at http://www.neuber.com

9

Yet Another (remote) Process Process Monito r available at http://yaprocmon.sourceforge.net

9

MONIT available at http://mmonit.com

9

Process Monitor available at http://technet.microsoft.com

9

OpManager available at http://www.manageengine.com

Module 06 Page 956




Scan ning for Suspicious Fnivtac J

Windows automatically executes executes instructions in

e Run

e

Findsregis istry ryerrors, unneededregis istry ryjunk andhelpsin indetectingre registryentrie iescreated byTroja jans

RunSe unSerr vi ces

e RunOnce e RunSer unSer vi cesOnce cesOnce S HKE HKEY_CLA Y_CLASSE SSES_RO S_ROOT\ exef i l e\ shel l \ open\ open\ command

| N*ordrKteryX:C:«Vnd»w1\ir«trf rf»\{A {ACXa NRU81 >otherhat C:'LMer5\AJmr1SrabrOedctooVrtfoi Setui IS O.1j NRUattKr)1at1CÎ>e»VUmraM>ak»«aktopr«t«o>Sc«w>IS C1. NRUantio thertat therta t E:Vfepfcatont'Asctcason'f reb*Set«9.0.1re 1re NIKI trti ottw tat ta t F•\Aeptr»tnwVksplr»tar*' nwVksplr»tar*'FrH»» # 1re

"%1" %*. sections of registry J

Scanning registry values for suspicious entries may indicate the Trojan infection

J

Trojans insert instructions at these sections of registry to perform

http:// www.macecraft www.macecraft .com

malicious activities

Cbpyright © by EC-CMBCil. All RightsJte$e rvei;R eprod uctio n is Strictly Prohibited.

^23

Scann ing for Suspicious R eg istry istry En tries tries

— When Wh en a Trojan gets gets installed on on the victim's machine, it generates genera tes a registry regis try entry. entry . We can notice various changes; the first symptom is the system gets slower. Various advertisements keep popping up. So, scanning suspicious registries will help in detecting Trojans. Windows automatically executes instructions in the following sections of the registry:

© Run 9

RunS unSer vi ces

© RunOnce 9

Run RunSe Serr vi cesOnce cesOnce

Q HKEY_CLAS HKEY_CLASSES SES_ _ ROOT\ exef i l e\ s hel l \ open\ command " %1" % * Scanning registry values for suspicious entries may indicate a Trojan infection. Trojans insert instructions at these sections of the registry to perform malicious activities.

r |Jj k

jvl6 PowerTool PowerToolss 2012 012 -Registry Cleaner Source: http://www.macecraft.com

jvl6 jvl 6 Powe PowerT rToo ools ls 2012 is the ultima ultimate te regis registry try cleaner cleaner used to find registry registry errors and and unneeded registry junk and helps in detecting registry entries created by Trojans.

Module 06 Page 957




jv16 PowerTools 2012 [W8-x 64] - Registry Cleaner Fte Fte

Select

Iools

Key Entry’s name

Help HKCRV-ocal SettingsôftwareWicrcsoft\W1ndows\ShelV*mCa:he\ D: \CEH T:>0ls\Sal tyBee. Exe. Friendly AppName

Value

SaltyBee

Entry last modified

01.10.2012,05:02

Error seventy

25

Error descrip bon

MRU and other history data

Fie reference

D:\CEH-T30lsV5altyBee.Exe

ReasDn for detection Invalid file refer ence Tags Key /

Entry's name

Entry last modified Errcr severity

Value

Error desenpton

□ Q I n v a l i d f ile or d ir e c t o r y r e f e r e n c e □ HCCR\ ®

71 —

C:\Wi1 dows\Installer tallerYJAC76BA8 YJAC76BA820.09.2012, 07 :%

Fie or drectory C: C:\Wmdows\Installer',{AC76BA86-7AD7-1033-7B44-A95000000001>\XFDFFieJ

□ HtCR\ E:\Applicali Applicali0ns Intel_mul6-
NRU and other htst
□ HKG^C:VJsers\Admir Firefox

MRU and other hist( C:\Users\Administratorpesktopî \Administratorpesktopîrefox refox Setup 15.0. 15.0. l.exe

01.10.2012, 01.10.2012, 05:02

MRU and other hist( C:VJsers\Administratorpesktopîref 6x Setup 15.0. l.exe

□ HKCR^C: VJsers\Admir Mozilla

01.10.2012, 05:02

□ «< ? E:\Applications Firefox

01.10.2012, 05:02

25%

MRU and other hist« E:\Applications \AppliationsV=iref 6x Setup 9.0. Lexe

□ HKCRÊ:\Applications Mozilla

01.10.2012, 05:02

25%

MRU and other hish E:\Appiications \Applicationsîrefox Setup 9.0. Lexe

□ HKCR^C:\Program \Program File File Atelie Atelie Web Re mote Commander 01.10.2012, 05:02

25%

MRU and other hist( CiVôgram CiVôgr am Files (x 86)\Atelier Web Remote Commander Pro\awrcp.exe

□ HKCR^ C: \Program FileAtelieW eb Software

25%

MRU and other hist( CrVôgram Files (x 86)\Atelier WebVêmote Commander Pro\awrcp.exe

01.10.2012, 05:02

I KC R^ D:\CEH-Tools\S SaltyBee

01.10.2012,05:02 | other Ns& C: YJsers \Adm \Admm1stra tor downloa ds V.ostD00r_v 6\SaltyBee.Exe

□ HKCR\C:\Users\A HKCR\C:\Users\Admir dmirSaltyBee

01.10.2012, 01.10.2012, 05:02

25%

MRU and

□ HKCR\ D:\CEH-Tools\Cwireshark-win32-1.4.2.exe

01.10.2012, 05:02

25%

MRU and other hist(D:\CEH-T D:\CEH-T00ls\CEHv8 Module 10 Denial of Servi ce \Wireshark\w1reshark-vwn32-l. other hist( C:\Users\Admm1stratorpownloads\vs_premium.exe

□ HKCf^ C:\Users\AdmirMicrosoft Visual Studio Premium 0 1.10.2012, 05:02

25 %

MRU and

□ HKCR \C:\Users\Admir Microsoft Corporation

01.10.2012, 05:02

25%

MRU and

other hist(C: VJsers \Adm \Admm1stratordownloads\vs jxemium.exe

□ HKOA E:\A E:\Appl ppl1cations Intel.multiêvlce_A09_R30799 01.10.2012, 05:02 05:02

25 %

MRU and

other hist( E: \Appl1cabons^)ell j4028r lpisplay\Intel_multi-device_A09_R307992.exe

□ HKCU^C:\Users\AdmirFirefox

6%

MRU and

<

01.10.2012, 05:02 III

1

other hist( GVUsersVAdmmistratorVDesktopîrefox setup 15.0. l.ex e

Custom fix...

>

|f

Fix

Delete

Oose

J

Selected: 0, highlighted: 1 total: 1492

FIGURE 6.53: 6.53: j v l 6 PowerTo ols 2012 -Registry Cleaner

Module 06 Page 958




-X R egistry egistr y Entry Entry M onitoring onit oring To Tool ol:: PC Tools Tools Registry Registr y ^ M e c h a n ic Source: http://www.pctools.com PC Tools Registry Mechanic is an advanced registry cleaner that scans the registry values for suspicious entries created by Trojan infections. It fixes the Windows error and improves your system speed and maximizes software performance. It cleans up your system and secures your personal privacy. It keeps all your Internet and PC activities private and erases sensitive information permanently.

Module 06 Page 959




PC Tools | Registr y Mechanic

PC Tools | Regi str y Mechanic

FIGURE 6.54: 6.54: PC Tools Registry Registry Me chanic Tool Screenshot

Module 06 Page 960




R eg istry E ntry M onitoring To Tool olss 5

Reg Organizer Organizer

http://www.ch chemtable le.com

1

Irnm

Registry Shower

1____j ____j

http://www.devicelock.com

Comodo Cloud Scanner S canner

SpyM e Tools Tools

http://www.lcibrossolutions.com

htp://www.comodo.com

Buster Sandbox Analyzer

http://bsa.isoftware.nl

Regshot

http://regshot.sourceforge.net

&

All-Seeing Eyes

La\

http://www.fortego.com

MJ Registry Registry Watcher Wat cher

http tp://www.jacobsm.com

Active Registry M onitor

http://www.registryshower.com

I

CIE H

Registry Live Live Watch

http://leelusoft.blo logspot.in

& Copyright © by


R egistry egistr y Entry M onitoring onit oring Tools Tools In addition to jv l6 PowerT Pow erToo ools ls 2012 2012 - Registry Cleaner and PC Tools Registry Mechanic, there are many other tools that allow you to monitor registry entries and thus help detect Trojans installed, if any. A few of the registry entry monitoring tools that are mainly used for the purpose of cleaning the registry are listed as follows: 0

Reg Organizer available avail able at http://www.chemtable.com

0

Registry Registry Shower Showe r available at http://www.registryshower.com

0

Comodo Cloud Cloud Scanner Scann er available availab le at http://www.comodo.com

0

Buster Sandbox Analyzer available availab le at http://bsa.isoftware.nl

0

All-Seeing All-Seeing Eyes available availa ble at http://www.fortego.com

0

MJ Registr Registry y Watch Wa tcher er available at http://www.jacobsm.com

0

Active Registry Registry Monitor Moni tor available at http://www.devicelock.com

0

SpyMe Spy Me Tools Tools available at http://www.lcibrossolutions.com

0

Regshot available availa ble at http://regshot.sourceforge.net

0

Registry Registry Live Watch Wa tch available at http://leelusoft.blogspot.in

Module 06 Page 961




Scanning fo forr Suspicious Suspicious Dev ice Drivers

CEH

Trojan Device Driver

Scann ing for f or Suspicious Dev ice Drivers When device drivers are downloaded from various sources that are not trustworthy Trojans may also get installed on the system. Trojans use these devices as covers to hide but by using device driver monitoring tools, we can identify if there is any Trojan present. Trojans are installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection. Scan for suspicious device drivers and verify if they are genuine and downloaded from the publisher's original site.

Module 06 Page 962




Trojan Device Driver

cdrom.sys

Systeminformation M. M* *• . H■* Sy1t*nSt m vr 2 P«e>jrc*< ■[OTpcnwa - ScftHft Emvcmot Emvcmot Emorm tnl ViTMbkt

*P* i:p*x *rpoagr

Nrt*Cft C&vyflore

S4rac« Program V->up* *o?•m, OU R*9«tfJbCf• Wntort Iror *♦pertryj

*IptfKl

.jpUO •ncfca •1
Ovrrptor 3 W O KI CompInn*Hc« Jwif* W»Cf040«ACHCfMf MKTCfOdACUfcl OriVCf ACft Procvtt cr Aggr Aggr«o «o*or.. ACMfowt r Meter Dretr ACMWj kt AlwmCfr.t f adit «dâ *dptfca •dpotTO Xn ll«1j fuir to Clr.tr (0«._ H « ACf Br Brt f«cr 1M) Ki PtMM W Dnnr AN©►r®l«»»o»Dirr*' Dirr *' *f lxSuU *nvlibt

cyandowsMwsMc\*«nd0 c\*«nd0 * \*.c\w«t40wf\c.. CAwnaows'i.. c\v«ndowfi.c \ma40w*\sCVwtfowiUcWwviows's c\wan40wf\s~ e\w1ndow»\»~ rvw*«40v<\< CVnntowfS*.. c\v»ndcm\srVwmdowtH rVwmdowtH c\*nntfow»\» e\*m4av%\*

mo □ u » rf

<«Ug«ryOn*,

O

Tyr* M nH D rw rw i KcmHOnrfr K«mt<0*r.*r t<0*r .*r KcmH Dm t Ktmri Drwtr

Kemtl Dover K*»nrt Dnrff Kamri 0 « K«mrl O w KtmH Dnrft r#mMPm*( KimHOn■*• KtmH O rw rw K«m«l D*w* Ktrnr Ktrnri Otne n et K«mri Orw K«Ml Brt*

* NO NO VK m No No NO m No NO NO V»» NO No No NO No

v

UOM’ Wd

Go to Run > Type m s in f032

^ Software Environment > System Drivers Drivers

Attacker

FIGURE 6.55: Scanning for Suspicious Device Drivers

Module 06 Page 963




Device Drivers M onitoring onitoring Tool: DriverView J

CEH

DriverV iew utility displays the list of all all devic e dri vers currently loaded on system. For each driver in the list, list, additional information is displayed such as load address of the driver, description, version, product name, company that created the driver, etc.

DnverView

L

File Edit View Options Help fa eg •3J 8

d cdd.dti 9 TSDDDdll # winJ2k.sys 9 pa1sthtupe11e1.1ys ® vhdparsei.sys ® atyncmac syt » W PR0.4 IJ001 .jyj * wv.iyi yi ♦ srv2.syt ♦ vhdmp.tyl • Fj0epend1.sy* « > * 9•*(* ♦ wvneUys

■> d ' pdi.tyi » np npf.eyt O NIProbeMenvSYS O WnVDfdrvG.tys * HTTP.syt <>lunparsei.sy sys 3 eondrvsys # storpott.jys ys # WmVDEdrv.sys mrjsmbiOiVj

Address 0005X00X St-9000 000:0000X-ff 00X-ffOX OX 0000x 000P09000 000X 0X00000162000 0000x 0016»»00 0016»»00 0000x 00 t?t9 t?t90 000 0005X00 69DO 69 DOOOO 000x100016901000 0000x0016933000 0000X001& 01&9W000 000X000 16812000 000:000016900000 oooooootsfqooo

0000X001if9K)00 B»»W B»»W)' )'JI J IMOOO M OOO 000X000 1MUOOO 000X0001M 01MS7000 0000X00'5r4800C 0000X00'5r4800C 0000x0015H9000 0000X001£38000 000X000OICOOX 000x 000 isrooooo 0000X0015WEM0 000x0001 0 £0 0 0000x 001>D2yox

See tkOXttWOC CkOXJbOOC 010X09000 ChQXXtoOP1} (MnaOaOOG (kOCOOcOOO CttX tXOOcOOC

Load2 1 1 5 1 1 1 1 1 UOOOMOOO 1 o>axaoooc 1 0100012000 2 * 00012000 j (WXOCfcOOO 1 O0OOJ1OOO 1 ftOWPcttH 1 04000000 1 * 0000000 04X0*1000 1 OkOXCMOO 1 1vy x
Inc* 12s 124 123 2 1Si •*? 14S 147 146 145 151 150 142 141 140 l» 117 136 IB 114 154 143 " 144 ■

file Type Dnvt Dnvtf Disp s play[>wf 0!5ptoy Driver System D1r»«r System 0r1 0r1*e SystemOliver Net*orlrOliv iver Unknown f*et*cA01 »« NetworfcD1 ve» Syltern Dimt Viter t er Differ Applic ication NatAOfliOiivef V,• *>*r $y*em DrNtr Unknown Syitcm Syit cm 011v® System Ol Oliver V/flnr nr• Oliv iver Sytttm Diver Unknown S.-U0T!Oliver

Desciip&on W1ndc«5NTOpe 5NTOpenType/Type1... CanonicalDisplay Driver Framebuffe f er Deploy Driver Multi-UserWin32Orrvw Pass thru parser Native VUG palter MSRemoteAccess serialnetwor... ..

Version S.1. 1& . 234 6 .2.84000 6.2.840010 62.84000 62.840010 6? 84000 6? 04000

Strvtf dnvtt 5mt»2.0Se 0Serverdrivn WD Miniport Dover FikSytfemDependencyManag... TCP/IP Registry stryCompatibility0... S«rv«t Netwoik On. MHnmnn tICURITV D>k w M.c osc« R Df Device !•director npf.ey .ey*(NTV6AM064)Kernel D... NiProbeMemfoeObserver Devie... e...

62.840010 02.64000 6.2.84000 62.8400.0 6.2. 2.84 840010 .. MOO. 4J.M.0 62.84000 41.0.2001 16.0 .0.8 .8.0 .0

HTTPProtocol Stic Stick lunparser ConsoleDriver Mkmoft Storage PortDrive ver ViiUmI Encryption Drive lonahoinSM8 2.0Redire rector

62.840010 62.84000 6.?.8400 0 6.2, 28 , 40010 7.0.0.0 62.8400.0

Company AdobeSystem™ Micr crosoft Corp.. oxoooxt. a MicrosoftCorp-. OXOOOXXMicrosoftCorp... OXOOOXCMicrosoft Corp... 0X000X1Micr crosoft Corp... .. 0X000X1.. MicrosoftCorp... 000000x 10X000X1MiCfOJOftCorp.. 0x000051Microsoft Corp... oxoooo:1MicrosoftCorp.. oxooox 1 Microioft Microio ft Corp... .. 0X00000-1 -1MkrosoftCorp... 0X00000-1Miti tiov ovoHCor Corp.. 0X000031M i iw w n C 0x00005 1.. Microsoft Corp.. 0X0000: 1CACI lochnoL. oxooox 1_ NetworkInsttu. 0X0000:110X000051Microi c roiol o lt Co Corp... 0X000031Microsoft Corp.. oxoooo: 1Microsoft Corp.. 0X00003 1.. Microsoft Coep... .. 00000003'1NewSoftwares.... 0X000031Microsoft Coro... 0X0000:

155 item(i), 1Selected 1 Selected

http://www.nirsoft.net Copyright © by EG-G*ancil. All Rights Reserved. Reproduc tion Is Strictly Prohibited.

D evice D rivers M onitoring Tool Tool:: DriverV DriverV iew Source: http://www.nirsoft.net The DriverView utility displays the entire currently loaded device drivers list in your system. Additional information is displayed for each and every driver in the list such as load address of the driver, description, version, product name, company that created the driver, etc. Instead of browsing for system components separately in Control Panel, just by running this application on your system you can easily know all the drivers on your system. This application displays the list of drivers that are on your system quickly and easily. It can create HTML reports.

Module 06 Page 964




35

DriverView

Fite

a

Edit 0

View

^

!

Options

Help

$

Driver Name * ATMF ATMFD. D.DLL DLL

Address 000C000000B69000

Index 125 124

File Type Driv Driver

* c dd dd.dll

OOOOOOOOOO8FFOOO

0x00036000

1

* TSD TSDDD.dll

00000000 00709000 OOOCOOOO'OOl62000

0x00009000 0x003ed000

Disp Displa lay Criver iver

Cano Canoni nica call Displa splay Driver

1 5

123

Fram Frameb ebufferDisp s playDriver

121

Disp s playCrive v er System Criver

OOOCOOOO'l69F3000 00

Mult Multii-User User Win32 Drive ver

6.2.8400.0

Micr Micros osof oftt Corp Corp... OOOOOOOO'O.,

OxOOOObOOO

1

153

System Criver

Pass thru pa parser

6.2.8400.0

^ vhdparser.sy vh dparser.sys

Microsoft Co Corp... 000000001..

00000000169E9000

OxOOOOaOOO

1

149

System Criver

N ative VHD parser

6.2.8400.0

^ asyncmac.sys

Microsoft Corp... 000000001..

OOOCOOOO'169DD000

OxOOOOcOOO

1

Network Driver

MS Remote Access Access serial ial networ. networ... .. 6.2.8400.0


* WPRO_41_2001.sys OOOCOOOO'l69D1000 ♦ s rv rv.sys OOOCOOOO'l6933000

OxOOOOcOOO 0x0009eOOO

1 1

Unknown Network Driver

Server driver

6.2.8400.0

000000001.. Microsoft Corp... 000000001.. M icrosoft Corp... 000000001..

♦ win32k.sys passthruparser.sys

Size 0x00060000

Load... 2

Description Wind Window ows s NT Open OpenType/ pe/Type 1...

Version 5.1.2.234 6.2.8400.0 6.2.8400.0

Company Adobe obe System stem.. ...

End A... OOOOOOOO'O..

Micr Micros osof oftt Corp Corp... 00000000 0.. = Micr Micros osof oft Corp... OOOOOOOO'O..

• s rv rv2.sys

OOOCOOOO'l6896000

0x0009d000

1

148 147 1-16 145

Network Driver

Smb 2.0 Server driver

6.2.8400.0

^ v hd hdmp.sys

OOOCOOOO'l6812000

0x00080000

1

151

System Criver

VHD M in iport Driver

6.2.8400.0

M icrosoft Corp... 000000001..

# FsDepends.sys

OOOCOOOO'16800000

0x00012000

2

150

Syst System Criv Criver

File File System stem Depe Dependency Mana Manag. g...

6.2.8400.0

Micr Micros osof oftt Corp Corp... 000000001..

^ tcpipreg preg.s .sys ys ® srvnet.sys

OOOCOOOO'15FE3000

0x00012000

1

142

Appl Applicat icatio ion

TCP/ TCP/IP IP Regi Registry stry Comp Compat atib ibil ilit ity D...

6.2.8400.0

Micr Micros osof oftt Corp Corp... 000000001..

OOOCOOOO'15F9F000

0x00044000

3

141

Net Network workDriver

Ser Server ver Net Network workdriver

6.2.8400.0

Micr Micros osof oftt Corp... 000000001..

£ secdrv.SYS S YS

OOOCOOOO'15F94000

OxOOOObOOO

1

140

System Cr Criver

Macr Macrov ovision o n SECURITY Dr Driver

4.3.86.0

Macr MacrovisionC...

♦ rdpdr.sys

OOOCOOOO'15F63000

0x00031000

1

139

Driver

Micr Microsof osoft RDP Device redirector

6.2.8400.0

Micr c rosof osoft Corp... 000000001..

^ npf.sys 1 NiPr NiProb obeM eMem em.S .SYS YS

OxOOOOcOOO OxOOOOfOOO

1 1

137 136

CACE Tech Techno nol. l... . . 000000001.. Netw Network ork Ins Instru... 000000001..

0x0002f000

1

* HTTP.sys

OOOCOOOO'l5E38 38000

OxOOOelOOO

1

135 134

System Criver Syst System Criver ver Unknown

npf.sy s ys (NT5/6 AMD64) Kernel D... 4.1.0.2001 NiPr NiProb obeM eMem em for for Observer rver Devi Devic. c... 16.0.8.0

^ WinVDEdrv6.sys

OOOCOOOO'15F57000 OOOCOOOO'15F48000 OOOCOOOO'l5F1 F19000

System Cri Crive v er

6.2.8400.0

Mic Microsoft Corp... 000000001..

000000001..

OOOOOOOO'I..

♦ lunparser.sys

OOOCOOOOl' 5EO EODOOO

OxOOOObOOO

1

154

System Criver

HTT HTTP Prot Protocol ocolStack lun parser

6.2.8400.0

Microsoft Corp... p... 000000001..

• condrv.sys

OOOCOOOO'l 5E00000

OxOOOOdOOO

1

143

System Criver

Console Driver

6.2.8400.0


^ storport.sys

OOOCOOOO'l5D9E000

0x00054000

1

System Criver

OOOCOOOO'l5D5EOOO OOOCOOOO'l5D25000

0x00040000 0x00039000

1 1

Micros Microsoft oft Stora Storage Port Port Driv Driver er Virtual Enc Encryption Driver Lono Lonoho horn rn SMB 2.0Redire rector ctor

6.2.8400.0

♦ WinVDEdrv.sys ♦ mrxsmb20.svs

152 144 133

Micros Microsof oftt Corp. orp... 000000001.. NewSoftwares.... 000000001.. Micr Micros osof oftt Coro Coro.. ... (XXXXXXX) 1.. v

Unknown Svst Svstem Criver iver

7.0.0.0 6.2.8400.0

155 item(s), 1Selected

FIGURE 6.56: DriverView Screenshot

Module 06 Page 965




Device De vice D rivers M on onitoring itoring To Tool olss i

jnj jnj

■

\

Driver Reviver

Driver Detective

http://www.dri\/ershq.com

V

^

Unknown Device Device Identifier

htp://www.zhangduo.com

(v

http://www.reviversoft.com

1

DriverScanner

_•

DriverGuide Toolkit Toolkit

y y

H

,

DriverMax

http://www.uniblue.com

Double Driver

http://www.driverguidetoolkit.com

http://www.innovative-sol.com

CEH

http://www.boozet.org

BBB

□□

Driver Magician

My Drivers

htp://www.zhangduo.com

DriverEasy

http://www.dri\/ermagician.com

http://www.drivereasy.com

Copyright © by EG-G*ancil. All Rights Reserved. Reproduc tion Is Strictly Prohibited.

D evice evic e D rivers ri vers M onitoring onit oring Tools Tools A few of the device driver monitoring tools that help in detecting Trojans are listed as follows: 0

Driver Detective available at http://www.drivershq.com

0

Unknown Device Identifier available at http://www.zhangduo.com

0

DriverGuide Toolkit available at http://www.driverguidetoolkit.com

0

DriverMax available at http://www.innovative-sol.com

0

Driver Magician available at http://www.drivermagician.com

0

Driver Reviver available at http://www.reviversoft.com

0

DriverScanner available at http://www.uniblue.com

0

Double Driver available availab le at http://www.boozet.org

0

My Drivers Drivers available at http://www.zhangduo.com

0

DriverEasy available at http://www.drivereasv.com

Module 06 Page 966




Scan Scann ning for Suspicious W i n d o w s Ser Services

Trojans spawn Windows services allow attackers remote control to the victim machine and pass malicious instructions Trojans Trojans rename their the ir processes to look like a genuine Windows service in order to avoid detection Enterprise Enterprise Service ce Manager

1r p.. CAV/1 OJ fm 5a (?(WIO (?(WIOfTfO.. tlccsJ.. tlccsJ... Rum.. c m . . OJ *rev** FartC«*1« 5a e:\w1 A / Wn Wn jc i a Ft Ftearhlnn Fo
<• ! *J 0J £'
L^_

x

S wip T jp o

A

Automatic M Automatic Automatic Manu5l Manual Automatic Manual Automatic 61l1m.hr

I-M55ELCK.4K41

J

Trojans Trojans employ employ rootkit techniques to manipulate HKEY_LOCAL_MACHINE\System\CurrentControlSet \Services registry keys to hide its processes

V

1 ar6/a


S c a n n i n g f o r S u s p i c io i o u s W i n d o w s S e r v ic ic e s w

O n c e th th e T r o j a n s a r e i n s ta t a l l e d o n W i n d o w s s e r v i c es es , i t b e c o m e s e a s y f o r a n a t t a c k e r to operate the system from a remote location. Trojans also create their processes to look like g e n u i n e W i n d o w s s e r v ic ic e s in in o r d e r t o a v o i d d e t e c t i o n . W i t h t h e h e lp l p o f W i n d o w s s e rv rv ic ic e s monitoring tools, you can detect the Trojans. T r o ja j a n s t h a t s p a w n W i n d o w s s e r vi v i ce c e s a l lo lo w a t t a c k e r s r e m o t e c o n t r o l t o t h e t a r g e t m a c h i n e a n d pass malicious instructions. Trojans rename their processes to look like a genuine Windows service

in

order

to

avoid

detection.

Trojans

employ

rootkit

techniques

HKEY_LO EY_LOC CAL_MA L_MACHI NE\ Syst Syst em\ Cur r ent ent Cont ont r ol Set Set \ Ser Ser vi ces r egi egi st r y

to

manipulate

keys t o h i d e t h e i r

processes.

Module 06 Page 967




Enterprise Service Manager F ile V ie wA c tio n H e lp S e rv ic eT y p e • R e g u la r

riv e rs C A ll C D

D is p la yN a m e

R e fre s h

D e s c rip tio n

Select Sel ect a workstation
C o m p u te r S ta tu s

E x te n s ib le A u th e n tic a tio n ... @ % s y s te m r o ... < L o c a l. .. S to p ...

P a th

S ta rtu pT y p e

C A W i...

M a n u a l

U #E n c ry p tin gF ile S y s te m ( E ... @ % S y s te m R ... < L o c a l... R u n n ... C A W i... A u to m a tic < L o c a l...

1iys1d!1st29 ft? W in d o w sE v e n tL o g C 0 M + E v e n tS y s te m

R u n n ... C A P r ...

A u to m a tic A u to m a tic

F u n c tio nD is c o v e r yP r o v i... @ % s y s te m r o ... < L o c a l. .. S to p ...

C A W i...

M a n u a l

C A W i...

M a n u a l

@ % s y s te m ro ... < L o c a l... R u n n ... C A W i...

d# W in d o w sP re s e n ta tio nF o ... @ % S y s te m R ... < L o c a l... S to p ... M ic r o s o ftF T P S e r v ic e

@ % w in d ir % V ..

Rrni in Pnlirit Plipnr

1 S 9S e rv ic e s

I ----1

p

@ % S y s te m R ... < L o c a l. .. R u n n ... C A W i... A u to m a tic @ c o m r e s .d ll,... < L o c a l. .. R u n n ... C A W i...

ft? F u n c tio nD is c o v e ryR e s o ... @ % s y s te m r o ... < L o c a l. .. S to p ...

Qkf W in d o w sF o n tC a c h eS e r ...

A

1C o m p u te r(s )

C A W i...

< L o c a l. .. R u n n ... C A W i...

1n r ^ l A d m in is tra to r

1

R in n

r \w !

A u to m a tic M a n u a l A u to m a tic

1

A tfnmslir

W IN -M S S E L C K 4 K 4 1

V

1 0 /6 /2 ^

FIGURE 6.57: 6.57: Scanning Scanning for Suspicious Window s Services

Module 06 Page 968




W i n d o w s S e r v i c e s M o n i t o r i n g T oo o o l: l: W in d ow s S e rv ic e M a n a g e r^ S r v M k n ) W i n d o w s S e r v ic ic e M a n a g e r s i m p l i f ie ie s a l l c o m m o n t a s ks ks r e la la t e d t o W i n d o w s s e r v i c e s . I t c a n c re re a t e s e r v ic ic e s ( b o t h W i n 3 2 a n d L e g a c y D r iv iv e r ) w i t h o u t r e s t a r t i n g W i n d o w s , d e l e t e e x i s t in in g s e r v i c e s , a n d c h a n g e s e r v i c e c o n f i g u r a t i o n

© File

Service Manage: View

Service

Help

I rtrt cm cmo lna rrrrc St ol e P^DM SysA... step e pped runring K w tunning . v> v> C5 C5 N5 N5P D . st epped >*>C *>CSM5PD.. runr runrin ing g C5Ndi5LVF stepped $ DcomL DcomLau au.. .. runr runrin ing g defragsv c stepped 3 De i/ fc fc eA eAi st epped | Dc/colr Dc/colro... o... stepped l unrino &Dfs runring 0 Df tc O Df sDi iv oi r un un riri ng ng DFSR runring fT)Df«r10 r un un ririn g mnrino # Dhcp Dhcp runring dijoocho tunring ^ disk stepped dmv*c Druoack© runring stepped 9 doOsvc doOsvc runring & OPS

Type

Win32 dnvei ?hared dr ive! drive! dnvet ?hared wr!32 th ha a re re d *hared wn32 FSdav« FS d riri ver wr>32 FS d ririver th ha a re re d drvot drvoi dr v* t t harod i lili ae ae d , h« h« .d .d

Ci;plcy r a r e CON-► S^ t enApof cabun Confole Dn Dn / « Cryptogiophic Servces C SN5 HZ HZ TS TS8 2N DI S Ptyoca D«ver ver CSNE CSNEFD FDTS TSCa Cac^ c^ VOS VOS Vetoed Vetoed Dt v <* C$ Nd sL sLV » »ff HD HD1S P wt wt cc cc o D t ^ f DCOM Serv Server er ^ccett Lau Laurc rchy hy Optimzc m zc di/e j D ev ev ic eA ss ss ac ac ia kr kr ! S er er ve ve • D c v c c h i t a l Servce DFS Noi 1e:w-e DFS Nanet p-K * Chent L rv* D rS rS N am ame«pa~o $ o \«1 \«1 Fllei 0 DFS Rap lk alan DrS Flcplcabcr RcocC rf> Dtvct DHCP Cl Cl er er i S y t to n A t i r b jto Ca Cac to Disk Driver d rvsc DNS C iori W iedA u utt oC oC on on ffg g DiagrcRbc Poley Ser\»c#

Sta-t type n am d na nod 00(0 tyrterr tyrterr :yjtem i vs vs te te rrrr auto uto nonod nanu^l no nod 0U0 0U0 tyckrr : * MilO bcc» *.to t y j k xx beet aeto rwnod *. «

Executable C:\' VinC >C5N5FDT 5FDTS8Z syt syt J Sy3tem Sy3tem32\Driv Drivcr»'1C cr»'1CSNEFD SNEFDT SS2<64 2<64. ays Ss 1sem. 32\ Dr iver s\ C$NdsL' VF. sys C:\VV :\VV1n\dijk. jys 'Sys1arFeor\Sy8te1n32'1e»11/ers\dmvJCsy* C:\Windcvt e\#>ete1r132UvchMt e «0 kMelwor... CA'Windcw5\iy5len132\jV'ch0it exe •k LocolS .. C\\W1n
h ttp://tools.sysprogs. org Copyright Copyright © by EG-Gouncil. All Rights Jteseivfed'.;Reproduction is Strictly Prohibited.

W i n d o w s S e r v i c e s M o n i t o r i n g T oo o o l: l: W i n d o w s S e r v i c e M a n a g e r (S ( S rv rv M a n ) Source: h t t p : / / t o o l s . s y s p r o g s . o r g Windows Service Manager is a tool that allows you to shorten all public tasks linked to Windows services. This can generate different services for Win32 and Legacy drivers without shutting down and restarting Windows. It can also cancel existing services and manipulate other configuration services. It has both GUI and ccommand-line modes. It can also be used to r u n a r b i t r a r y W i n 3 2 a p p l i c a t i o n s as as se se r vvii c es es . I t s u p p o r t s a llll m o d e r n 3 2 - b i t a n d 6 4 - b i t v e r s i o n s o f Windows.

Module 06 Page 969



File

View

Service

Internal name ,^)COMSysA... condrv $ CryptS CryptSvc V C S N 5 P 0 ... ,>CSN5PD. ,>CSN5PD.... - >C >C sN sN di di sL sL WF WF $ DcomLau. .... defragsvc Devi DeviceAs c eAs.. .... Devicelns... ^>Dfs O ^ f s D riri v er er •\fcDFSR ^ )D )D I sr sr R o $ Dh D hcp d iscache ^ di i^disk dmvsc Dnscache 3 dot3svc dot3svc £ DPS DPS


Help State stopped running lunning st o op pped lun lunning ing st o op pped runni ng ng stopped stop topped stopped running lunning lunni ng ng lunning lunning lunning tunning tunning stopped running stopped lunning

Type Win32 driver shared di iv ei ei drive iver dri ve ver shai ed ed Win32 shai shaied shaied Win32 FS diivei FS di di iv ei ei Win32 FS diivei shaied driver driver driver shared shared shared

Display name C 0M 0M + System Ap pl pl icat ion Console Dr Driver Cryptographic Services CSN5PDTS82 N DI DIS P ro rot o occol D riri ve ver CSN5 CSN5PD PDT TS82x S82x64 64 NDIS NDIS Pro Protoco tocoll Dri Driver CsNdi sL sLWF NDIS Pr ot ot o occol Dri ve ver DCOM Server Process L au auncher Optimize dr drives Device Association Service Device Install Service DFS Namespace DFS Namespace Client Driver DFS Na Na me mespace Se Serv er er Fi Filter Dri ve ver DFS Re Replication DFS Replicat ion Readonly Driver DHCP Client System Attribute Ca Cache Disk Driver dmvsc DNS Cl Client Wired AutoConfig Diagnostic Policy Service

Properties...

]

|

Start service servi ce

Add service

]

|

Delete service

Start type manual manual auto system system tem system aut o manual manu manual al manual aut o system system auto boot auto auto system boot manual auto manual auto

Executable C: \ W Wii nd ndo ws ws \s \s ys ys te tem32\ d dll lhos t.t. exe / Pr Pro ce ce ss ss id id . System32\drivers\condtv. sy sys C:\Windows\system32\svchost.exe •kNetwor... Sy st st e em m32\ Driv er er s\ s\ CS CSN5PD TS82. sy sys Syste ystem m32\D 32\Dri rivers v ers\C \CSN SN5P 5PDT DTS8 S82x 2x6 64.sy 4.syss Sys te te m3 m32\ Dr Drivers\ Cs Cs Nd Ndi sL sLWF. sy sys C :\:\ W Wii nd nd ow ow s\ s\s ys ys te tem3 2\ 2\ sv sv ch ch os os t.t. e exx e • k D co co mL mL .... C:\Windows\system32\svchost.exe •k • k de defiag... C:\Win C:\Windo dows\s ws\syst ystem3 em32\s 2\svch vchost ost.ex .exe e •k •k Loc Local alS... S ... C:\Windows\system32\svchost.exe •k DcomL... C: \\W W in in do do ws ws \s \s ys ys te tem 32 32 \d \d fssvc. ex exe System32\D river$\dfsc. sys s ys yst e em m32\ d drri ve vers\ d dff s. s. sys C: \Windows\system32\D FSR s. exe \Syst em emRoot\system32\ d1 d1ivers\ df dfsrro.sys C:\W C:\Win indo dows\ ws\sy syst stem em32 32\s \svc vcho host st.e .exe xe •k Loca LocalS lS.. .... System32\d1ive1s\discache. sys \SystemR00t\System32\drivers\disk.sys \SystemR00t\System32\drivers\dmvsc sys C:\Windows\system32\svchost.exe •k •k Networ C:\Windows\system32\svchost.exe •k LocalS... C:\W1ndows\System32Vsvchost C:\W1ndows\System32Vsvchost exe •k Local.. |

__ __ __ __ __ __ _

]

A

V

Restart service [__________________Exit

FIGURE 6.58: Windows Service Manager (SrvMan) Tool Screenshot

Module 06 Page 970




W i n d o w s Services Monitoring Monitoring Tools o

SMART Utility

AnVir Task Manager

i

http://www . http://www . thewindowsclub.com

CEH

http://www.anvW. com

Netwrix Service Service Mo nitor

Process Hacker

h t t p : / / w w w . netwrix.com . netwrix.com

http://processhacker.s http://processhacker.sourceforge.net ourceforge.net

Free Windows Service

Vista Services Optimizer

Monitor Tool

http://www.smartpcutilities.com

http://www.manageengine.com

ServiWin

E

h t t p : / / w w w . nirsoft.net . nirsoft.net

Windows Service Service M anager

55

Overseer Network Monitor http://www.overseer-network-monitor.com

Total Total Network Monitor

Tray

http://www.softin\/enti\/e.com

http://winservicemanager.codeplex.com


f

B

W i n d o w s S e r v ic i c e s M o n i t o r i n g T o o ls ls Windows Services monitoring tools monitor critical Windows services and optionally

restart them

a f t e r f a ili l u re r e . A f e w o f th t h e W i n d o w s s e rv r v ic i c e m o n i t o r i n g t o o l s t h a t a r e r e a d i ly ly

available in the market are listed as follows: 0

S m a r t U t i l i t y a v a i l ab ab l e a t h t t p : / / w w w . t h e w i n d o w s c l u b . c o m

0

N e t w r i x S e rv rv i ce ce M o n i t o r a v a i l ab ab l e a t h t t p : / / w w w . n e t w r i x . c o m

0

V i s t a S e r v ic ic e s O p t i m i z e r a v a i l a b l e a t h t t p : / / w w w . s m a r t p c u t i l i t i e s . c o m

0

S e r v i W i n a v a i l a bl bl e a t h t t p : / / w w w . n i r s o f t . n e t

0

W i n d o w s S er er v ic ic e M a n a g e r T r a y a v a i l a bl bl e a t h t t p : / / w i n s e r v i c e m a n a g e r . c o d e p l e x . c o m

©

AnV ir Task M ana ger available at h t t p : / / w w w . a n v i r . c o m

0

P r o ce ce s s H a c k e r a v a i l a b l e a t h t t p : / / p r o c e s s h a c k e r . s o u r c e f o r g e . n e t

0

F re re e W i n d o w s S er e r v ic ic e M o n i t o r T o o l a v a i l ab ab l e a t h t t p : / / w w w . m a n a g e e n g i n e . c o m

0

O v e r s e er e r N e t w o r k M o n i t o r a v a ilil a bl bl e a t h t t p : / / w w w . o v e r s e e r - n e t w o r k - m o n i t o r . c o m

0

T o t al a l N e t w o r k M o n i t o r a v a ili l a bl bl e a t h t t p : / / w w w . s o f t i n v e n t i v e . c o m

Module 06 Page 971




C EH

Check start up folder C :\ProgramData\Microsoft :\ProgramData\Microsoft \Windows\Start Menu\Programs'^Star tup C:\Users\(User Nam e)\ AppDa ta\R oami ng\ Micr oso ft\ Win dow s\S tart Menu\Programs'^Star tup

Check start up program

©

entries in the registry Details are covered in next slide

Check Check Windo ws services services

Check Check de vice drivers

automatic started

automatically loaded

Go to Run

C: \ Wi ndow ndows\ Syst em 32\ dr i ver s

Type services.m sc

-> Sort by Startup Type

Check boo boott , i ni or bed ( boot bootm mgr) gr) entri tri es


S c a n n i n g f o r S u s p i c io i o u s S t ar a r tu tu p P r o g r a m s Trojans,

once

installed

on

the

computer,

start

automatically

at

system

startup.

T h e r e f o r e , s c a n n in in g f o r s u s p i c i ou o u s s t a r t u p p r o g r a m s i s v e r y e s s e n t ia ia l f o r d e t e c t i n g T r o j a n s . B y f o l l o w i n g t h e s e s i m p l e s t e p s, s, y o u c a n i d e n t i f y i f th t h e r e a r e a n y h i d d e n T r o j a n s: s:

Step 1: C h e c k t h e S t a r t u p f o l d e r

C: \ Prog Pr ogrr amDat a\ Mi cr osof osof t \ Wi ndows\ St ar t Menu enu\ Pr ogr ogr ams\ St art ar t up C: \ Users\ ser s\ ( User ser - Name) \ AppDat a\ Roami ng\ Mi cr osof osof t : \ Wi ndows\ St art Menu\ enu\ Pr ogr ogr ams\ St ar t up ec k W i n d o w s s e rv r v ic ic e s a u t o m a t i c s t a r t e d Step 2: C h ec G o t o Run, t y p e s e r v i c e s . m s c , a n d c l i c k Sort by Startup Type ry Step 3: C h e cckk s t a r t u p p r o g r a m e n t r i e s i n t h e r e g i s t ry rs a r e a u t o m a t i c a l l y l o a d e d : Step 4: C h e c k t h a t d e v i c e d r i v e rs

C: \ Wi ndow ndows\ Syst em32\ dr i ver ver s Check

ie s boot oot . i ni o r bed ( b o o t m g r ) e n t r ie

Module 06 Page 972




Windows 8 Startup Startup Registr Registry y Entries HKLM\ SOFTWARE\ Mi cr osof t \ Wi ndow ndows\ Curr entVers i on\ Expl or er\ Shel Shel l

Explorer Startup Setting

HKCU\ Sof Sof t ware\Mi are\Mi crosoft \ Wi ndow ndows\ Curr ent ent Ver si on\ on\ Expl Expl orer\ Shel hel l

Fol Fol ders,

ithi ul •UtkM

Cogniti on Start. up

HKLM\ SOFTWARE\ Mi cr osof t \ Wi ndow ndows\ Curr entVers i on\ Expl Expl orer \ User Shel Shel l Fol Fol ders ders ,

Common Star t up

Start up

HKCU\ Sof Sof t ware\Mi are\Mi crosoft \ Wi ndow ndows\ CurrentVers urrentVers i on\ on\ Expl xpl orer\ User She Shel l Fol Fol ders, HKCU\ Sof Sof t ware\ Mi cr osof t \ Wi ndow ndows NT\ Curr ent ent Versi on\ on\ Wi ndow ndows,

Windows Startup Setting

Fol ders ders ,

CEH (•rtifwd

Star tup

l oad oad

HKLM\ SOFTWARE\ Mi cr osof t \ Wi ndow ndows\ Curr entVers i on\ Run HKCU\ Sof Sof t ware\ Mi cr osoft \ Wi ndow ndows\ Curr ent ent Versi on\Run HKLM\ SOFTWARE\ Mi cr osof t \ Wi ndow ndows\ Cur r entVersi on\ RunO RunOnce HKCU\ Sof Sof t ware\ Mi cr osoft \ Wi ndow ndows\ Curr ent ent Versi on\ on\ RunO unOnce

HKCU\ Sof Sof t ware\Mi are\Mi crosof t\ I nternet nternet Expl Expl orer\ Url Search SearchH Hooks ooks

IE

Startup Setting

HKLM KLM\ SOFTWARE\ Mi cr osof t \ I nter net net Expl Expl orer \ Tool Tool bar bar HKLM\ SOFTWARE\ Mi cr osof t Mnter net net Expl Expl orer \ Ext Ext ensi ensi ons ons HKCU\ SOFTWARE\ Mi cr osof t \ I nter net Expl Expl or er \ MenuE enuExt xt

P r o g ra ra m s t h a t r u n o n W i n d o w s s t a r t u p c a n b e l o c a te te d i n t h e s e r e g i s t r y e n t ri ri e s

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

W i n d o w s 8 S t a rt r t u p R e g i s t r y E n t ri ri e s P r o g r a m s t h a t r u n o n W i n d o w s s t a r t u p c a n be be l o c a t e d i n t h e s e r e g i s t r y e n t ri ri e s :

HKLM\SOFTWARE\Microsoft\windows\Currentversion\Explorer\Shell Folders, Common startup

Explorer Startup Setting

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup HKCU\So ftware\Mi crosoft\Wind ows\CurrentV ersion\Explo rer\Shel1 Folders, Folders, Startup HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup HKCU\Software\Micro soft\Windows NT\CurrentVerslon\Windows, load

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows Startup Setting

HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\ Sof Sof t ware\ Mi crosof t \ I nternet nternet Expl Expl orer\ Ur l SearchH earchHoo ook3 k3

IE Startup Setting

HKLM\ S0FTW S0FTWARE\ ARE\ Mi cr o3of o3of t \ I nter net net Expl Expl orer \ Tool Tool bar bar HKLM\ SOFTWARE\ RE\ Mi cr osof t Mnt ernet Expl Expl orer \ Extensi Extensi ons ons HKCU KCU\ SOFTWARE\ ARE\ Mi cr osof t \ I nt ernet Expl or er \ MenuE enuExt xt

FIGU FIGURE RE 6.59: W indow s8 S tartup Registry Entries Entries

Module 06 Page 973




Startup Pro Pr o g r a ms Monitoring Tool: Starter

CEH

Starter is a startup manager for Microsoft Windows It allows you to view and manage all the programs that are starting automatically whenever OS is loading

File Edit C cn f.guiaton H elp a a a Edit :]rr* " ^Processes |

ections S B tf % All sections(18) 1 jU Startup folden(l) folden(l) Current user g i Allu1*»<1) £* Default user J0 Regiiby iiby (17 17) & Current user(7) J# Run (61 M RunOnce(I) 3 l i Alluwu(IO) H Run(9] j$ RunOnce 3 RunOnceE... H RunServicei 3 RunServic*.. 9 t? Drfaultuser 3 Run 3 RunOnc* I 3 1N1 files

1

Starter(Server4.0)

ra

0 3 ♦ J R efresh1 La□ unch Properti ties Cpboni Abcut

/72m

Seiv Seivii

Vaie (3 tf APC (3* EPSON UD STARE □ i r FlBacleup 9009 9009 lataH ataHi (3 GTWhois •St rronimgr 1nS.na (3 [3 U I Sn:gi: 10.Ink [3 ivcnM ivc nM 0 Title itle (3 Unin-taII C:\Uvc , a r a WinFL inFLTray Tray

(3

Eratt..

^ M a w S iB iRegistry B a-User B Run

C\Program Files les «36.Ad. a ce: Pa renal Control B_ GJ>rog1 GJ>rog1am Filet U36 U3611\M .ancedPa cnul Contf 0l\B_ CAProgram Fie* (r36)\PC Dwe n MeadOujrt cn' D v. 'C:\Progfam Fi*t U96&\Auto Tr* J.*»'dULw•' C:\Progr«mEtles(r96J\Ekom^ctTPasswordRecovery.. C:\Prog1 C:\Prog1amFS« u & '.EVfT.EMfT nctifie «■* ‘CAPtogram fi n (4t*IPSO N P.c|«tor\lPSON US . 6)'.NewvScftware t\f eiderLodcsfC^Program Files (rt (rt6 C:VProqam Edet Tarfk'googlet . G\Program G\Pr ogram Files(x36'.GecfcT00*1'GT\Yh0tJcxe GecfcT00*1' GT\Yh0tJcxe ' C:VP1 C:VP1cg>wnF4n Udbi^WmdoMilA«\)Sâgic3_ C:\W1 C:\W1ndcM1 ndcM1 VncM
(196j',G ooglr', ',G oo^ ir

.x

Registry-MachineRun Rejpstry User Run Registry•MachineRun Reysfty UserRun Reystry •Machine Run Re^tb y MachineRun Rcgisoy UserRun Retptby •Machine Run Re^ sory Ma chi ne Run Ray *by -Ut w Run Re^tby •Machine Run Startup ADUsers Reiptby •Machin* Run Regiioy MachineRun-. Registry •User RunOnce Reysoy UserRun

D«c!p!bn

lil) Yes fed v«s

₪Vei bd Vts ₪ Yd ElcomsoftDistributed Passwc EMET Notifiei (Enhanced Mit! EPSON USB Ditplsy VI M [EP'J [EP'J bd YCS (FolderLock) 0V Google Talk lid Yes Window* l v« M«k»«nyar

bdv«

Rv

0V

Isd Ye Snegh

bd Ve: hd V« 0 Vn

5 Wmm

AdobeResdetandAc!0batM anager/1.6.S.0/AdobeReaderandAcro robatM anagerAd>

—ms —ms— —iia —2^2!—*2 —*2s!— laamuuhttp://codestuff .tripod,com Copyright © by

r

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

S t a rt r t u p P r o g r a m s M o n i to t o r i n g T oo o o l: l : S t a rt rt e r Source: h t t p : / / c o d e s t u f f . t r i p o d . c o m

S t a r t e r a l lo lo w s y o u t o v i e w a n d m a n a g e al all t h e p r o g r a m s t h a t s t a r t a u t o m a t i c a l l y w h e n e v e r t h e operating system is loaded. It enumerates all the hidden registry entries, startup folders' items a n d s o m e o f t h e i n i t ia ia l i z a t i o n f ilil e s, s, s o t h a t t h e u s e r c o u l d

choose

to

tem po rarily

d i s a bl bl e

s e l ec e c t e d e n tr t r ie ie s , e d i t t h e m , c r e a t e n e w , o r d e l e t e t h e m p e r m a n e n t l y . Starter can also list all the processes running and with a change to view extended process' information (such as used DLLs, memory usage, thread count, priorities, etc.), and to terminate selected process. It supports Microsoft Windows 9x, Me, NT, 2000, XP, 2003, and Vista. There are

no

s pe p e c i fi fi c

requirem ents

except

one:

registry

ope ration s

on

a Window s-NT-ba sed

o p e r a t i n g s y s t e m m a y r e q u i r e s p e ci ci a l ac ac c es es s r ig ig h t s . A s a ru ru l e , m e m b e r s o f A d m i n i s t r a t o r s a n d Power Users groups have nothing to worry about.

Module 06 Page 974




f5 I

I

H j

Starter (Server 4.0)

File

Edit

Configuration a Nev.

Exit -4 StJrtup StJrtupll

9

-

B S

a

B

B ^

Piocr Piocrss ssn

Afl Afl lection lectionss (18) (18) Startup folders (1) ^ Current user Jtt All users (1) £ * Default user user Registry (17) & Current user (7) 3 Run ($) RunOnce (1) 3 S i All users (10) 3 Run (9) 3 RunOnce 3 RunOnceE... 3 RunSetvices 3 RunServKe... S 4 Def ault user 3 Run 3 RunOnce INI INI file filess

3

a

a

Edit

Delete

cl Refresh

a

Launch

3

1

Properties

Optiom

About

\ 4 b Swvkci

S B 63 Name *

Sections ^

Hdp

Vau le !E s a z a E E

Section

C:\Program Files (*86)\Advanced Parental Parental Controf \B~ C:\Pr 09 09 rem Frfes (186)\Advanced Parental Controf B... PI Driver Detective C:\P rogram Files («96)\PC Drivers HeadQuarters \Dnv.. . "C:\Program Files (x (x86)\Auto-Tracker\dtn.exe" ( 3 dtn.exe Password Recovery... Recovery... ElcomSoft DPR S.- C:\Program Files (»86)\Eko msoft Password C:\Program Files (*86)\EME T\EM6T_notrf 1er.exe 0 g EMET Notrfi Notrfief ef 0 i * EPSON UD START "C:\Program Files (*86)\EPSON Projector EPSON US— C:\Program Files (*86)\New$oftware $\F0Wer Lock\F.. . B 6 F L B d c ku p 0 <^> googl etilk C:\Program Files (*86)\ Google\ Google Talc\googlet ... C:\Program Files (*86)\GeekTools\GTWho*s.ece 0 GTWh GTWhois ois "C:\Program Files (x (x86)\Windows Lrve\Messenger\m... Lrve\Messenger\m... 0 i l msnm msnmsgr sgr "C:\Program Files(x86)\ActrveTracker\m5.ex (x86)\ActrveTracker\m5.exe* e* ( 3 m5.exe C:\Program Files (x86)\TechSm*h\Snagft 10 »Snag1t 3 ... [ 3 (B Soag Soagrt rt lO.Ink lO.Ink ( 3 svcnet2 C:\Windows\svcnet2Vsvcnet2.exe UnHackMe Rootkit Check 0 Ti tltl e 0 Uninstall Uninstall C:\User... ser... C:\W1ndows\system iAcmd .exe .exe/q /c rmdw /* /q "G~ C:\W1ndows\SysWow64' WmFLTray.exe (3 B WmfL WmfLTr Tray ay (3 11 APC APC

Oetavtam

cza e

*k

Registry Registry • User Run Registry Registry Machine Run Run Registry •User Run Registry • Machine Run Run Registry Registry - User Run Registry - Machine Run Registry Registry • Machine Run Registry • Uset Run Registry Machine Run Registry - Machine Run Registry Registry • Uset Run Registry Machine Run Run Startup All Users Registry Machine Run (k 9 «t y - Machine Run... Regis Registry User RunOnce Registry User Run

&

' 13

Yes (Bac (Backk Proce Process ss)) Yes (Bac (Backk Proce Process ss)) Yes Yes Yes Elcomsoft Elcomsoft Distributed buted Pas Passw swcc (Enhanced M it fm EMET Notifier (Enhanced Yes EPSON US8 Display VI.40 (EP Yes (Folder Lock) Yes Google Talk Yes 1 j • 1 Yes Yes Yes Soag Soagit it «a

< < f m Yes Yes

Tray ApplKation (Folder Lock

Wm.1m

Adobe Reader and Acrobat Manager / 1.6.5.0/ Adobe Reader Reader and Acrobat Manager / Adobe Systems Incorporated

FIGURE 6.60: 6.60: Starter Tool Screenshot

Module 06 Page 975




Startup P rog r ams Monitoring Monitoring Tool: Secu Securi rity ty A u t o R u n S e c u r i ty ty A u t o R u n d i s p l a y s t h e

ClEH

Urtrft ftetf (lhKj| N«Im

list of all applications that are loaded automatically when Windows starts up _

1 ■ rj

Securit ityA yAutorun ;WIN-M SSElCK4K41/Ac1m 1n1strator]

-I" « o o

4- —

N -

S t a rt r t u p P r o g r a m s M o n i t o r in i n g T o ol o l : S e c u r i ty ty A u t o R u n Source: h t t p : / / t c p m o n i t o r . a l t e r v i s t a . o r g

Security AutoRun allows you to view the list of all applications that are loaded automatically wh en W ind ow s starts up.

E ac ac h a p p l i c a t i o n i s l is is t e d w i t h t h e d e t a i l s o f i ts ts t y p e , r e g i s tr tr y ,

common/user, services, drivers list, command-line string, product name, file version, company name, location in the registry or file system, and more. It identifies a spyware or adware program

th at

runs

at

s t a r tu tu p .

C o m p a t i b le le

ope rating

s y st st e m s

of

Window s

are

9x/ME/NT/2000/XP/Vista/7.

Module 06 Page 976




ls

Security Security Autonvt - [WIN M SStlC K4K4 K4K4 VAdmmistMt or]

is m m

o o 4A Cur crtUMr

¥ **»)

^ *»/ Ox*(I) (I) ¥ •alOM

¥ »* 0 ^ ft

*

IMdfttf* IMdfttf*

5 sun*fcMr) (l)

*ppk*S0wl* t«r i UM i i«r «a

¥

V Ox•C •CO) ¥ ^rOnab

»0

Nrt wert t lr «w«neQnr p

V ^rS«^(«Ch» *

?alo ?aloes es

*

Sh««Ct»»Kt(0

C V r t » X 1 * $ yt1V0»^4 yt1 V0»^4 y/W/ W / Vi f r « » V *

JP Nryca(SS

C:tMr4^*4aWl*rtrramm«64vX0**F'rt«• ^<7 •Mh(*•6:600* Ux)•* « .. t f-oîn f-oînHn(06!CocÛ*tet»£oo*«jpd•*♦

O >Ntr

C:»wnd»we7WlMgeit it.r*• *•

4 Q>Mrl« Q>Mrl« 4

w

c:fro rogr«nN nN««(> (>M)CPSONPro^KtorCPiONUS80 »-

^ w itvipSrMon

4

C:^ftndaw»y»gc< c1Ufcv*0tt.C■*4** 4***gx C:Wndowe)m )m»e«MWwvc-w -w c

instat o) Components

49 miogan ¥ wgon QSt*ru>W 0 «r

:

* * c a j / * r Ox Ox »< »< i )

#1Md nw1 | tt «Txocu/Mmûi | 0 •«CU/OnMo» j # Muafft Muafftrt rtro roB B *HMCU1 j v MoOu'i I 1_i SdwA*tfT*a I ‘ tnM « # tWI O** | *j *HMCU1 Sart«(Mrvat> rvat>-(n|| -(n|| 0 I M | A **Own 1 # mw tm Om m I # 1im/»ôtnct(1) | V HtM/SifiOaCi _ Sart«(M S*r*ctN««* Cyrtrx**.-*XNY f*TS*0 *0*V&^0 V&^0 *ctxrr • «W$ fcM0 fcM0»*rt0 »*rt0rrV»*b *bS4TMCN

3) r/QaCUl Si CUUM 3) App|r«0lU

X:ft9l*NN(1M)yMl%«nraS4r1<(t^

C'Ar«M «»rt«^«Uywr>K f>* /If

g *Opt"* *Opt"*

^ Ta*S<*adJar ♦ .Start*

> tt*o(0)

^ t t i k A n (} (} )

Nr«n*t*Sor Mcrwoft 0* 0* Owgnotacs $«*0 • O«o» Sasc*tngrw

OWotSofrw rwft Pmkjp*

POQOW fct

Wtfp fprw Wvm

Per
3

B< V ) *• mt

C: Wr êi wW DW wr>r - »«W»«. SQLw» C prtS rtS•*W V'tfrv 'tfrvn#

X *>07*•H" WCo~*>n 9w4\ .. Xff-ogr !Nn (*♦6)<0 0 Nutat Nut ate* e* 9w»d’, X:1^0yw■NetComienN nN»ef40eee^$ ^$hsndvy*cv Hn (»M:r«ttUp :r«ttUp«YM«*•** *•**4 4 **«’ 1 iw^fOQOKioyfOQ M X:*o*• •H" 0*9V*W C'AW'iSo••

HKt Y.lOCAl.MACMtj r SYS

FIGURE 6.61: 6.61: Security AutoRun Tool Screenshot

Module 06 Page 977




Startup Pro Pr o g r a ms Monitoring Tools

©

Absolute Startup manager

Program Starter

h t t p : / / w w w . absolutestartup. . absolutestartup. com

http://www.ab-tools.com

ActiveStartup

Disable Startup

http ://www . hexilesoft. hexilesoft. com

h t t p : / / w w w. disables tartup. tart up. com

StartEd Lite http://www.outertech.com

C EH

StartupMonitor t

a

t

http://www.mlin.net

Startup Inspector

Chameleon Startup Startup Manage r

h t t p : / / w w w . windowss . windowss tartup.com

http://www.chameleon-managers.com

Autoruns for Window s

1 1 1


Startup Booster http://www.smartpctools.. com http://www.smartpctools


S t a r tu t u p P r o g r a m s M o n i t o ri ri n g T o ols A l is is t o f S t a r t u p p r o g r a m s m o n i t o r i n g t o o l s a r e as as f o l l o w s : 0

A b s o l u t e S t a r t u p m a n a g e r a v a i l ab ab l e a t h t t p : / / w w w . a b s o l u t e s t a r t u p . c o m

0

A c t i v e S t a r t u p a v a i l a bl bl e a t h t t p : / / w w w . h e x i l e s o f t . c o m

0

StartEd Lite ava ilable at h t t p : / / w w w . o u t e r t e c h . c o m

0

S t a r t u p I n s p e c t o r a v a i la la b l e a t h t t p : / / w w w . w i n d o w s s t a r t u p . c o m

0

A u t o r u n s f o r W i n d o w s a v ai a i la l a b le le a t h t t p : / / t e c h n e t . m i c r o s o f t . c o m

0

P r o g r a m S t a r t e r a v a i l a bl bl e a t h t t p : / / w w w . a b - t o o l s . c o m

0

D i s a b le le S t a r t u p a v a i l a b l e a t h t t p : / / w w w . d i s a b l e s t a r t u p . c o m

0

S t a r t u p M o n i t o r a v a ilil a b le le a t h t t p : / / w w w . m l i n . n e t

0

C h a m e l e o n S t a r t u p M a n a g e r a v a i l ab ab l e a t h t t p : / / w w w . c h a m e l e o n - m a n a g e r s . c o m

0

S t a r t u p B o o s t e r a v a i l ab ab l e a t h t t p : / / w w w . s m a r t p c t o o l s . c o m

Module 06 Page 978




Scanning fo for Suspicious Suspicious File Files s and Folde Folders rs

CEH

Trojans normally m odify system's files and folders. Use these tools to d etect system changes

SIGVERIF

TRIPWIRE

FCIV I t is is a c o m m a n d l i n e u t i l itit y t h a t

I t is is a n e n t e r p r i s e c l a s s s y s t e m

I t c h e c k s i n t e g r i t y o f c r i t i c a l f ilil e s

c o m p u t e s M D 5 o r S H A1 A1

integrity v erifier that scans and

t h a t h a v e b e e n d i g i t a llll y s i g n e d

r e p o r t s c r i titi c a l s y s t e m f i l e s f o r

by Microsoft

c r y p t o g r a p h i c h a s h e s f o r f ilil e s

changes

C:\ C IV>fciv\.exe IV>fciv\.exe c:\hash.txt / / File File Checksum Checksum Integ rity Verifier Verifier version 2.05.

//

tripwire.

6blfb2f76cl39c82253732elc8824cc2

C: \ hash. txt


S c a n n in g f o r S u s p ic io u s F ile s a n d F o ld e r s Usually w hen a system gets infe cted by a Trojan, it modifie s the files and folders; yo u c a n sc sc an an t h e f ilil e s an an d f o l d e r s w i t h t h e f o l l o w i n g t o o l s i n o r d e r t o d e t e c t t h e T r o j a n s i n s t a l l e d .

F C IV

^

v

Fi l e C h ec e c ks k s um u m I n t e g ri r i ty t y V e r i fi f i e r ( F C I V ) is is a u t ili l it i t y t h a t c a n a lll l ow o w yo y o u t o g e n er e r at at e M D 5

or SHA-1 hash values for files that can be verified with the standard values to determine any c h a n g e i n t h e m ; i f f o u n d , y o u c an an r u n a v e r i f i c a t i o n o f th th e f i l e s y s t e m f i l es es a g a i n s t t h e X M L d a ta t a b a s e t o d e t e r m i n e w h i c h f ili l e ess h a v e b ee e e n m o d i f ie i e d . I t i s a c o m m a n d - p r o m p t u t i l it it y t h a t c o m p u t e s a n d v e r i f i e s c r y p t o g r a p h i c h as as h v a l ue u e s o f al al l y o u r c r i t i c a l fi f i l es es a n d s a ve ve s t h e v a l u e s i n an XML file database.

C: \ CI CI V>f ci v\ .ex .exe c: \ hash. sh. t xt / / Fi l e Checksu cksum m I nt egr i t y Ver i f i er ver si on 2. 2. 05. //

6bl f b2f 76cl 76cl 39c82 c82253732el c88 c8824cc2 c : \ hash. sh. t xt T r ip w i r e — ©© Source: h t t p : / / w w w . t r i p w i r e . c o m

Module 06 Page 979

Ethical Hacking and C ounterm easures Copyrigh t © by EC-C EC-COU OUIIC IICilil All Rights Reserved. Reproduction is Strictly Prohibited.


Tripwire

Enterprise

provides


the

configuration

control

capabilities

organizations

need

to

proactively secure the entire infrastructure and ensure compliance with internal policies, regulations, and industry standards and benchmarks. “

S IG V E R IF Source: h t t p : / / b o o k s . g o o g l e . c o . i n

SIGVERIF is a signature verification tool that allows you to find signed and unsigned drivers connected to the system. When you find any unsigned driver, you can move that to a new folder and restart the system and test the program and functionality for errors. The following a r e t h e s t e p s t o i d e n t i f y u n s i g n e d d r i v e rs rs : Q

Click Sta rt, click Run, typ e SIGVER SIGVERIF, IF, and th en click

OK.

9

C lili ck ck t h e A d v a n c e d b u t t o n .

e

C lili ck c k t h e o t h e r f ilil e s t h a t a re re n o t d i g i t a l ly l y s ig i g n e d. d.

9

N a v ig i g a te t e t o w i n n t \ s y s t e m 3 2 \ d r i v e r s f o l d e r a n d t h e n c lili ck ck OK .

After SIGVERIF finishes, it checks all the unsigned drivers and lists are displayed on the c o m p u t e r . T h e i n v e s t i g a t o r c a n f i n d t h e l i s t o f al al l s i g n e d a n d u n s i g n e d d r i v e r s f o u n d b y SI SI GV GV ER ER IF IF in

s i gver i f . t xt xt i n t h e %wi ndi ndi r %f o l d e r , t y p ic ic a l l y t h e w i n n t o r w i n d o w s f o l d e r .

Module 06 Page 980




File Files s an and Folder Folder Integ Integri rity ty Checker: FastS FastSum um and W i n M D 5 W1nMD5V2.07 (Cl 2003-2006 by eolsonS'mi tedu

- I ! x

http://www.blisstonia.com J

W i n M D 5 i s a W i n d o w s u t i l i t y f o r c o m p u t i n g th th e MD5 hashes ("fingerprints") of files

J

These fingerprints can be used to ensure that the file is uncorrupted

http://www.fastsum. http://www.fastsum.com -1 FastSum is used for checking inte grity o f the files -J

It com putes checksums according to the M D5 checksum a lgorithm


j F i le s a n d F o l d e r I n t e g r it y C h e c k e r : F a s t S u m

a n d W in M D 5

A fi f i le le s a n d f o l d e r i n t e g r i t y c h e c k e r a l lo lo w s y o u t o m o n i t o r t h e i n t e g r i t y o f f ili l e s a n d folders and check for any changes in the critical files, indicating potential intrusion attempts. These w ork w ith a suite of security tools to provide a com plete a udit and mo nitoring solution f o r OS S a n d G u a r d i a n f i l e s y s t e m s . FastSum Source: h t t p : / / w w w . f a s t s u m . c o m FastSum is built on the well-proven MD5 checksum algorithm, which is used worldwide for c h e c k i n g t h e i n t e g r i t y o f th th e f i le l e s . Y o u c a n t a k e c o n t r o l o f y o u r d a t a w i t h F a st s t S um um . F i n g e r p r i n t y o u r i m p o r t a n t f ilil e s n o w a n d c h ec e c k t h e i n t e g r i t y a f t e r a n e t w o r k t r a n s f e r o r a CD CD b u r n i n g s i m p l y b y ta ta k i n g t h e f i n g e r p r i n t s a g a in in a n d c o m p a r i n g t h e m w i t h t h e p r e v i o u s l y m a d e o n e s . I n t h e s a m e w a y , y o u c a n a ls ls o f i n d o u t w h e t h e r y o u r f i le le s h a d b e e n d a m a g e d b y v i r us us e s , n e t w o r k i ss ss ue ue s, s, o r C D / D V D b u r n i n g f a i l u r e s .

Module 06 Page 981




FattSum 1.7 IUnr«g IUnr«g>?t«f*d >?t«f*d l

t * !(•» !(•» ftft**

Om

X ► * Ti OmiiNllavffivttiliMvyiuMirttsvriiictaaiwad

*«* K»j» *rfV r*JH r*JHy«c

P m t * £ •* •* * Cm * 5 w i r » w

et*ta

9

n« tr of •* •

D DncW'e'JfjT' r.f*h r.f*h« « * ® c**jdfc 4 ) E U > /* > r w v iw V “1- — *» Pca#11 Pca#11pr® pr®

So. «N I U«B 1^5 •® •® 7. « JBM 2KB

' " f• !

on ««

1 •*? — # ] deeeopn

Chpcxm^vfM r.0*U~*£ 1 » ^ D D W H f5 K W 4 ( C J 4 r « W « « 5 W 3 ’ w c c € f fw fw 4^ 5 « 0 >? 1€« 13t3LfU4tU:tlWMi2nt2rtM44*a 4ACaaefSlS35CS£2t37SX1«Bltft6l7 >4 •t F4J! F4J! h : E iTf l [1:>3i >3i C3I24 C3I24U5iA885tA2»U«2X1WH 6* 2CW«^MEFfv!rEA«7??nRB273

• U y V U 4D 4D U 4 .1 .1 M M M l S« S« e C «U «U A 54AS647711J 7A4271Mf &Cto££E 7X& MS Ml 44jiÊtfX»M0E*juCC£*]14!1tai 5HCttOFMf DK&6E4D7562t3£X6? ?K1»*aCPClKWfiC5«CMEFE7«ll

P

•

IM

{? f*M* j\

SMptrM

j

A

C*a« C*a«Ml Ml froc«MKmI*10* •* /VXII?6 /VXII? 64 ♦PH D**C«nQ»* 7 !** * ? Up*

10*

W * • I * W « P

:UfcUrtr^ :UfcUrtr^ » dwk MM

c DMiMMi * 1aar,J0»7149pn Pracwii22H«anO nOtaoarv% v%#31* ■■n1 n1156&£ oc00w«pr ec€00«Bi«r

FIGURE 6.62: FastSum W in M D 5 Source: h t t p : / / w w w . b l i s s t o n i a . c o m W i n M D 5 v 2 . 0 is is a W i n d o w s ( 98 9 8 , 2 0 00 00 , XP XP , V i s ta ta , 7) 7) u t i l i t y f o r c o m p u t i n g t h e M D 5 h a s h e s ( " f i n g e r p r i n t s " ) o f fifi le le s . I t al al so so m a k e s i t v e r y e a s y t o c o m p a r e t h e f i n g e r p r i n t s a g a i n s t t h e c o r r e c t fingerprints stored in an MD5SUM file. RedHat, for example, provides MD5SUM files for all of its large downloadable files. These fingerprints can be used to ensure that your file is uncorrupted. WinMD5 v2.07 (C) 2003-2006 by eolson@mit.edu File

Edit

Options

Help

Currently Processing: (idle)

Errors Found

(0 items enqueued)

Pat h MD5SUM. md5 ChangeLog. ChangeLog. t xt Cor r upt Fi Fi l e. t xt xt README. t xt Wi nMD5.exe D5. exe

Clear

| Has h

| Byt es

aeca3c951ddeal 830ebe7cebab5d 830ebe7cebab5de8cc e8cc d73f d73f f 397a76f 397a76f 886e8c5a 886e8c5a80b 80b052 05223feel 23feel 63895264778b3c e92c 57d0df f 67 670f 7c 7c 7 e3d78080bf e3d78080bf c49d89113c55cf c49d89113c55cf 4b7c4f b4 191c7c02a3206f 191c7c02a3206f dca2b79941c634d dca2b79941c634d2b2 2b2

Abort

192 192 1304 92 978 978 126976

| St at us Loaded Good BAD Good Good

Number of known md5 hashes found in MD5SUM files :

4

Drag files and MD5SUM files (if available) into this window.http window.http !;v.v.v. .bl 1sston 1a cony'software

FIGU FIGURE RE 6.63: 6.63: W iinM nM D5

Module 06 Page 982




File Files s an a nd Folder Inte Integr grit ity y Checker Advanced Checksum Verifier

CEH

Attribute Manager

(ACSV)

http://www.miklsoft.com

http:/'/www . irnis.net

J

2

i

p

I

ji

Fsum Fronte d

PA File Sight

y

http://fsumfe.sourceforge.net

http://www.poweradmin . com

Verisys

CSP File Integrity Checker

h t t p : / / w w w . ionx. . ionx. co. uk

h t t p : / / w w w. tandemsecurity. com

€

AFICK (Another File Integrity Checker)

ExactFile http://www.exactfile.com

http://afick.sourceforge.net

File Integrity Monitoring

OSSEC

h t t p : / / w w w . ncircle.com . ncircle.com

^ n₪ 1 |

Copyright © by

http://www.ossec.net

EG-G*ancil. All


F i le s a n d F o l d e r I n t e g r it y C h e c k e r s F ilil es es a n d F o ld ld e r I n t e g r i t y C h e c k e r s m o n i t o r f i le l e in i n t e g r i t y a n d i d e n t i f y t h e c h an an g e s i n the critical files that intimate any potential intrusion attempts A few files and folder integrity checkers are listed as follow s: ©

A d v a n c e d C h e c k s u m V e r i f i e r ( AC AC SV SV ) a v a i l a b l e a t h t t p : / / w w w . i r n i s . n e t

0

Fsum Fronted available at h t t p : / / f s u m f e . s o u r c e f o r g e . n e t

0

Verisys available at h t t p : / / w w w . i o n x . c o . u k

0

A FI FI CK CK ( A n o t h e r Fi Fi le le I n t e g r i t y C h e c k e r ) a v a i l a b l e a t h t t p : / / a f i c k . s o u r c e f o r g e . n e t

0

F ilil e I n t e g r i t y M o n i t o r i n g a v a ilil a b le le a t h t t p : / / w w w . n c i r c l e . c o m

©

A t t r i b u t e M a n a g e r a v a i la la b l e a t h t t p : / / w w w . m i k l s o f t . c o m

©

PA File File Sight ava ilable at h t t p : / / w w w . p o w e r a d m i n . c o m

0

CSP File File In teg rity Che cker ava ilable at h t t p : / / w w w . t a n d e m s e c u r i t y . c o m

0

ExactFile ExactFile availab le at h t t p : / / w w w . e x a c t f i l e . c o m

0

OSSE OSSEC C av aila ble at h t t p : / / w w w . o s s e c . n e t

Module 06 Page 983




Scan Scanni ning ng for Suspicious Suspicious Network Activities J

C EH

Tr oja ns co nn ec t ba ck to ha nd le rs an d se nd co nf id en tia l in fo rm at io n to attackers

J

Us e ne tw or k sc an ne rs an d pa ck et sn iff ers to m on it or n e tw o rk traffic going going to m alicious alicious rem ote addresses

J

Run to ol s suc h as Ca ps a to m on it or n et w or k tra ff ic an d loo k f or suspicious suspicious activities sent over the web


S c a n n in g f o r S u s p ic io u s N e t w o r k A c t iv i tie s After a malicious attack, the Trojans start sending the confidential data present on the s y s t e m t o t h e a t t a c k e r s . T r o j a n s c o n n e c t b a c k t o h a n d l e r s an a n d s e nd nd c o n f i d e n t i a l i n f o r m a t i o n t o attackers. Use network scanners and packet sniffers to monitor network traffic going to m a l i c i o u s r e m o t e a d d re re s s e s . In In o r d e r t o a v o i d t h e s e s i t u a t io i o n s , i t ' s a lw l w a y s b e t t e r t o s ca ca n t h e n e t w o r k s f o r s u s p ic i c i o u s a c ti t i v i ti ti e s . W i t h t h e h e l p o f s c a n n i n g u t i l i t ie ie s , y o u c a n k n o w i f t h e d a t a is being transferred to a malicious remote source. By using network scanning tools like Capsa, you can identify such activities.

Module 06 Page 984




Dete etecti cting Tro Trojan jans and a nd W o r m s with with Capsa Cap sa Networ Net work k Analy Analyze zer r

CEH

Capsa is an intuitive network analyzer, which provides detailed information to help check if there are any Trojan activities on a network

htt p :/ / w ww . colasoft. com

Copyright © by EC-C EC-Coanci l. All Rights Reserved. Reserved. Reproducti on Is Strict ly Prohibite d.

J D e te c tin g T r o ja n s a n d W o r m s w ith C a p s a N e t w o r k A n a ly z e r Source: h t t p : / / w w w . c o l a s o f t . c o m C ap a p sa sa i s a n e t w o r k a n a l y z e r t h a t p r o v i d e s e n o u g h i n f o r m a t i o n t o h e l p c h e c k i f t h e r e i s a n y T r o j a n a c t i v i t y o n a n e t w o r k . I t i s a p o r t a b l e n e t w o r k a n a l y z e r f o r LANs/WLANs t h a t p e r f o r m s packet capturing, network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. F e a t u re re s o f C a ps ps a N e t w o r k A n a l y z e r i n c l u d e : ©

R e a l - t im im e

capture

and

sa sa v e d a t a t r a n s m i t t e d

over

l o ca ca l n e t w o r k s , i n c l u d i n g w i r e d

network and wireless network like 802.11a/b/g/n Q

M o n i t o r n e t w o r k b a n d w i d t h a n d us us ag a g e b y c a p t u r i n g d a t a p a c k e ts ts t r a n s m i t t e d o v e r t h e n e t w o r k a n d p r o v i d in i n g s u m m a r y a nd n d d e c o d i n g i n f o r m a t i o n a b o u t t h e se s e p a c k e ts ts

©

V i e w n e t w o r k s t a t is is t i c s, s , a l l o w i n g ea e a s y c a p t u r e a n d i n t e r p r e t a t i o n o f n e t w o r k u t i lili z a t i o n data

e

M on itor

Interne t,

e m a i l,l,

and

instant

m es e s s a g in in g

traffic,

h e l p in in g

keep

em ployee

produ ctivity to a max imum

Module 06 Page 985



e

D i a g no no s e

and

pinp oin t


net w or k

proble ms

in

seconds

by

detecting

and

locating

suspicious hosts e

M a p o u t t h e d e ta ta i ls ls , i n c l u d i n g t r a f f i c , IP IP a d d re re s s , a n d M A C , o f e ac ac h h o s t o n t h e n e t w o r k , a l l o w i n g f o r e a s y i d e n t i f i c a t i o n o f e a c h h o s t a nd n d t h e t r a f f i c t h a t p a ss ss es es t h r o u g h e a cch h

©

V i s ua u a l iz iz e t h e e n t i r e n e t w o r k i n a n e l lili p s e t h a t s h o w s t h e c o n n e c t i o n s a nd n d t ra ra f f i c b e t w e e n e a c h h o st st

FIGURE 6.64: 6.64: Detecting Trojans Trojans and Worms with Capsa Network Analyzer

Module 06 Page 986




Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

M o d u l e F lo lo w So far, we have discussed various Trojans and the ways they infect the system resources or inform ation stored on the c om pute r, as well as ways to dete ct Trojans on a computer.

Once

you

detect

a

Trojan,

you

should

immediately

delete

it

and

apply

c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n a g a in in s t T r o ja ja n s a n d b a c k do d o o r s. s . T h e se se c o u n t e r m e a s u r e s minimize risk and provide complete protection to the user's system.

Trojan Concepts

(

!/— V

Trojans Infection

Types of Trojans

Countermeasures

|jj |jjp |j| |j|

Anti-Troj Anti-Trojan an Sof twa re Penetration Testing Testing

—

f 1 Troj rojan Dete Detect c tiion

Module 06 Page 987




T h is is s e c t io io n h i g h l i g h t s v a r i o u s c o u n t e r m e a s u r e s t h a t p r e v e n t T r o j a n s a n d b a c k d o o r s f r o m entering into yo ur system.

Module 06 Page 988




Trojan Trojan C ounterm easures

C EH

Avoid opening email attachments received from unknown senders

Avoid accepting the

Block all unnecessary ports

programs transferred by

at the host and firewall

i n s t a n t m e s s a g i ng ng

Harden weak, default configuration settings

Disable unused

M o n i t o r t h e i n te te r n a l

functionality including

n e t w o r k t r a f f ic ic f o r o d d

protocols and services

ports or encrypted traffic

Copyright © by

EG-G*ancil. All


T r o ja ja n C o u n t e rm e a s u r e s A T r o j a n i s a m a l i c i o u s p r o g r a m t h a t m a s q u e r a d e s as as a g e n u i n e a p p l i c a t i o n . W h e n these Trojans are activated, they lead to many issues such as erasing data, replacing data on a victim's computer, corrupting files, spreading viruses, and spying on the victim's system and secretly reporting the data, recording keystrokes to steal sensitive information such as credit card number, user names, passwords etc. and opening a backdoor on the victim's system for carrying out precarious activities in the future. In order to prevent such activities and reduce t h e r i s ks ks a g a in in s t T r o j an an s , t h e f o l l o w i n g c o u n t e r m e a s u r e s h o u l d b e a d o p t e d : 0

A v o i d o p e n i n g e m a i l a t t a c h m e n t s re r e c e iv iv e d f r o m u n k n o w n se s e n d er er s

0

B l oc o c k a llll u n n e c e s s a ry r y p o r t s a t t h e h o s t a nd n d f ir ir e w a l l

0

A v o i d a c c e p t i n g t h e p r o g r a m s t r a n s f e r r e d b y i n s t a n t m e s s a g in in g

0

H a r d e n w e a k , d e f a u l t c o n f i g u r a t i o n s e t t in in g s

0

D i sa s a b le le u n u s e d f u n c t i o n a l i t y i n c l u d i n g p r o t o c o l s an a n d s e r vi vi c es es

0

M o n i t o r t h e in i n t e r n a l n e t w o r k tr t r a f f i c f o r o d d p o r ts t s o r e n c r y p t e d t ra ra f f i c

Module 06 Page 989




Trojan Trojan Cou nterm nter m easures (Cont’d) Avoid dow nloadin g and executing applications from untrusted sources

Avoid typing the commands blindly and impleme nting pre-fabricated programs or scripts

Install patches and sec urity updates for the operating systems and applications applications

Manage local works tation file integ rity through checksums, auditing, and port scanning scanning

C EH

/ . Ic Ic itit if w wd d

i t tx tx j J • U. U. U U..

Scan Scan CDs and flopp y disks with antivirus softwa re before using using

Run Run host-based antivirus, firewall, and intrusion detection software

Copyright Copyright © by EG-Gouncil. All Rights Rights ^gSen/ ^gSen/ ed.;Reproduction ed.;Reproduction is Strictly Prohibited.

T r o j a n C o u n t e r m e a s u r e s ( C o n t ’d ) 9

A v o i d d o w n l o a d i n g a n d e x e c u t i n g a p p lil i c a ti t i o n s f r o m u n t r u s t e d s o u rc rc e s

9

I n st s t a llll p a t c h e s a n d s e c u r i t y u p d a t e s f o r t h e o p e r a t i n g s y s t e m s a n d a p p l i c a t i o n s

9

S ca ca n CD CD s a n d f l o p p y d i s ks ks w i t h a n t i v i r u s s o f t w a r e b e f o r e u s in in g

9

Restrict permissions within the desktop environment to prevent malicious applications installation

9

Avoid typing the commands blindly and implementing pre-fabricated programs or scripts

9

M a n a g e l oc oc a l w o r k s t a t i o n f i l e i n t e g r i t y t h r o u g h c h e c k s u m s , a u d i t i n g , a n d p o r t s c a n n in in g

9

R un un lo lo c a all v e r s i on o n s o f a n t i v i r u s , f i r e w a l l , a nd nd i n t r u s i o n d e t e c t i o n s o f t w a r e o n t h e d e s k t o p

Module 06 Page 990




Backdoor Counterme Coun termeasures asures

CEH

UrtifM

tUx*l

lMh lIMh•(

Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage

m

Educate users not to install applications downloaded from untrusted Internet sites and and email attac hments

Use anti-virus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors

Copyright © by

EG-G*ancil. All


B a c k d o or C o u n t e rm e a s u r es P e rh r h a ps ps t h e o ld l d a d a g e " a n o u n c e o f p r e v e n t i o n i s w o r t h a p o u n d o f c u r e " i s r e l ev ev a n t here. Some backdoor countermeasures are: 0

T h e f i r s t l in in e o f d e f e n s e i s t o

educate

use err s r e g a r d in in g t h e

d a n g e r s o f i n s t a llll i n g

applications dow nload ed fro m the Internet, and to be cautious if they have to open email attachments. 0

T h e s e c on o n d l i ne ne o f d e f e n s e c a n be be a n t i v i ru r u s p r o d u c t s t h a t a re re c a p a b l e o f r e c o g n iz iz i n g T r o j a n s i g n a t ur u r e s . T h e u p d a t e s s h o u l d b e r e g u l a r ly ly a p p l i e d o v e r t h e n e t w o r k .

0

The third

l in in e o f d e f e n s e c o m e s f r o m

k e e p i n g a p p l i c a t i o n v e r s io io n s u p d a t e d

by the

f o l l o w i n g s e c u r i ty t y p a tc tc h e s a n d v u l n e r a b i l i ty ty a n n o u n c e m e n t s . Use antivirus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors.

Module 06 Page 991



C o n s t r u c t T r o j an an


Trojan Execution

Trojan Horse Construction Kits

Trojan Horse construction

The tools in these kits can

Trojan Horse Construction Kit

kits help attackers to

be dangerous and can

P r o g e n i c M a i l T r o ja ja n

construct Trojan horses of

backfire if not executed executed

Con struction Kit - PMT

their choice

properly

Pandora's Box

411

©

© Copyright © by

EG-G*ancil. All


T r o ja n H o r se C o n s t r u c t io n K its T h e s e k i ts ts h e l p a t t a c k e r s c o n s t r u c t T r o j a n h o r s e s o f t h e i r c h o i ce ce . T h e t o o l s i n t h e s e k i ts ts c a n b e d a n g e r o u s a n d c a n b a c k f i r e i f n o t e x e c u t e d p r o p e r l y . S o m e o f t h e T r o j a n k i ts ts available in the wild are as follows: 0

T h e T r o j a n H o r s e C o n s t r u c t i o n K i t v 2 . 0 c o n si s i s ts ts o f th t h r e e EXE f i le le s : T h c k - t c. c. e x e , T h c k fp.exe, and Thck-tbc.exe. Thck.exe is the actual Trojan constructor. With this commandline utility, the attacker can construct a Trojan horse of his or her choice. Thck-fp .exe is a f i le le s i ze ze m a n i p u l a t o r . W i t h t h i s , t h e a t t a c k e r c a n c r e a t e f i le l e s o f a n y l e n g t h , p a d o u t f i le le s to a specific length, or even append a certain number of bytes to a file. Thck-tbc.exe will turn any COM program into a Time Bomb.

Q

T h e P r o g e n i c M a i l T r o j a n C o n s t r u c t i o n K i t ( P M T ) is is a c o m m a n d - l i n e u t i l i t y t h a t a l l o w s an attacker to create an EXE (PM.exe) to send to a victim.

0

P a n d o r a ' s B ox ox is a p r o g r a m d e s i g n e d t o c r e a t e T r o j a n s / t i m e b o m b s .

Module 06 Page 992




M odule Flow Fl ow

EH

Penetratio n Testing Testing

^


**S

Trojan Concepts

Trojan Infection

Countermeasures

Types of Trojans

Trojan Detection / Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

I M od ule Flow lu §

P r io io r t o t hi h i s , w e h a vve e d i sc s c u ss ss e d v a ri ri o u s c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n t o y o u r

computer system and the information stored on it against various malware such as Trojans and b a c k d o o r s . I n a d d i t i o n t o t h e se se , t h e r e i s a n t i - T r o j a n s o f t w a r e t h a t c a n p r o t e c t y o u r c o m p u t e r systems and other in form ation

a s se se ttss a g a in in s t T r o j a n s a nd nd b a c k d o o r s . A n t i - T r o j a n s o f t w a r e

d ea e a ls ls w i t h r e m o v i n g o r d e a c t i v a ti ti n g m a l w a r e .

, •

s

v

—

Tro jan Concepts

Co u nte rm e a su re s

Trojans Infection


Types Types of Trojans Trojans

^

Penetrat Penetration ion Test Testin ing g

—

f

Trojan Detection

This section lists and describes various anti-Trojan software programs.

Module 06 Page 993




Anti-Trojan Anti-Trojan Softwar Software: e: TrojanHunter

CEH

TrojanHunter is an advanced malware scanner that detects all sorts of malware such as Trojans, spyware, adware, and dialers

' -L e T x

TrojanHunter

M e m o r y s c a n n in in g f o r d e t e c t i n g any m o d i f i e d v a r i a n t o f a particular bu ild o f a Trojan

File View Seen J00I5 Help

\

FjlE car

\

QjckScan

Q

Update

*

cLry TrojanHunter Now -Clcfc Here!

Bat

Registry scanning for detecting traces of Trojans in the registry

! j

b

Inifile scanning for detecting traces of Trojans in configuration files files

^Char. ..

Clow

O Fo>n Fo>nd d va » file: CAJser3\AdrhVkaoOeto\.K0i\T OT0Wx.cxcAJ0K.fyv1hwyb (Aocnt.2989) W POJ10 VOtdn Ifc: C:V/rtJowstf ysWOM64y1CAFEE. EKE(RI shvare. TVtyPrcwv . IOC)

TrojanHun ter Guard for resident memory scanning - detect any Trojans if they manage to start up

http ://w ww. trojanhunter. com com Copyright © by

EG-CMHCil. All


A n t ii - T r o jjaa n S o f tw t w a r e: e: T r o j a n H u n t e r Source: h t t p : / / w w w . t r o j a n h u n t e r . c o m T r o j a n H u n t e r is is a m a l w a r e s c a n n e r t h a t d e t e c t s a n d r e m o v e s a llll s o rt rt s o f m a l w a r e , s u c h as as Trojans, spyware, adware, and dialers, from your computer. Some of Trojan Hu nter's features include: 0

H i g h -s - s p e e d f i le l e s ca ca n e n g i n e c a p a b l e o f d e t e c t i n g m o d i f i e d T r o j a n s

0

M em ory scanning for detec ting any mo dified variant of a particular build of a Trojan

9

R e g i st s t r y s c a n n i n g f o r d e t e c t i n g t r a ce c e s o f T r o j a n s in in t h e r e g i s t r y

Q

I n i fi fi le le s c a n n in in g f o r d e t e c t i n g t r a c e s o f T r o j a n s in in c o n f i g u r a t i o n f i le le s

0

Port scanning for detec ting open Trojan ports

9

T h e A d v a n c e d T r o j a n A n a ly l y z e r , an an e x c lu lu s i v e f e a t u r e o f T r o j a n H u n t e r , is a b l e

to find

w h o l e c la la ss s s es es o f T r o j a n s u s i n g a d v a n c e d s c a n n i n g t e c h n i q u e s 0

T r o j a n H u n t e r G u ar ar d f o r r e s id i d e n t m e m o r y s c a n n in i n g - d e t e c t a n y T r o ja ja n s if if t h e y m a n a g e to start up

9

L i v e U p d a t e u t i l i t y f o r e f f o r t l e s s r u l e s e t u p d a t i n g v ia ia t h e I n t e r n e t

Module 06 Page 994



9


P r o ce ce s s l is is t g i v i n g d e t a i l s a b o u t e v e r y r u n n i n g p r o c e s s o n t h e s y s t e m , i n c l u d i n g t h e p a t h t o t h e a c t u a l e x e c u t a b l e f ili l e

0

A c c u r a t e r e m o v a l o f al all d e t e c t e d T r o j a n s - e v e n i f t h e y a r e r u n n i n g o r i f t h e T r o j a n h a s i n j e c t e d i t s e l f in i n t o a n o t h e r p r oc oc e s s TrojanHunter File

View

Scan

Tools

Help

0 Full Scan

Quick Scan

L j l J

■h

Update

Exit

Object s scanned:

147791

Trojans found:

a Buy Trojan Hun ter Now - Click Here!

2

> , Clean. Clean.

Close

(U) Found trojan file: file: C:\Users\Admin\AppDataV-0 cal\TempVjpx.exeAJpx.fyvzhwyb cal\TempVjpx.exeAJpx.fyvzhwyb (Agent.2989) (Agent.2989)

10

Found trojan file: C: \W1ndows\$ysWOW \W1ndows\$ysWOW64V>1 64V>1CAFEE.E CAFEE.EXE XE (Rjskw are.TinyP roxy. 100)

FIGURE 6.65: TrojanHunter Anti-Trojan Software

Module 06 Page 995




Anti-Trojan Softw Software are: : Emsis Emsisof oft t Anti-Malware E m s i s o f t A n t i -M -M a l w a r e p r o v id id e s

Emsisoft

P C p r o t e c t i o n a g a i n s t v ir ir u s e s ,

CEH

ANTI-MALWARE

Trojans, spyware, adware, worms, bots, keyloggers, and rootkits

t=J

T w o c o m b i n e d s c a n n e rs rs f o r

S C A N C O M P U TE R Scanne ned d objects objects

c l e a n in in g : A n t i - V i ru ru s a n d A n t i -

*97-163

Dctectcd objects:

Reno/eb Reno/eb ob objec jects:

0

DrtaiK 62 registry keys ir cdium ri^<

a

Scanning: Sar'rohcd

Malware

Oiagntnn

Three guards against new

B

infections: file guard, beha vior

U

b l o c k e r, r, a n d s u r f p r o t e c t i o n

317

f O

Id

&

Id Id

S J detectedbcaticr?.. IraicJtauaUYlCf 5J (A) (A) Gt We* gidptp^ trdbca to'5 TraicJtamtreJiM aiYr Svstan Svstan Pmtn ifd £ Vicr Vicr Jdc -x:*db x :*db ^*jcr 3.. 3.. Troiaa.Gcn cnu5515373 TO) E \1zn Jde'.e.tedk>.3X> 5.. YD5.TroiaikNooUD (0) (E \ t z r Jdc'.c. Jdc'.c. rdlo.a Xf S. S... JS JSJWCC(B)

MjtptctottcM cM*tHaveb ebeendetecte teddurin ingthe1 e1

16regstry keys mrdiumrWc

I Scan finished!

If there*vjc beer anyMa anyMalware foundonvowP donvow PC. rwi tan obtainrare rarerrfbraiatKMon** obouteochOctcctrCMa hOctcctrCMal*arc. Cld< the1 the 1M11 ■of tie detected nalwarcto $rc Ina Inarrw Inow** wndorv. rrwInow**

2 files highrisk

2fifes high risk 2 f i t s •Highrisk

Cltk onVicv»01detected

locittorV .o get a Kt o' «1 kxjtd

eocroorcnts!ha rcnts!hatarc•cotcc arc •cotcc » the Mfll^rtip Mfll^rt ip name.

Sebct01!objectsyou/ran: to quatan annrw !hendrfcê

T»1irt'Mtrr «H «Her*eHrMerN" er*eHr MerN"

—

ASout •ftc £0twa e

© 2a03-2D:2ErKB=#r

http://www.emsisoft.com

Copyright © by EGEG-CO COBnci!. Bnci!. All Rights Reserved. Reproducti on is Stri Stri ctly Prohibi ted.

A n t ii - T r o j a n S o f tw t w a r e : E m s i s o f t A n t i -M -M a l w a r e Source: h t t p : / / w w w . e m s i s o f t . c o m E m s i so so f t A n t i - M a l w a r e p r o v id i d e s r e lili a b le le p r o t e c t i o n o f y o u r s y s t e m a g ai a i n st s t v a r io io u s t h r e a t s s u c h as

viruses,

Trojans,

spyware,

adware,

worms,

bots,

keyloggers,

and

rootkits.

It

has

two

combined scanners (antivirus and anti-malware) for cleaning infection and three guards against n e w i n f e c t i o n s : f ilil e g u a r d , b e h a v i o r b l o c k e r , a n d s u r f p r o t e c t i o n .

Module 06 Page 996



E m s is o f t

&

AN ANTI-MALWARE

SCANC NCOM PUTER Scanned objects :

r


497483

/

Detected objects:

317

Removed objects:

ijLigS 0

\ Se a n n in g : Scan Scan finishe finished! d!

Diagnosis Trace.ReqistrvTrace.Reqi strv-Windows Windows Password Pass word CA)

PI

9 p i

Details 62 registry keys - medium risk

A

View View all all detected locations...

Trace.Reaistrv.LCP 5.0 fA)

Scan finished!

16 regis try k eys - medium um risk

ffl View View all all detected locations...

HTI Trace.Re Trac e.Reais aistr trv.Pr v.Proact oactive ive Svstem Svst em Password Re< Re<15 15reoistry keys - medium risk 5) View all detec ted locations ... |w |

Troian.Generic.5515373 (B) (B)

2 files - high risk

b

ffl View View all all detected locations... 0

VBS.Troian.Noob.BfB)

2 files - high risk

ffl View View all all detected locations... 2 files - high risk 3&AXCCXB) Suspicious files have been detected during the scan. 0

If there has been any Malware Malware found on your PC, you can obtain more information online about each detected Malware. Malware. Click c k the name of the detected malware to view the description in a new browser window.

V

Clide Clide on "View all detec ted locations’ to g et a list o f all all found components components tha t are related to the Malware name. Select all all objects you w ant to quarantine and then didc the iflrantinp vIprtpH nhip rfc' Oi iflrantinp

© 2003-2012 Emsisoft Emsisoft

About this software

F IG IG U RE RE 6 . 6 6 : E m s i s o f t A n t i - M a l w a r e

Mo dule 06 Page Page 997

Ethical Hacking and Coun termea sures Copyright © by EC-C0 EC-C0Un UnCi Cill All Rights Reserved. Reproduction is Strictly Prohibited.



An A n t i - T r o j a n S o f t w a r e s Anti-Trojan Shield (ATS) a□ □

p H

http://www.spamfighter.com

---------- -

Spyware Doctor Doctor

Anti Trojan Elite

http://www.pctools. com

http://www.remove-trojan.com

h t t p : / / w w w . . c omodo. com

H

S P Y W A R E f i g h te r

http://www.atshield.com http://www.atshield. com

Anti Malware BOCIean

- [nn|

CEH

V'

SUPERAntiSpyware

A

http://www.superantispyware.com

Anti Hacker

Trojan Remover

http://www.hide-my-ip.com

http://www.simplysup.com http://www.simplysup. com

XoftSpySE

Twister Antivirus

http://www.paretologic.com

http://www.filseclab.com


* A nti-Tro jan Softw are Anti-Trojan

software

provides

protection

to

your

computer

system

and

the

information stored on it by blocking various malicious threats such as Trojans, worms, viruses, b a c k d o o r s , m a l i c i o u s A c t iv i v e X c o n t r o l s , a n d J av av a a p p l e t s t o e n t e r y o u r s y s t e m . A f e w o f t h e a n t i T r o j a n s o f t w a r e p r o g r a m s t h a t a r e u s e d f o r t h e p u r p o s e o f k i l l in in g m a l w a r e a r e l i s te t e d as as f o l l o w s : 9

A n t i - T r o j a n S h ie ie l d ( AT AT S) S) a v a i l a b l e a t h t t p : / / w w w . a t s h i e l d . c o m

9

S p y w a r e D o c t o r a v a i l a bl bl e a t h t t p : / / w w w . p c t o o l s . c o m

9

A n t i M a l w a r e BO BO C I ea ea n a v a i l a b l e a t h t t p : / / w w w . c o m o d o . c o m

9

Anti Hacker available at h t t p : / / w w w . h i d e - m v - i p . c o m

9

X o f tS tS p y S E a v a i l a b l e a t h t t p : / / w w w . p a r e t o l o g i c . c o m

9

SPYWAR Efighter available at h t t p : / / w w w . s p a m f i g h t e r . c o m

9

A n t i T r o j a n E lili t e a v a i l a b l e a t h t t p : / / w w w . r e m o v e - t r o i a n . c o m

9

SUPERA ntiSpyware available at h t t p : / / w w w . s u p e r a n t i s p y w a r e . c o m

9

T r o i a n R e m o v e r a v a i l ab ab l e a t h t t p : / / w w w . s i m p l y s u p . c o m

9

T w i s t e r A n t i v i r u s a v a i l ab ab l e a t h t t p : / / w w w . f i l s e c l a b . c o m

Module 06 Page 998




M odule Flow Fl ow

EH

Trojan Concepts

Trojan Infection

**S

Countermeasures

Types of Trojans


M o d u l e F lo lo w A s a p e n e t r a t i o n t e s t e r , y o u s h o u l d f o l l o w t h e s a m e s t r a t e g ie ie s a s t h a t o f a n a t t a c k e r t o t e s t y o u r n e t w o r k o r s y st s t e m a g a i ns n s t T r o j a n a n d b a c k d o o r a t t a c k s . Yo Y o u s h o u ld ld p e r f o r m a l l t h e available attacking techniques including the newly emerged attacking techniques. This allows y o u t o f i g u r e o u t t h e l o o p h o l e s o r v u l n e r a b i l it it i e s i n t h e t a r g e t o r g a n i z a t i o n ' s s e c u r i ty ty . I f y o u f i n d a n y v u l n e r a b i l i t ie ie s o r l o o p h o l e s , y o u s h o u l d s u g g e s t c o u n t e r m e a s u r e s t h a t c a n m a k e t h e organization's security better and stronger.

Trojan Concepts

Countermeasures —

, •

Trojans Infection

! / — V —

Types of Trojans

| | || | r

Anti-Trojan Software P e n e t r a t i o n T e s t in in g

Trojan Detection

Module 06 Page 999




P e n Testin Testing g fo for Trojans a n d Backdoors Use tools such as

0

TCPViewand

CEH

S c an an t h e s y st st e m fo fo r o p e n p o r ts ts , running processes, processes, registry entries,

CurrPorts

device drivers and services services 0

If any suspicious port, process, process, registry entry, device driver or

Scan for running Processes

Use tools such as

service is discovered, discovered, che ck the

W h a t ' s R u n n in in g

associated executable files 0

C o l le le c t m o r e i n f o r m a t i o n a b o u t these from pu blisher's websites, if

Scan for registry entries Scan for device drivers installed on the computer

Scan for Windows services

Use tools such as jv l6 Po we r To ols 2012 and PC Tools Registry Mechanic

available, and Internet 0

C h e c k i f t h e o p e n p o rt rt s ar ar e k n o w n to be opened by Trojans in wild

Use tools such as DriverView and D r i v e r D e t e c t iv iv e

Use tools such as SrvMan and ServiWin

Copyright © by

EG-G*ancil. All


P e n T e s t i n g fo fo r T r o j a n s a n d B a c k d o o r s Step 1: Scan for open ports O p e n p o r t s a r e t h e p r i m a r y s o u r c e s t o l a u n c h a t ta ta c k s . T h e r e f o r e , i n a n a t t e m p t t o m a k e y o u r network secure by conducting pen testing, you should find the open ports and protect them. Y o u ca ca n f i n d t h e u n n e c e s s a r y o p e n p o r t s b y s c a n n i n g f o r o p e n p o r t s . F o r t h i s p u r p o s e , y o u c a n use the tools such as TCPView and CurrPorts.

Step 2: Scan for running processes Most Trojans don't require the user to start the process. They start automatically and don't even no tify the use err . Th Th i s k in in d o f T r o j a n c a n b e d e t e c t e d b y s c a n n i n g f o r r u n n i n g p r o c e s s e s . In In order to scan for running processes, you can use tools such as What's Running, which scans y o u r s y s t e m a n d l i st st s a llll c u r r e n t l y a c t i v e p r o g r a m s , p r o c e s s e s , s e r v ic ic e s , m o d u l e s , a n d n e t w o r k c o n n e c t i o n s . I t al al s o i n c lu lu d e s s p e c ia ia l a r ea ea s t o d i s p l a y s t a r t u p p r o g r a m s .

Step 3: Scan for registry entries A f e w T r o ja ja n s r u n i n th t h e b a c k g r o u n d w i t h o u t a n y n o t i f ic ic a t i o n t o t h e s y s te t e m ' s u se s e r. r. I f y o u w a n t to test for such Trojans, then you should scan for registry entries. This can be done with the h e l p o f t o o l s s u c h a s J V P o w e r T o o l s a n d PC T o o l s R e g i s t r y M e c h a n i c .

Mo dule 06 Page Page 1000

Ethical Hacking and Coun termea sures Copyright © by EC-C0 EC-C0Un UnCi Cill All Rights Reserved. Reproduction is Strictly Prohibited.



Step 4: Scan for device drivers installed on the computer I n o r d e r t o c o n t r o l t h e h a r d w a r e , m o s t m o d e r n O Se S e s u se se t h e i r o w n d e v i c e d r i v e rs rs . A t t a c k e r s c a n t a k e a d v a n t a g e o f t h i s s i t u a t i o n t o s p r e a d T r o j a n s a n d b a c k d o o r s t h r o u g h d e v i c e d r iv iv e r f ilil e s. s. T r o j a n s s p r e ad a d t h r o u g h d e v i c e d r i v e r s i n f e c t t h e d e v i c e d r i v e r f i le le s a n d o t h e r p r o c es es s es es .

Step 5: Scan for Windows services I f y o u f i n d a n y o f t h e W i n d o w s s e r v ic ic e s s u s p ic ic i ou ou s , t h e n c h e c k t h e a s s o c i a t ed e d e x e c u t a b l e f i l es es . To scan Windows services, you can use the tools such as SrvMan and ServiWin.

Module 06 Page 1001




Step 6: Scan for startup programs S o m e T ro r o j a ns n s r u n a u t o m a t i c a l l y w h e n y o u s t a r t W i n d o w s . T h e r e f o r e , s c an an f o r S t a r t u p p r o g r a m s using tools such as Starter, Security AutoRun, and Autoruns and check the listed startup programs

and

determine

if

all

the

programs

in

the

list

can

be

recognized

with

known

functionalities.

Step 7: Scan for files and folders T h e e a sy sy w a y f o r a n a t t a c k e r t o h a c k a s y s t e m i s w i t h t h e u s e o f f ilil e s e m b e d d e d w i t h T r o j a n p a c k a g e s. s. F i r e w a l l s , ID ID Se Se s, s, a n d o t h e r s e c u r i t y m e c h a n i s m s m a y f a i l t o p r e v e n t t h i s k i n d o f attack. Therefore, you need to scan all files and folders for Trojans and backdoors. You can scan files and fold ers using tools such as FCI FCIV, V, TRIPWIRE, TRIPWIRE, SIGV SIGVER ERIF, IF, FastSum, and W inM D 5.

Step 8: Scan for network activities N e t w o r k a c t i v it it i e s s uc u c h as as u p l o a d o f b u l k f i le le s o r u n u s u a l l y h ig ig h t r a f f i c g o i n g t o a p a r t i c u l a r w e b a d d r e ss ss m a y s o m e t i m e s r e p r e s e n t a s ig ig n o f T r o j a n . Yo Yo u s h o u l d s ca c a n f o r s uc uc h n e t w o r k a c t i v i t i e s . T o o l s s u c h a s C ap ap s a N e t w o r k A n a l y z e r c an an b e u s e d f o r t h i s p u r p o s e .

Module 06 Page 1002




Step 9: Scan for modification to OS files Check the critical OS file modification or manipulation using tools such as TRIPWIRE or m a n u a l l y c o m p a r e h a ssh h v a l u es e s i f y o u h a v e a b a c k u p c o py py .

Step 10: Run Trojan Scanner to detec t Trojans Trojan scanners such as Trojan Hunter and Emsisoft Anti-Malware are readily available in the m a r k e t . Y o u c an an i n s t a llll a n d r u n t h o s e T r o j a n s c a n n e r s t o d e t e c t T r o j a n s o n y o u r s y s t e m .

Module 06 Page 1003




P e n Testin Testing g fo for Trojans a n d Backdoors (Cont’d) Document all the findings

0

If Trojans ••>

are d e t e ct ct e d ?

CEH

Docum ent all your findings in

NO

previous steps; it helps in

A.

d e t e r m i n i n g t h e n e x t a c t io io n i f Trojans are identified in the system

YES

0

I s o l a te te i n f e c t e d s y s t e m f r o m the network immediately to prevent further infection

I s o l a te te t h e m a c h i n e f ro ro m n e t w o r k

9

S a n i titi z e t h e c o m p l e t e s y s t e m for Trojans using an updated anti-virus

solution to clean Trojans

Copyright © by

EG-G*ancil. All


P e n T e s t in i n g f o r T r o j a n s a n d B a c k d o o r s ( C o n t ’d ’d ) Step 11: Document all the findings Once you conduct all possible tests to find the Trojans, document all the findings that you obtain at each test for analysis and check if there is any sign of a Trojan.

Step 12: Isolate the machine from the network W h e n y o u f i n d a T r o j a n o n a m a c h i n e , y o u s h o u ld ld i s o l a te te t h e m a c h i n e i m m e d i a t e l y f r o m t h e n e t w o r k b e f o r e i t ta t a k e s c o n t r o l o v e r o t h e r s y s t em e m s i n th t h e n e t w o r k . C h ec ec k w h e t h e r t h e a n t i v i ru ru s software is updated or not. I f t h e a n t i v i r u s is i s n o t u p d a t e d , t h e n u p d a t e i t a n d t h e n r u n i t t o s c an an t h e s y s t e m . I f t h e a n t i v i r u s i s a l r e a d y u p d a t e d , t h e n f i n d o t h e r a n t i v i r u s s o l u t i o n s t o c l e a n T r o ja ja n s .

Module 06 Page 1004




Module Module Sum m ary

C EH

Trojans are malicious pieces of code that carry cracker softwa re to a target system □

They are used primarily to gain gain and retain retain access on the target system

□

They often reside deep in in the system and make make registry registry changes changes that allow them to meet their purpose as a remote administration tool

□

Popular Trojans Trojans include include MoSucker, Remo teBy Mail , Illusion Illusion Bot, and and Zeus Zeus

□

Aware ness and preventive meas ures are the best defences against Trojans Trojans

□

Using anti-Tr anti-Trojan ojan tools such such as TrojanHunter and Emsisoft Anti-Malwa re to detect and eliminate Trojans Trojans


M o d u llee S u m m a r y 9

T r o j a n s a r e m a l ic i c i o u s p ie i e c e s o f c o d e t h a t c a r ry ry c r a c k e r s o f t w a r e t o a t a r g e t s y s te te m .

©

T h e y a re re u s ed ed p r i m a r i l y t o g a i n a n d r e t a i n a cc cc e s s o n t h e t a r g e t s y s t e m .

9

T h e y o f t e n r e s i de d e d e e p in in t h e s y s t e m a n d m a k e r e g i s t ry r y ch ch a n g e s t h a t a l l o w t h e m t o m e e t t h e i r p u r p o s e a s a r e m o t e a d m i n i s t ra ra t i o n t o o l .

0

P o p u l a r T r o j a n s i n c l u d e M o S u c k e r , R e m o t e B y M a i l , I l l u s io io n Bo Bo t , a n d Z e us us .

0

A w a r e n e s s a n d p r e v e n t i v e m e a s u r e s a r e t h e b e s t d e f e n c e s a g a i n s t T r o j an an s .

9

U s in i n g a n t i - T r o j a n t o o l s su s u c h a s T r o j a n H u n t e r a n d E m s i s of o f t A n t i - M a l w a r e t o d e t e c t a nd nd e l i m i n a t e T r o j a ns ns .

Module 06 Page 1005


CEHv8 Module 06 Trojans and Backdoors.pdf

Recommend Documents