Trojans, Backdoors, Rootkits, Viruses, and Worms (presentation transcript)


Slide 1: Trojans, Backdoors, Rootkits, Viruses, and Worms

Slide 2
- Trojan: a program that hides malicious code
- Backdoor: a way of accessing a computer without the security and authentication procedures that are normally required
- Rootkit: modifies the OS to conceal malicious programs while they run
- Virus: self-replicating (within a machine) by producing its own code; attaches copies of itself to other executable code
- Worm: infects local and remote machines; spreads automatically

Slide 3
- Example: Melissa "Virus" (1999)
- Trojan: entered computers by masquerading as an
- Virus: infected word-processing files when they were opened
- Worm: used Outlook to spread itself to the user's personal address book

Slide 4: Trojan
- Malicious program disguised as something benign
- Often delivered as part of a "wrapper" process
- Examples:
  - BackOrifice: or – "Cult of the Dead Cow"
  - NetBus: 12345, 12346,
  - Whack-a-mole: or
- Delivered via:
  - NetBIOS remote install
  - Fake executables
  - ActiveX controls, VBScript, JavaScript
  - Spyware / Adware

Slide 5: Backdoor
- Allows access to the system
- Often delivered via a Trojan
- May install a new service, or use an unused existing service
- Remote Access Trojan (RAT)

Slide 6
- Overt channel: normal and legitimate use of a program
- Covert channel: using a program in an unintended way
- Tunneling is an effective way for Trojans to bypass an IDS
- Port redirectors: modify which ports are used
  - Datapipe (Linux)
  - Fpipe (Windows)
- Port analysis
  - Fport: identifies unknown open ports and the applications associated with them

Slide 7
- Remote Access Trojans (RATs)
- Data-sending Trojans: collect passwords and other confidential data (e.g. eBlaster)
- Destructive Trojans: destroy files or the OS
- DoS Trojans: cause a DoS attack
- Proxy Trojans: help the attacker hide
- FTP Trojans: connect via port 21
- Security software disabler Trojans (e.g. FireKiller 2000)

Slide 8
- External attacker accesses internal systems
- QAZ: port 7597; replaces Notepad.exe with Note.com
- Tini: port 7777; Windows backdoor Trojan that gives a command prompt to anyone who connects
- Donald Dick: or
- NetBus: 12345, 12346, 20034,
- Netcat: allows a telnet-style session. Sample command: nc –L –p 5000 –t –e cmd.exe
- SubSeven
- BackOrifice 2000:
- Firekiller 2000

Slide 9
- Programs auto-starting and running
- Screen flips
- Sudden reduction in system resources
- Corrupt or missing files
- CD-ROM drawer opens and closes
- Wallpaper, background, etc. changes
- Unexpected or suspicious Web sites
- Mouse moves by itself or the pointer disappears
- Taskbar disappears
- Task Manager is disabled

Slides 10–12: ports used by known Trojans (check with netstat -an)

| Trojan | Protocol | Port(s) |
|---|---|---|
| Back Orifice | UDP | 31337, |
| Deep Throat | UDP | 2140, 3150 |
| NetBus | TCP | 12345, |
| Whack-a-Mole | TCP | 12361, |
| NetBus 2 | TCP | 20034 |
| GirlFriend | TCP | 21544 |
| Sockets de Troie | TCP | 5000, 5001, |
| Masters Paradise | TCP | 3129, 40421, 40423, 40426 |
| Devil | TCP | 65000 |
| Evil | TCP | 23456 |
| Doly Trojan | TCP | 1011, 1012, 1015 |
| Chargen | UDP | 9, 19 |
| Stealth Spy Phaze | TCP | 555 |
| NetBIOS datagram | TCP, UDP | 138 |
| Sub Seven | TCP | 6711, 6712, 6713 |
| ICQ Trojan | TCP | 1033 |
| MStream | UDP | 9325 |
| The Prayer 1.0 – 2.0 | TCP | 9999 |
| Online KeyLogger | UDP | 49301 |
| Portal of Doom | TCP, UDP | 10067, |
| Senna Spy | TCP | 13000 |
| Trojan Cow | TCP | 2001 |
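As an added example that is not part of the original slides, the Python script below applies the port table above to a constructed, Windows-style `netstat -an` listing and flags sockets on known Trojan ports. The table subset, the sample output and the function names are my own choices.

```python
import re

# Subset of the Trojan port table from slides 10-12: name -> (protocol, ports).
TROJAN_PORTS = {
    "Back Orifice": ("UDP", [31337]),
    "Deep Throat": ("UDP", [2140, 3150]),
    "NetBus": ("TCP", [12345, 12346]),
    "NetBus 2": ("TCP", [20034]),
    "Whack-a-Mole": ("TCP", [12361]),
    "Sockets de Troie": ("TCP", [5000, 5001]),
    "Doly Trojan": ("TCP", [1011, 1012, 1015]),
    "Sub Seven": ("TCP", [6711, 6712, 6713]),
    "Senna Spy": ("TCP", [13000]),
}
# Reverse lookup: (protocol, port) -> Trojan name.
PORT_INDEX = {(proto, p): name
              for name, (proto, ports) in TROJAN_PORTS.items() for p in ports}

# Constructed sample of Windows `netstat -an` output, not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:6711      10.0.0.5:4432          ESTABLISHED
  TCP    192.168.1.10:49875     192.0.2.50:443         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket line in the output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _addr, port, _foreign, state = m.groups()
            yield proto, int(port), state or ""

def find_suspicious_ports(text, index=PORT_INDEX):
    """Return [(proto, port, state, trojan)] for sockets on known Trojan ports.

    LISTENING (a backdoor waiting for its client) and ESTABLISHED (a session
    already open) are both reported. A hit is a lead for Fport or Task Manager
    follow-up, not proof: legitimate software can use the same port number."""
    return [(proto, port, state, index[(proto, port)])
            for proto, port, state in parse_netstat(text)
            if (proto, port) in index]
```

On the sample, the NetBus listener, the Sub Seven session and the Back Orifice UDP socket are reported while the RPC, NetBIOS and HTTPS sockets are not.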

Slide 13
- Features: firewall testing, port scanning, creating a backdoor, identifying services
- Command-line interface; opens TCP and UDP connections
- -d: detach from the console
- -l -p [port]: creates a listening TCP port
- -z: port scanning (zero-I/O mode)
- -v: verbose mode
- -e [program]: runs the given program when a connection is made
- -L: auto-restart after a dropped connection
- -u: switches to UDP

Slide 14
- Three things needed: a legitimate program, a Trojan program, a wrapper program
- Wrappers bundle Trojans with legitimate software; examples: Trojan Man, Yet Another Binder, Predator Wrapper, Graffiti, EXE Maker, Restorator

Slide 15
- Spyware detectors: Malwarebytes, Norton Internet Security
- Fport
- Tripwire: checks file signature, size and integrity
- Dsniff: contains Trojans; a collection of hacking tools
- Windows built-in commands: Sigverif; SFC (System File Checker): sfc /scannow
- "What's Running" or "What's on My Computer?"
- Be wary of free cleaning applications

Slide 16
- International Computer Security Association (ICSA): sets standards for AV software
- Virus: infects another file and spreads
- Worm: does not need a carrier program; often exists inside other files (like Word or Excel); examples: Nimda, I Love You

Slide 17
- Polymorphic: changes its signature to avoid detection; e.g. Virut (removal requires a reformat)
- Stealth: hides itself from detection
- File: infects files that can be loaded or executed (.exe, .com, .bin, .sys)
- Armored: encrypted
- Boot sector: modifies the master boot files
- System sector: affects the executable code of the disk
- Program: infects .BIN, .COM, .EXE and .SYS files

Slide 18
- Macro: performs a sequence of actions when a particular application is triggered; e.g. Excel
- Tunneling: tunnels under antivirus software and hides
- Multipartite: affects multiple targets
- Dual payload: e.g. Chernobyl, which overwrites the first MB of the hard disk with zeros and replaces the BIOS code with garbage
- Network: runs code on remote systems
- Source code: not common; very hard to write because of the different compilers and languages

Slide 19
- Example: a batch file called Game.bat containing:
  echo off
  delete c:\windows\system32\*.*
  delete c:\windows\*.*
- Convert Game.bat to Game.com with the 'bat2com' utility
- Assign an icon with the Windows file properties screen
- Send as an attachment

Slide 20
- Kefi's HTML Virus Construction Kit
- Virus Creation Laboratory v1.0
- The Smeg Virus Construction Kit
- Rajaat's Tiny Flexible Mutator v1.1
- Windows Virus Creation Kit v1.00

Slide 21
- Scan with an up-to-date scanner
- Use a sheep-dip machine or SocketShield
- Isolate one computer from the network and run downloaded software there first
- Integrity checking: Tripwire, with MD5; downside: it cannot distinguish changes made by a virus from changes made by a bug
- Testing antivirus software: EICAR.com (the standard AV test file; its contents end in FILE!$H+H*)
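An added example, not from the original slides, of the integrity-checking idea on slides 15 and 21: it records the size and digest of every file under a directory and reports what changed on a rescan. SHA-256 is used instead of the MD5 the slide names, and the function names are my own.

```python
import hashlib
import os

def hash_file(path, chunk_size=65536):
    """SHA-256 digest of a file, read in chunks so large binaries fit in memory.

    The slide names MD5; SHA-256 is used here because MD5 collisions let an
    attacker substitute a modified file that keeps the recorded digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (path relative to root) to (size, digest)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # links are skipped; a file swapped for a link shows as deleted
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline

def compare_baselines(old, new):
    """Return {'added': [...], 'deleted': [...], 'modified': [...]}, each sorted.

    Every difference is reported the same way: as the slide notes, the check
    cannot tell an infected executable from a legitimately patched one, so
    each 'modified' entry needs an explanation (a patch record, for instance)."""
    return {
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }

def check_tree(root, baseline):
    """Rescan root and report drift against a baseline stored earlier."""
    return compare_baselines(baseline, build_baseline(root))
```

The baseline must be stored where the monitored system cannot alter it (read-only media or another host), otherwise a Trojan that replaces a file can update the record as well.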
