Presentation on theme: "Trojans, Backdoors, Rootkits Viruses, and Worms"— Presentation transcript:
Slide 1: Chapter 5 - Trojans, Backdoors, Rootkits, Viruses, and Worms
Slide 2: Definitions
- Trojan: a program that hides malicious code
- Backdoor: a way of accessing a computer without the security and authentication procedures that are normally required
- Rootkit: modifies the OS to conceal malicious programs while they run
- Virus: self-replicating (within a machine) by producing its own code; attaches copies of itself to other executable code
- Worm: infects local and remote machines; spreads automatically
Slide 3: Some overlap
Example: Melissa "Virus" (1999)
- Trojan: entered computers by masquerading as an
- Virus: infected word processing files when opened
- Worm: used Outlook to spread itself to the user's personal address book
Slide 4: Trojans and Backdoors
Trojan:
- Malicious program disguised as something benign
- Often delivered as part of a "wrapper" process
Examples:
- BackOrifice: or - "Cult of the Dead Cow"
- NetBus: 12345, 12346, 20034
- Whack-a-mole: or 12362
Delivered via:
- NetBIOS remote install
- Fake executables
- ActiveX controls, VBScript, Java scripts
- Spyware / Adware
Slide 5: Trojans and Backdoors
Backdoor:
- Allows access to the system
- Often delivered via a Trojan
- May install a new service, or use an unused existing service
- Remote Access Trojan (RAT)
Slide 6: Overt & Covert Channels
- Overt: normal and legitimate use
- Covert: using programs in an unintended way
- Tunneling is a good way for Trojans to bypass an IDS
- Port redirectors: modify which ports are used
  - Datapipe (Linux)
  - Fpipe (Windows)
- Port analysis
  - Fport: identify unknown open ports and their associated applications

Speaker notes:
Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

FPipe is a TCP source port forwarder/redirector. It can create a TCP stream with a source port of your choice. This is useful for getting past firewalls that allow traffic with source ports of, say, 23 to connect with internal servers. Usually a client has a random, high-numbered source port, which the firewall picks off in its filter. However, the firewall might let Telnet traffic through. FPipe can force the stream to always use a specific source port, in this case the Telnet source port. By doing this, the firewall 'sees' the stream as an allowed service and lets the stream through. FPipe basically works by indirection. Start FPipe with a listening server port, a remote destination port (the port you are trying to reach inside the firewall) and the (optional) local source port number you want. When FPipe starts it will wait for a client to connect on its listening port. When a listening connection is made, a new connection to the destination machine and port with the specified local source port will be made, creating the needed stream. When the full connection has been established, FPipe forwards all the data received on its inbound connection to the remote destination port beyond the firewall.

FPipe can run on the local host of the application that you are trying to use to get inside the firewall, or it can listen on a third server somewhere else. Say you want to telnet to an internal HTTP server that you just compromised with MDAC. A netcat shell is waiting on that HTTP server, but you can't telnet because the firewall blocks it off. Start FPipe with the destination of the netcat listener, a listening port and a source port that the firewall will let through. Telnet to FPipe and you will be forwarded to the NetCat shell. Telnet and FPipe can exist on the same server, or on different servers.
Slide 7: Types of Trojans
- Remote Access Trojans (RATs)
- Data-Sending Trojans: collect passwords and other confidential data; e.g. eBlaster
- Destructive Trojans: destroy files or the OS
- DoS Trojans: cause a DoS attack
- Proxy Trojans: help the hacker hide
- FTP Trojans: connect via port 21
- Security Software Disabler Trojans: e.g. FireKiller 2000
Slide 8: Reverse Connecting Trojans
External attacker accesses internal systems
- QAZ: 7597; replaces Notepad.exe with Note.com
- Tini: 7777; Windows backdoor Trojan allowing a command prompt to anyone who connects
- Donald Dick: or 23477
- NetBus: 12345, 12346, 20034, 23476
- Netcat: allows a telnet session; sample command: nc -L -p 5000 -t -e cmd.exe
- SubSeven
- BackOrifice 2000: 31337
- Firekiller 2000
Slide 9: Symptoms of Trojans
- Programs auto-starting and running
- Screen flips
- Sudden reduction in system resources
- Corrupt or missing files
- CD-ROM drawer opens and closes
- Wallpaper, background, etc. changes
- Unexpected/suspicious Web sites
- Mouse moves by itself or pointer disappears
- Taskbar disappears
- Task Manager is disabled
Slide 10: Scanning for Trojans
netstat -an
Trojan              Protocol   Ports
Back Orifice        UDP        31337, 31338
Deep Throat         UDP        2140, 3150
NetBus              TCP        12345, 12346
Whack-a-Mole        TCP        12361, 12362
NetBus 2            TCP        20034
GirlFriend          TCP        21544
Sockets de Troie    TCP        5000, 5001, 50505
Masters Paradise    TCP        3129, 40421, 40422, 40423, 40426

Slide 12: Scanning for Trojans
Trojan              Protocol   Ports
The Prayer 1.0-2.0  TCP        9999
Online KeyLogger    UDP        49301
Portal of Doom      TCP, UDP   10067, 10167
Senna Spy           TCP
Trojan Cow          TCP        2001
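The check slides 6, 10 and 12 describe (netstat output compared against a list of known Trojan ports, with the Fport-style mapping of each port to its owning process) can be automated. The following is an added example, not a tool from the presentation: it parses the text output of `netstat -ano` (the Windows form whose -o column adds the owning PID), looks every local port up in the port table from the slides, and groups hits by PID. The netstat lines inside the block are constructed for the example. A port match is only a lead: a legitimate service can sit on the same port (TCP 5000 is a common example) and a Trojan can be moved to any port, so each hit still has to be confirmed by identifying the process behind the PID and inspecting its binary.

```python
"""Flag local ports that match the presentation's Trojan port table.

Added example (not from the original presentation). Parses `netstat -ano`
text output, reports local ports that appear in the Trojan port list from
the "Scanning for Trojans" slides, and groups the hits by owning PID.
"""
import re

# Port table reproduced from slides 10 and 12 (Senna Spy has no port on the slide).
TROJAN_PORTS = {
    ("UDP", 31337): "Back Orifice", ("UDP", 31338): "Back Orifice",
    ("UDP", 2140): "Deep Throat", ("UDP", 3150): "Deep Throat",
    ("TCP", 12345): "NetBus", ("TCP", 12346): "NetBus",
    ("TCP", 12361): "Whack-a-Mole", ("TCP", 12362): "Whack-a-Mole",
    ("TCP", 20034): "NetBus 2",
    ("TCP", 21544): "GirlFriend",
    ("TCP", 5000): "Sockets de Troie", ("TCP", 5001): "Sockets de Troie",
    ("TCP", 50505): "Sockets de Troie",
    ("TCP", 3129): "Masters Paradise", ("TCP", 40421): "Masters Paradise",
    ("TCP", 40422): "Masters Paradise", ("TCP", 40423): "Masters Paradise",
    ("TCP", 40426): "Masters Paradise",
    ("TCP", 9999): "The Prayer 1.0-2.0",
    ("UDP", 49301): "Online KeyLogger",
    ("TCP", 10067): "Portal of Doom", ("TCP", 10167): "Portal of Doom",
    ("UDP", 10067): "Portal of Doom", ("UDP", 10167): "Portal of Doom",
    ("TCP", 2001): "Trojan Cow",
}

# Constructed sample of `netstat -ano` output. Windows prints proto, local
# address, foreign address, state (TCP only) and PID; UDP rows have no state.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.20:49720     93.184.216.34:443      ESTABLISHED     2208
  TCP    192.168.1.20:5000      10.0.0.7:1045          ESTABLISHED     4120
  UDP    0.0.0.0:31337          *:*                                    4120
  UDP    0.0.0.0:137            *:*                                    4
"""

# proto, local address, local port, foreign address, optional state, PID.
# The state group only admits upper-case words, so a UDP row's PID is never
# mistaken for a state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return (proto, local_port, state, pid) for every socket row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local_addr, port, _foreign, state, pid = m.groups()
        rows.append((proto, int(port), state or "", int(pid)))
    return rows


def find_trojan_ports(text):
    """Rows whose (proto, local port) is in the slide's table, in netstat order."""
    hits = []
    for proto, port, state, pid in parse_netstat(text):
        name = TROJAN_PORTS.get((proto, port))
        if name:
            hits.append({"proto": proto, "port": port, "state": state,
                         "pid": pid, "trojan": name})
    return hits


def suspicious_pids(text):
    """Group hits by PID: one process owning several known Trojan ports is a stronger signal."""
    by_pid = {}
    for hit in find_trojan_ports(text):
        by_pid.setdefault(hit["pid"], set()).add(hit["trojan"])
    return by_pid


if __name__ == "__main__":
    for hit in find_trojan_ports(SAMPLE_NETSTAT):
        print("{proto} {port:<6} {state:<12} PID {pid}: matches {trojan}".format(**hit))
    print("PIDs to investigate:", suspicious_pids(SAMPLE_NETSTAT))
```

On a live host, feed the function the captured output (`netstat -ano > ports.txt`, then read the file) and follow each PID up with `tasklist /FI "PID eq <pid>"` or Fport to see which executable owns the port; the sample deliberately has one PID (4120) on three listed ports and one benign-looking match (TCP 5000) to show why PID grouping, not a single port hit, should drive the triage.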
Slide 13: Netcat
Features: a command-line interface that opens TCP and UDP connections; firewall testing, port scanning, creating a backdoor, identifying services
Options:
- -d: detach from the console
- -l -p [port]: creates a listening TCP port
- -z: port scanning
- -v: verbose mode
- -e: run at any time
- -L: auto restart after a dropped connection
- -u: switches to UDP
Best reading:
Slide 14: Wrappers (Glueware)
Three things needed:
- Legitimate program
- Trojan program
- Wrapper program
Bundle Trojans with legitimate software. Examples:
- Trojan Man
- Yet Another Binder
- Predator Wrapper
- Graffiti
- EXE Maker
- Restorator
Slide 15: Trojan Countermeasures
- Spyware detectors: Malwarebytes, Norton Internet Security
- Fport
- Tripwire: check file signature, size, integrity
- Dsniff: contains Trojans; a collection of hacking tools
- Windows built-in commands: Sigverif; SFC (System File Checker): sfc /scannow
- "What's Running" or "What's on My Computer?"
- Be wary of free cleaning applications
Slide 16: Viruses and Worms
- International Computer Security Association (ICSA): sets standards for AV software
- Virus: infects another file and spreads
- Worm: does not need a carrier program; often exists inside other files (like Word or Excel)
- Examples: Nimda, I Love You
Slide 17: Virus Types
- Polymorphic: changes its signature to avoid detection; e.g. Virut (requires reformat)
- Stealth: hides
- File: infects files that can load/execute (.exe, .com, .bin, .sys)
- Armored: encrypted
- Boot Sector: modifies master boot files
- System Sector: affects the executable code of the disk
- Program: infects .BIN, .COM, .EXE, .SYS files

Speaker notes:
In computer security, a stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software. Generally, stealth describes any approach to doing something while avoiding notice. Viruses that escape notice without being specifically designed to do so, whether because the virus is new or because the user hasn't updated their antivirus software, are sometimes described as stealth viruses too. Stealth viruses are nothing new: the first known virus for PCs, Brain (reportedly created by software developers as an anti-piracy measure), was a stealth virus that infected the boot sector in storage. Typically, when an antivirus program runs, a stealth virus hides itself in memory and uses various tricks to also hide changes it has made to any files or boot records. The virus may maintain a copy of the original, uninfected data and monitor system activity. When the program attempts to access data that has been altered, the virus redirects it to a storage area maintaining the original, uninfected data. A good antivirus program should be able to find a stealth virus by looking for evidence in memory as well as in areas that viruses usually attack. The term stealth virus is also used in medicine, to describe a biological virus that hides from the host immune system.
Slide 18: Virus Types (continued)
- Macro: performs a sequence of actions when a particular app is triggered; e.g. Excel
- Tunneling: tunnels under antivirus software and hides
- Multipartite: affects multiple targets
- Dual Payload: e.g. Chernobyl: changes the 1st MB of the HD to zero; replaces the BIOS code with garbage
- Network: runs code on remote systems
- Source Code: not common; very hard to write due to different compilers and languages
Slide 19: Writing a Virus
Example: batch file called Game.bat
  @ echo off
  delete c:\windows\system32\*.*
  delete c:\windows\*.*
- Convert Game.bat to Game.com with the 'bat2com' utility
- Assign an icon with the Windows file properties screen
- Send as attachment
Slide 20: Virus Construction Kits
- Kefi's HTML Virus Construction Kit
- Virus Creation Laboratory v1.0
- The Smeg Virus Construction Kit
- Rajaat's Tiny Flexible Mutator v1.1
- Windows Virus Creation Kit v1.00
Slide 21: Detecting Viruses & Worms
- Scanning with an UP TO DATE scanner
- Use Sheep Dip or SocketShield: isolate one computer from the network and run downloaded software there first
- Integrity checking: Tripwire with MD5; downside: can't tell differences made by a virus from those made by a bug
- Testing antivirus software: EICAR.com

Speaker notes:
SocketShield is a spyware removal product from explabs.com with a 4-star SoftSea rating. SocketShield is a dedicated zero-day exploit blocker. Using a combination of research technologies and an understanding of anti-malware techniques, the program is able to block exploits from entering your computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches, or how long it takes for you to install those patches. SoftSea.com has fully tested, reviewed and uploaded the install files; SocketShield does not contain any adware or spyware. The latest version is 1.1.1, and you can download this spyware removal software (2.36 MB) from SoftSea.com's server. The license of this antivirus & security software is Subscription, the price is $29.95, and you can download it and get a free trial before you buy. If you want the full or unlimited version of SocketShield, you can buy this antivirus & security software.
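The integrity checking that slide 15 (Tripwire: check file signature, size, integrity) and slide 21 (Tripwire with MD5) refer to works by recording a baseline of each file's size and digest and later comparing a fresh snapshot against it. The block below is an added example, not Tripwire or any code from the presentation: it baselines a directory, tampers with it in the way slide 8 describes for QAZ (a system file replaced, a new file dropped), and reports what changed. It records MD5 for parity with the slide but compares on SHA-256, because MD5 collisions can be constructed and a replacement file could be crafted to keep the same MD5. The sample files are created in a temporary directory by the example itself. The slide's stated downside still applies: the check says that a file changed, not why, so every reported change has to be triaged by a person.

```python
"""Tripwire-style file integrity check: baseline, re-snapshot, report changes.

Added example (not Tripwire and not code from the presentation). The sample
tree it inspects is constructed in a temporary directory for the demo.
"""
import hashlib
import os
import tempfile


def file_record(path):
    """Size plus MD5 and SHA-256 of one file, streamed so large files are fine."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def snapshot(root):
    """Map relative path (always '/'-separated) -> record for every file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = file_record(full)
    return records


def compare(baseline, current):
    """Classify differences as added, removed or modified (size or SHA-256 changed).

    SHA-256 is the comparison key; the stored MD5 is kept only for parity
    with the slide's 'Tripwire with MD5' and is not trusted on its own.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in set(baseline) & set(current)
        if baseline[path]["sha256"] != current[path]["sha256"]
        or baseline[path]["size"] != current[path]["size"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        with open(os.path.join(root, "system32", "notepad.exe"), "wb") as fh:
            fh.write(b"original notepad bytes")
        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"[settings]\n")
        baseline = snapshot(root)

        # Tampering in the style slide 8 attributes to QAZ: the system file is
        # overwritten and a new file appears; one unrelated file is deleted.
        with open(os.path.join(root, "system32", "notepad.exe"), "wb") as fh:
            fh.write(b"replaced notepad bytes")
        with open(os.path.join(root, "system32", "note.com"), "wb") as fh:
            fh.write(b"copy of the original")
        os.remove(os.path.join(root, "config.ini"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use the baseline dictionary would be written out (for example as JSON) right after a clean install and stored where the host cannot modify it, such as read-only media or another machine, since a baseline kept on the monitored host can be rewritten by the same code that altered the files.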