File000145
1. Module XXXII – Investigating Virus, Trojan, Spyware and Rootkit Attacks
2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
News: Police ‘Find’ Author of Notorious Gpcode Virus
Source: http://www.infoworld.com/ September 30, 2008

The infamous Gpcode "ransomware" virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld. The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack -- and probably earlier attacks in 2006 and 2007 -- using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC. The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private "master" key and must therefore be genuine.

Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the United States, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victims' machines. Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.
3. News: Researchers - Banks Need Better Security
Source: http://www.mxlogic.com/
4. News: Worms Attack Facebook, MySpace
05 December, 2008 12:49:00

Panda Security has detected Boface.G, a new worm that uses the Facebook and MySpace social networks to spread. “Worms are programmes that make copies of themselves in different places on a computer,” says Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “The objective of this type of malware is usually to saturate computers and networks, preventing them from being used.”

The Boface.G worm posts a link on the infected users’ profile or contacts panel to a fake YouTube video. Alternatively, it sends the infected users’ contacts a private message with the link. When they try to watch the video (which seems to come from one of their friends) they are taken to a web page where they are encouraged to download a Flash Player update to watch it. However, if they do so, they will let a copy of the worm into their computers and will infect all of their contacts.

“Social networks attract millions of users and have become one of cyber-crooks’ favourite ways to spread their malicious creations,” says Matthews. “Users of these social networks should try to confirm the origin of these messages before following links or downloading items to their computers”.

According to PandaLabs, one of the two social networks under attack has already taken measures to protect users from this malware. For protection against attacks like these, Facebook and MySpace users are encouraged to have an updated antivirus.
Source: http://mybroadband.co.za/
5. News: Webroot® Threat Advisory: Hackers Using Continental Flight 1404 Headlines to Scam Online News-Seekers
Source: http://news.prnewswire.com/
6. News: Rootkit Unearthed in Network Security Software
Source: http://www.theregister.co.uk/
7. News: PandaLabs’ 2009 Predictions - Malware Will Increase in 2009
Banker Trojans, Fake Antivirus Software, SQL Injection Attacks, Customized Packers & Obfuscators among the Most Popular Expected Cybercriminal Tactics
Glendale, CA (PRWEB) December 21, 2008

PandaLabs, Panda Security's malware analysis and detection laboratory, today announced that a significant increase in the volume of malware (viruses, worms, Trojans, etc.) is expected in 2009. Panda Security's laboratory detected more malware strains in the eight months between January and August of 2008 than in the previous 17 years combined.

Summing up, malware in 2009 is expected to grow and become more sophisticated and more difficult to detect. There will also be an increase in Web-based attacks and attacks through social networks, which allow for more silent infections. The financial crisis will also bring an increase in malware and false job offers. In addition to an overall growth in malware, PandaLabs made the following predictions:

1. Banker Trojans and fake antivirus solutions will be the most prevalent forms of malware in 2009. Banker Trojans are designed to steal login passwords for banking services, account numbers, etc., whereas fake antivirus solutions try to pass themselves off as real antivirus products to convince users they have been infected by malicious codes.
2. Social Networks will be a focal attack point by cybercriminals. We will continue to see worms in social networks spread malware from one user to another. Malicious codes designed to steal confidential data from unsuspecting users will also become more prevalent.
3. SQL injection attacks will continue to rise. SQL injection attacks involve vulnerabilities on the servers that host specific sites. Cyber-criminals exploit these vulnerabilities by infecting users that visit these Web pages without realizing they've been attacked.
4. Customized packers and obfuscators will grow in popularity. These tools are used by cybercriminals to compress malware and make detection more difficult. Criminals capitalizing on this form of attack will often successfully avoid the standard tools available in forums, websites, etc., and instead turn to their own obfuscators in an attempt to evade 'signature-based' detection by security solutions.
5. Expect a resurgence of classic malicious codes. The use of increasingly sophisticated detection technologies will drive cyber-crooks to turn to old codes, adapted to new needs.
6. Attacks on new operating systems and computing platforms will be on the rise. PandaLabs forecasts a significant proliferation of malware targeting new platforms such as Mac OS Leopard X, Linux or iPhone in the coming year. However, these new codes will never be as numerous as those for Windows systems.
7. Increased targeted attacks around issues stemming from the financial crisis will continue into 2009. Over the last few months of 2008, PandaLabs has reported a clear correlation between the financial crisis and an increase in malware strategies and techniques.
Source: http://www.prweb.com/
8. Module Objective
This module will familiarize you with:
• Viruses and Worms
• How to Know a Virus-Infected System
• Characteristics of a Virus
• Symptoms of a Virus-Like Attack
• Indications of a Virus Attack
• Stages of Virus Life
• Virus Detection Methods
• How to Prevent a Virus
• Trojans and Spyware
• Indications of a Trojan Attack
• Remote Access Trojans (RAT)
• Anti-virus Tools
• Anti-Trojan Tools
9. Module Flow
Viruses and Worms → Characteristics of a Virus → Indications of Virus Attack → Virus Detection Methods → Trojans and Spyware → Remote Access Trojans (RAT) → Antivirus Tools → Anti-Trojan Tools
10. Statistics of the Malicious and Potentially Unwanted Programs
[Chart: statistics of malicious and potentially unwanted programs]
11. Virus Top 20 for January 2008
[Table: virus top 20 for January 2008]
12. Virus
Computer viruses are malicious programs that infect computers and corrupt or delete the data on them.
Viruses spread through email attachments, instant messages, downloads from the Internet, contaminated media, etc.
Viruses are generally categorized as:
• File infectors: attach themselves to program files
• System or boot-record infectors: infect executable code found in certain system areas of a disk (the boot sector or master boot record)
• Macro viruses: infect documents of applications that support macros, such as Microsoft Word and Excel
13. Worms
A worm is a self-replicating program that spreads on its own; unlike a virus, it does not attach itself to other programs (though it still consumes memory and network capacity as it copies itself).
It is often treated as a sub-class of virus.
It takes advantage of file or information transport features on the system (email, file shares, network services), allowing it to travel independently.
A worm spreads across the network automatically; a virus needs an infected file to be carried to the next system and executed there.
14. Characteristics of a Virus
• A resident virus stays in memory and replicates itself while the program it is attached to is running
• A non-resident virus does not stay in memory after the host program has finished executing
Hides itself from detection in three ways:
• Encrypts its own body, so the bytes stored on disk do not match the known virus code
• Alters the directory data (reported file sizes and dates) to hide the extra bytes it added to the host file
• Uses stealth techniques that intercept disk reads and return the original, uninfected content to whoever is reading
15. Working of a Virus
Trigger events and direct attack are the common modes which cause a virus to “go off” on a target system.
Most viruses operate in two phases:
Infection phase:
• Virus developers decide when the host system’s programs get infected
• Some viruses infect every time the infected program is run, completing the infection immediately (example: direct-action viruses)
• Some infect only when a trigger set by the author occurs, such as a day, a time, or a particular event (example: TSR viruses, which load into memory and infect at a later stage)
Attack phase:
• Some viruses have trigger events that activate them and corrupt the system
• Some viruses carry bugs that replicate and perform activities such as file deletion or increasing session time
• They corrupt the targets only after spreading completely, as intended by their developers
16. Working of a Virus: Infection Phase
[Diagram: attaching to an .EXE file to infect the program. Before infection, the file header’s entry point (IP) points to the start of the program, which runs through to the end of the program. After infection, the virus body is appended after the end of the program and the entry point is redirected to it; the virus runs first, then jumps back to the start of the original program.]
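The diagram above shows the structural trace an appending file infector leaves behind: the host code is intact, but the entry point in the header now points at bytes added after the original end of the program. That is something an investigator can check for directly in a suspect PE file. The following is an added example, not code from the module or from EC-Council: it parses the PE headers (DOS header, COFF header, optional header, section table) with Python's standard library and flags an entry point that lands in the last section, in a writable section, or outside the first code section. The `build_pe` helper, the section layouts and the `.virus` section name are constructed test data for the example; no real executable is read.

```python
import struct

# Section characteristic bits from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    off = opt + opt_size  # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, _raw, _rawptr, _rel, _ln, _nrel, _nln, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
        off += 40
    return entry_rva, sections


def check_entry_point(data):
    """Flag entry-point placements typical of an appending file infector (triage only)."""
    entry_rva, sections = parse_sections(data)
    findings = []
    holder = None
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            holder = (idx, name, chars)
            break
    if holder is None:
        return {"entry_rva": entry_rva, "section": None,
                "findings": ["entry point lies outside every section"]}
    idx, name, chars = holder
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name} is not executable")
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {name} is writable and executable")
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and idx != first_code:
        findings.append(f"entry point is in {name}, not the first code section {sections[first_code][0]}")
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point is in the last section {name}")
    return {"entry_rva": entry_rva, "section": name, "findings": findings}


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 image for testing (constructed data, contains no code)."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed layouts: a clean binary, and the same binary with a section appended by an infector.
CLEAN = [(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
INFECTED = CLEAN + [(".virus", 0x4000, 0x800,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]


def demo():
    """Run the check on both constructed images; returns (clean_result, infected_result)."""
    return check_entry_point(build_pe(CLEAN, 0x1200)), check_entry_point(build_pe(INFECTED, 0x4000))


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label, hex(result["entry_rva"]), result["section"], result["findings"] or "no findings")
```

Treat a hit as a lead, not a verdict: legitimate packers and installers also put the entry point in a trailing, writable section, so confirm with a hash comparison against a known-good copy of the file before calling it an infection.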
17. Working of a Virus: Attack Phase
[Diagram: file fragmentation due to a virus attack. Before the attack, files A and B are each stored as contiguous pages (page 1, page 2, page 3). After the attack, the pages of the two files are interleaved across the disk, and the PC slows down because of the fragmented files.]
18. Symptoms of a Virus-Like Attack
If the system acts in an unprecedented manner, you can suspect a virus attack.
• Example: processes take more resources than usual and become time-consuming
However, not all glitches can be attributed to virus attacks. Examples that are often something else:
• Certain hardware problems
• The computer beeps with no display
• Only one of two anti-virus programs reports a virus on the system
• The label of the hard drive changes
Symptoms that do warrant investigation:
• Your computer freezes frequently or encounters errors
• Your computer slows down when programs are started
• You are unable to load the operating system
• Files and folders are suddenly missing or their content changes
• Your hard drive is accessed too often (the light on your main unit flashes rapidly)
• Microsoft Internet Explorer "freezes"
• Your friends mention that they have received messages from you that you never sent
19. Indications of a Virus Attack
• Programs take longer to load than normal
• The computer's hard drive constantly runs out of free space
• Files have strange names which are not recognizable
• Programs act erratically
• Resources are used up easily
20. Modes of Virus Infection
Viruses infect a system in the following way:
• The virus loads itself into memory and checks for executables on the disk
• It appends its malicious code to a legitimate program without the user's knowledge
• Since the user is unaware of the change, he/she launches the infected program
• As the infected program executes, other programs get infected as well
• The cycle continues until the user notices the anomaly in the system
21. Stages of Virus Life
A computer virus goes through various stages, from its design to its elimination:
• Design: developing the virus code using programming languages or construction kits
• Replication: the virus first replicates within the target system for a long period of time and then spreads itself
• Launch: it gets activated when the user performs certain actions, such as triggering it or running an infected program
• Detection: the virus is identified as a threat infecting target systems
• Incorporation: anti-virus software developers assimilate defenses against the virus
• Elimination: users are advised to install anti-virus software updates, creating awareness among user groups
22. Virus Classification
Viruses are classified based on the following criteria:
• What they infect
• How they infect
23. Virus Classification (cont’d)
What they infect:
• System sector or boot virus: infects disk boot sectors and boot records
• File virus: infects executables in the OS file system
• Macro virus: infects documents, spreadsheets and databases such as Word, Excel and Access files
• Source code virus: overwrites or appends host source code, adding malicious code to it so that it is compiled into the program
• Network virus: spreads itself via email or by using the commands and protocols of the computer network
24. How Does a Virus Infect?
• Stealth virus: hides from anti-virus programs by intercepting the reads used to examine infected files and returning clean data
• Polymorphic virus: changes its characteristics (encrypted body and decryptor) with each infection
• Cavity virus: maintains the same file size while infecting, by writing itself into unused (padding) areas of the host
• Tunneling virus: reaches the original interrupt or system-call handlers directly, passing underneath the anti-virus monitor while infecting
• Camouflage virus: disguises itself as a genuine application of the user
25. Storage Patterns of a Virus
• Shell virus: the virus code forms a shell around the host program’s code, making itself the main program and the host code its sub-routine
• Add-on virus: adds its code to the host (typically appended at the end, with the entry point redirected to it) without modifying the host code itself
• Intrusive virus: overwrites the host code, partly or completely, with viral code
• Direct or transient virus: runs only while the host program runs; it selects a target program, infects it, and then transfers control back to the host code
• Terminate and stay resident (TSR) virus: remains in memory during the entire work session, even after the host program has executed and terminated; can be removed only by rebooting the system
26. Virus Detection
Use anti-virus software to detect the virus.
Scan the system for any unwanted programs running on it.
Anti-virus software uses two methods of virus detection:
• Virus signature definitions
• Heuristic algorithms
Signature scanning examines the contents of files and of the computer's memory and compares them with a database of known virus signatures.
Heuristic analysis finds viruses based on their structure or behaviour (for example, code that writes to other executables), so it can catch new and unknown viruses for which no signature exists yet; samples caught this way are then used to create signatures.
27. Virus Detection Methods
• Scanning: once a virus has been detected, it is possible to write scanning programs that look for the signature string characteristic of the virus
• Integrity checking: integrity-checking products work by reading your entire disk and recording integrity data (checksums or hashes) that act as a signature for the files and system sectors; later runs compare the disk against this baseline
• Interception: the interceptor monitors operating system requests that write to disk (or perform other suspicious actions) and alerts on them
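The two detection methods on the previous slides that an investigator can reproduce offline are signature scanning and integrity checking. The following is an added example, not part of the module or of any anti-virus product: it scans files for byte-pattern signatures, records a SHA-256 baseline of a directory tree, and later diffs the tree against that baseline to find modified, added and removed files. The signature names and byte patterns, the `app.exe` stand-in, and the appended "virus body" are all constructed for the example; the code creates them in a temporary directory so it runs anywhere.

```python
import hashlib
import os
import tempfile

# Constructed signatures standing in for real AV definitions. The first is a delta-offset
# prologue (call $+5 / pop ebp / sub ebp, imm32) common in older appending infectors.
SIGNATURES = {
    "Demo.Infector.A": b"\xe8\x00\x00\x00\x00\x5d\x81\xed",
    "Demo.Dropper.B": b"DROPPER-MARKER-v1",
}


def scan_file(path, signatures=SIGNATURES):
    """Signature scanning: return the names of every signature found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Integrity checking, step 1: map every file under root (relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline


def compare_baseline(root, baseline):
    """Integrity checking, step 2: report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Simulate an infection between two integrity runs using constructed files."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "app.exe")
        with open(prog, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)          # stand-in for a clean program
        baseline = build_baseline(root)            # taken while the system is known-good
        assert scan_file(prog) == []               # nothing matches yet

        # Appending infector: host bytes are kept, a virus body is added at the end.
        with open(prog, "ab") as f:
            f.write(SIGNATURES["Demo.Infector.A"] + b"\xcc" * 16)
        dropped = os.path.join(root, "dropped.tmp")
        with open(dropped, "wb") as f:             # payload the infector drops alongside
            f.write(b"xx" + SIGNATURES["Demo.Dropper.B"])

        return {
            "diff": compare_baseline(root, baseline),
            "hits": {"app.exe": scan_file(prog), "dropped.tmp": scan_file(dropped)},
        }


if __name__ == "__main__":
    result = demo()
    print("integrity diff:", result["diff"])
    print("signature hits:", result["hits"])
```

Two operational points the slide leaves implicit: the baseline must be stored where the infected host cannot rewrite it (read-only media or a separate system), otherwise a resident virus can simply rehash the files it changed; and signature scanning only finds what is already in `SIGNATURES`, which is exactly why the integrity diff, not the signature hit, is what surfaces a previously unknown infector.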
28. Virus Incident Response
• Detect the attack: not all anomalous behaviour can be attributed to viruses
• Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map commonalities between affected systems
• Detect the virus payload by looking for altered, replaced, or deleted files
• Check for new files, changed file attributes, or changed shared library files
• Acquire the infection vector and isolate it; update anti-virus signatures and rescan all systems
29. Investigating Viruses
• When a file is infected with a virus, make a copy of the file and perform all analysis on the copy
• For a serious virus attack, have an expert dissect the virus to check for modifications
• Check the date and time of the last change of the infected files
• When the first infected computer is found, check for non-standard programs which are not part of the company’s normal applications
• Question the computer’s user about the source of the infected file
30. Trojans and Spyware
Trojans:
• A Trojan horse is a malicious, security-breaching program that is disguised as a useful program
• Trojans are executable programs that install themselves when a file is opened
• They get activated without further intervention from the user
• Unlike viruses, Trojans do not replicate themselves from one system to another
• Trojans let others control a user’s system
Spyware:
• Spyware is software installed on a computer without the knowledge of the user
• Spyware pretends to offer a useful application, but actually acquires information from the computer and sends it to a remote attacker
• Spyware is closely related to adware (advertising-supported software), with which it is frequently bundled
31. Working of Trojans
The attacker gets access to the Trojaned system as soon as the system goes online.
By way of the access provided by the Trojan, the attacker can stage different types of attacks.
[Diagram: Attacker → Internet → Trojaned System]
32. How Spyware Affects a System
• Most spyware infects the system through warez and porn sites
• Peer-to-peer software is also used to install spyware
• Some websites trick the user into downloading software claiming to be legitimate which, when installed, performs illicit actions
• Other sources of attack are porn dialers and premium-rate dialers
33. What Spyware Does to the System
• Once spyware enters a system it gathers information about the computer without the user’s knowledge
• It gathers information such as personal data, passwords, and bank account information and sends it to an illegitimate user over the Internet
• Keyloggers are used to record the data that the user types on the computer
• The PC and the web browser can also be hijacked, making the user navigate to unwanted websites
34. What Do Trojan Creators Look For?
• Credit card information
• Account data (email addresses, passwords, user names, and so on)
• Confidential documents
• Financial data (bank account numbers, social security numbers, insurance information, and so on)
• Calendar information concerning the victim’s whereabouts
• Using the victim’s computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet
35. Different Ways a Trojan Can Get into a System
• Instant Messenger applications
• IRC (Internet Relay Chat)
• Attachments
• Physical access
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screensavers from Internet sites
• Legitimate "shrink-wrapped" software packaged by a disgruntled employee
36. Identification of a Trojan Attack
• CD-ROM drawer opens and closes by itself
• Computer screen flips upside down or inverts
• Wallpaper or background settings change by themselves
• Documents or messages print from the printer by themselves
• Computer browser goes to a strange or unknown web page by itself
• Windows color settings change by themselves
• Screensaver settings change by themselves
37. Identification of a Trojan Attack (cont’d)
• Right and left mouse buttons reverse their functions
• Mouse pointer disappears
• Mouse pointer moves and functions by itself
• Windows Start button disappears
• Strange chat boxes appear on the victim’s computer
• The ISP complains to the victim that his/her computer is IP scanning
38. Identification of a Trojan Attack (cont’d)
• People chatting with the victim know too much personal information about him or his computer
• Computer shuts down and powers off by itself
• Taskbar disappears
• Account passwords are changed, or unauthorized persons can access legitimate accounts
• Strange purchase statements appear in credit card bills
• The computer monitor turns itself on and off
• Modem dials and connects to the Internet by itself
• Ctrl+Alt+Del stops working
• While rebooting the computer, a message flashes that there are other users still connected
39. Remote Access Trojans (RAT)
• Remote Access Trojans (RATs) are malicious programs used to control a user’s computer through his/her Internet connection
• They let intruders view and change the computer’s files and functions
• They monitor and record activity, and use the computer to attack other computers without the user’s knowledge
• They get onto the computer hidden in illicit software and other files and programs downloaded from the Internet
• They can also take advantage of vulnerabilities in software or Internet services and infect the computer without any action being performed by the user
40. Remote Access Trojans (RAT) (cont’d)
A RAT provides remote control of the computer through an Internet connection.
This ability can be used by intruders to:
• Expose the user to scams
• Find files
• Record keystrokes
• Capture video and audio
• Run or end a program, process, or connection
• Create pop-ups
• Attack other computers
To protect against RAT attacks:
• Practise safe behaviour in online communities
• Use a firewall
• Update the computer regularly
• Use anti-virus and anti-spyware software
41. Ports Used by Trojans
Trojan              Protocol   Ports
Back Orifice        UDP        31337 or 31338
Deep Throat         UDP        2140 and 3150
NetBus              TCP        12345 and 12346
Whack-a-mole        TCP        12361 and 12362
NetBus 2 Pro        TCP        20034
GirlFriend          TCP        21544
Masters Paradise    TCP        3129, 40421, 40422, 40423 and 40426
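The incident-response slide says to trace processes with netstat.exe and pslist.exe, and the table above gives the ports to look for. The following is an added example that ties the two together; it is not code from the module or from EC-Council. It parses the text output of `netstat -ano` and `tasklist /fo csv /nh` on Windows, flags sockets bound to the ports in the table, and groups the hits by owning process so each suspect process is reported once with all of its suspicious sockets. Both command outputs embedded below are constructed samples, not captures from a real host, and `patch.exe` is an invented process name.

```python
import re

# Port table from the slide, keyed by (protocol, local port). A match is a lead, not proof.
TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 20034): "NetBus 2 Pro",
    ("tcp", 21544): "GirlFriend",
    ("tcp", 3129): "Masters Paradise", ("tcp", 40421): "Masters Paradise",
    ("tcp", 40422): "Masters Paradise", ("tcp", 40423): "Masters Paradise",
    ("tcp", 40426): "Masters Paradise",
}

# Constructed sample of `netstat -ano` output (Windows layout); not from a real host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3044
  TCP    10.0.0.5:49700         93.184.216.34:443      ESTABLISHED     1520
  TCP    10.0.0.5:12346         198.51.100.7:4127      ESTABLISHED     3044
  UDP    0.0.0.0:31337          *:*                                    3044
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh`, used to put a name to each PID.
TASKLIST_SAMPLE = """\
"svchost.exe","812","Services","0","9,120 K"
"patch.exe","3044","Console","1","4,312 K"
"chrome.exe","1520","Console","1","180,004 K"
"System","4","Services","0","1,024 K"
"""

# UDP rows have no State column, hence the optional group before the PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto.lower(), "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    names = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            names[int(fields[1])] = fields[0]
    return names


def triage(netstat_text, tasklist_text):
    """Return {pid: {process, families, sockets}} for processes on known Trojan ports."""
    names = parse_tasklist(tasklist_text)
    by_pid = {}
    for row in parse_netstat(netstat_text):
        family = TROJAN_PORTS.get((row["proto"], row["lport"]))
        if not family:
            continue
        entry = by_pid.setdefault(row["pid"], {"process": names.get(row["pid"], "?"),
                                               "families": set(), "sockets": []})
        entry["families"].add(family)
        entry["sockets"].append(f'{row["proto"]}/{row["lport"]} {row["state"]}'.strip())
    return by_pid


if __name__ == "__main__":
    for pid, info in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(pid, info["process"], sorted(info["families"]), info["sockets"])
```

The port table is a snapshot of 1990s tooling; a modern RAT typically makes an outbound connection on 443 and never listens at all. Keep the port lookup as one signal, but weight the foreign address, the process image path, and whether the binary is signed far more heavily when deciding what to image and isolate.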
42. Anti-virus Tools
43. AVG Antivirus (www.grisoft.com)
Security protection against viruses, worms, Trojans and potentially unwanted programs.
Features:
• Quality proven by all major antivirus certifications (VB100%, ICSA, West Coast Labs Checkmark)
• Improved virus detection based on better heuristics and NTFS data stream scanning
• Smaller installation and update files
• Improved user interface
44. AVG Antivirus: Screenshot
[Screenshot: AVG Antivirus]
45. Norton Antivirus (www.symantec.com)
Features:
• Protects from viruses, and updates virus definitions automatically
• Detects and repairs viruses in email, instant messenger attachments and compressed folders
• Monitors network traffic for malicious activity
Scan options provided by Norton Antivirus are:
• Full system scan
• Custom scan
• Scheduled scan
• Scan from the command line
46. McAfee (www.mcafee.com)
Features:
• SpamKiller: stops spam from reaching the inbox
• SecurityCenter: lists computer security vulnerabilities and offers free real-time security alerts
• VirusScan:
  • ActiveShield: scans files in real time
  • Quarantine: encrypts the infected files in the quarantine folder
  • Hostile Activity Detection: examines the computer for malicious activity
47. Kaspersky Anti-Virus
• Provides traditional anti-virus protection based on the latest protection technologies
• Allows users to work, communicate, surf the Internet, and play online games on the computer safely and easily
• Protects from viruses, Trojans and worms, spyware, adware, and all types of keyloggers
• Protection from viruses when using ICQ and other IM clients
• Detects all types of rootkits
• Provides three types of protection technologies against new and unknown threats: hourly automated database updates, preliminary behaviour analysis, and on-going behaviour analysis
48. BitDefender
BitDefender 2008 is an outstanding product with a user-friendly interface.
It scans all existing files on the computer, all incoming and outgoing emails, IM transfers, and all other network traffic.
It has also improved its existing B-HAVE feature, which runs pieces of software on a virtual computer to detect code that could be an unknown virus.
Features:
• “Privacy Protection” for outgoing personal information
• “Web Scanning” while you are using the Internet
• “Rootkit Detection and Removal,” which detects and then removes hidden virus programs
49. Anti-virus Tools (cont’d)
SocketShield is a zero-day exploit blocker. It can block exploits from entering the computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches.
CA Anti-Virus provides comprehensive protection against viruses, worms, and Trojan horse programs; it detects viruses, worms, and Trojans.
50. Anti-virus Tools (cont’d)
F-Secure Anti-Virus 2007 is an anti-virus tool developed by F-Secure Corporation. It offers easy-to-use protection for your computer against viruses, worms, and rootkits.
F-Prot Antivirus is an antivirus software package which protects your data from virus infection and removes any virus that may have infected your computer system. It features real-time protection and email scanning, as well as heuristic detection of suspected viruses.
51. Anti-virus Tools (cont’d)
Panda Antivirus Platinum transparently eliminates viruses at the desktop and TCP/IP (Winsock) level. It detects and disinfects viruses before they can touch your hard drive.
avast! Virus Cleaner removes selected virus and worm infections from your computer. It deactivates the virus present in memory.
52. Anti-virus Tools (cont’d)
Norman Virus Control uses the same core components as the corporate version, except for network and network management functionality. The Norman SandBox II technology protects against new and unknown computer viruses, worms, and Trojans.
ClamWin detects and removes a wide range of viruses and spyware and offers email scanning. It performs automatic Internet updates, scheduled scans, and email alerts on virus detection.
53. Anti-Trojan Tools
54. TrojanHunter
TrojanHunter is an advanced Trojan scanner and toolbox that searches for and removes Trojans from your system.
It uses several proven methods to find a wide variety of Trojans, such as file scanning, port scanning, memory scanning, and registry scanning.
TrojanHunter also allows you to add custom Trojan definitions and detection rules.
55. Comodo BOClean
Comodo BOClean protects your computer against Trojans, malware, and other threats.
It constantly scans your system in the background and intercepts any recognized Trojan activity.
The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected Trojan application.
Features:
• Destroys malware and removes registry entries
• Does not require a reboot to remove all traces
• Disconnects the threat without disconnecting you
• Generates an optional report and a safe copy of evidence
• Automatically sweeps and detects instantly in the background
• Configurable "Stealth mode" completely hides BOClean from users
• Updates automatically from a network file share
56. Trojan Remover: XoftspySE
Xoftspy detects and removes spyware trying to install on your PC.
It scans for more than 42,000 different spyware and adware parasites.
It finds and removes threats including: spyware, worms, hijackers, adware, malware, keyloggers, hacker tools, PC parasites, Trojan horses, spy programs, and trackware.
It alerts the user about potentially harmful websites.
57. Trojan Remover: Spyware Doctor
Spyware Doctor is an adware and spyware removal utility that detects and cleans thousands of potential spyware, adware, Trojans, keyloggers, cookies, trackware, spybots, and other malware from your PC.
This tool allows you to remove, ignore, or quarantine identified spyware.
It also has an OnGuard system to immunize and protect your system against privacy threats as you work.
By performing a fast detection at Windows start-up, it alerts you with a list of the identified potential threats.
58. SPYWAREfighter
SPYWAREfighter is a powerful and reliable program that allows you to protect your PC against spyware, malware, and other unwanted software.
It uses a security technology that protects Windows users from spyware and other potentially unwanted software.
It reduces the negative effects caused by spyware, including slow PC performance, annoying pop-ups, unwanted changes to Internet settings, and unauthorized use of your private information.
Continuous protection improves Internet browsing safety by scanning for more than 220,000 known threats.
59. Evading Anti-Virus Techniques
• Never use Trojans from the wild (anti-virus can detect these easily)
• Write your own Trojan and embed it into an application
  • Convert an EXE to VB script
  • Convert an EXE to a DOC file
  • Convert an EXE to a PPT file
• Change the Trojan's syntax
• Change the checksum
• Change the content of the Trojan using a hex editor
• Break the Trojan file into multiple pieces

60. Sample Code for Trojan Client/Server
• Trojanclient.java
• Trojanserver.java

61. Evading Anti-Trojan/Anti-Virus Using Stealth Tools
• A stealth tool is a program used to make Trojans or suspicious files undetectable to anti-virus software
• Its features include adding bytes, binding, changing strings, creating VBS, scrambling/packing files, and splitting/joining files
62. Backdoor Countermeasures
• Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage
• An inexpensive tool called Cleaner (http://www.moosoft.com/cleaner.html) can identify and eradicate 1,000 types of backdoor programs and Trojans
• Educate users not to install applications downloaded from the Internet or received as email attachments

63. Tool: Tripwire
• Tripwire is a System Integrity Verifier (SIV)
• It automatically calculates cryptographic hashes of all key system files, or of any file that is to be monitored for modification
• Tripwire works by creating a baseline "snapshot" of the system
• It periodically rescans those files, recalculates the information, and checks whether any of it has changed; if there is a change, an alarm is raised

64. System File Verification
• Windows 2000 introduced Windows File Protection (WFP), which protects system files installed by the Windows 2000 setup program from being overwritten
• The stored hashes can be compared with the SHA-1 hashes of the current system files to verify their integrity against the factory originals
• The sigverif.exe utility can perform this verification process

65. MD5sum.exe
• It is an MD5 checksum utility
• It takes an MD5 digital snapshot of system files
• If you suspect a file is Trojaned, compare its current MD5 signature with the snapshot checksum
• Command: md5sum *.* > md5sum.txt
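The baseline-then-rescan procedure that the Tripwire, System File Verification and MD5sum slides describe, written out as a small Python integrity verifier. This is an added example, not EC-Council's, Tripwire's or md5sum's code; it uses only the standard library, defaults to SHA-256 rather than MD5 (the comparison logic is identical), and the file tree it checks is constructed in a temporary directory by demo().

```python
"""File-integrity baseline and verification, Tripwire/md5sum style.

Added example (not EC-Council's, Tripwire's or md5sum's code). Standard library only;
the files it checks are constructed in a temporary directory by demo().
"""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # md5 works identically but is no longer collision-resistant


def hash_file(path, algo=HASH_ALGO, chunk_size=65536):
    """Hex digest of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def take_baseline(root):
    """Snapshot every regular file under root: content hash plus permission bits."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"hash": hash_file(path), "mode": path.stat().st_mode & 0o7777}
    return baseline


def save_baseline(baseline, path):
    """Store the snapshot; in practice keep it on read-only or offline media."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def verify(root, baseline):
    """Rescan root and report what differs from the baseline."""
    current = take_baseline(root)
    changed, perm_changed = [], []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            continue  # reported under 'removed'
        if new["hash"] != old["hash"]:
            changed.append(rel)          # content replaced: classic trojaned binary
        elif new["mode"] != old["mode"]:
            perm_changed.append(rel)     # e.g. a setuid bit added to an unchanged file
    return {
        "changed": changed,
        "perm_changed": perm_changed,
        "added": sorted(set(current) - set(baseline)),    # dropped rootkit components
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a constructed mini system tree, baseline it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")   # constructed content
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        store = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(take_baseline(root), store)

        # Simulated compromise: trojaned ps, a dropped file, a deleted config file
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary\n")
        (root / "bin" / "bktd").write_bytes(b"dropped rootkit component\n")
        (root / "etc" / "passwd").unlink()
        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline file must be stored where the monitored host cannot rewrite it (offline media or a remote host); a verifier whose snapshot lives on the same disk as the binaries it checks can be silenced by re-baselining after the compromise.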
66. Tool: Microsoft Windows Defender
• Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software
• It features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected

67. Introduction to Rootkits
• A rootkit is a group of programs that install a Trojaned logon replacement with a backdoor, along with a packet sniffer, on UNIX as well as Windows systems
• The sniffer can be used to capture network traffic, including user credentials
• A rootkit hides its presence on the target host
• It acts by modifying the host operating system so that the malware is hidden from the user
• It remains undetected and can prevent a malicious process from being reported in the process table
68. Attack Approaches
• Modifying the data structures that list the processes currently running on the system
• System call interception
  • Modifying the system call table
  • Modifying the system call handler code
• Interrupt hooking
  • Modifying the interrupt descriptor table
  • Modifying the interrupt handler (in particular the one for system calls)
• Modifying the kernel memory image (/dev/kmem)
• Intercepting calls handled by the VFS
• Virtual memory subversion

69. Types of Rootkits
Rootkits are differentiated into:
• Persistent rootkits: associated with malware that activates each time the system boots
• Memory-based rootkits: malware that has no persistent code and therefore does not survive a reboot
• User-mode rootkits: might intercept all calls to the Windows FindFirstFile/FindNextFile APIs
• Kernel-mode rootkits: intercept the native API in kernel mode, and can also directly manipulate kernel-mode data structures

70. Rootkit Detection
Depending on the type of attack, different rootkit detection approaches are used:
• Detour functions: this approach is directed towards detecting hidden processes
• Diff-based approach: uses kernel data structures to view the processes running on the system
• Comparing symbol addresses: detects system call interception events
• Binary analysis: observes the locations in the kernel address space
• Execution path analysis: a change in the execution path of a normal system call is observed
• Virtual machines: a VMware virtual machine is used to detect rootkits
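The "comparing symbol addresses" approach from the Rootkit Detection slide, applied to the system-call-table modification listed under Attack Approaches, as an added Python example (not from the EC-Council slides or any existing detector). Each sys_call_table entry should equal the address System.map records for that handler, so an entry pointing anywhere else, typically into a loaded module, is a hook. The System.map excerpt, the kallsyms excerpt and the table dump are constructed sample data; in a real investigation they come from /boot/System.map-<release>, /proc/kallsyms and a memory image. The x86-64 syscall numbers used (0 read, 1 write, 2 open, 217 getdents64) are real.

```python
"""Detecting system-call interception by comparing symbol addresses.

Added example; not from the EC-Council slides or any rootkit detector. Every entry of
the system call table should equal the address System.map records for its handler;
an entry pointing elsewhere indicates a hook. All input data below is constructed.
"""
import re

# Constructed System.map excerpt (format: address type name)
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff810a1000 T __x64_sys_read
ffffffff810a1200 T __x64_sys_write
ffffffff810a1400 T __x64_sys_open
ffffffff810c5000 T __x64_sys_getdents64
ffffffff81e00000 R sys_call_table
ffffffff82000000 B _end
"""

# Constructed /proc/kallsyms excerpt from the same kernel relocated by KASLR
LIVE_KALLSYMS = "ffffffff8b000000 T _text\n"

# Syscall number -> expected handler symbol (x86-64 numbers for the four used here)
EXPECTED_HANDLER = {
    0: "__x64_sys_read",
    1: "__x64_sys_write",
    2: "__x64_sys_open",
    217: "__x64_sys_getdents64",  # the call rootkits hook to hide files and PIDs
}

SYMBOL_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)")


def parse_symbols(text):
    """Parse System.map / kallsyms lines into {symbol: address}."""
    symbols = {}
    for line in text.splitlines():
        match = SYMBOL_LINE.match(line)
        if match:
            symbols[match.group(3)] = int(match.group(1), 16)
    return symbols


def kaslr_delta(live, build, anchor="_text"):
    """KASLR shifts every kernel-image symbol by one constant; derive it from an anchor."""
    if live[anchor] == 0:
        raise ValueError("live addresses are zeroed (kptr_restrict); read them as root")
    return live[anchor] - build[anchor]


def find_hooks(table_dump, build_symbols, delta=0):
    """table_dump: {syscall_nr: address found in memory}. Returns one finding per hook."""
    address_to_symbol = {addr + delta: name for name, addr in build_symbols.items()}
    image_start = build_symbols["_text"] + delta
    image_end = build_symbols["_end"] + delta
    findings = []
    for nr, addr in sorted(table_dump.items()):
        expected = EXPECTED_HANDLER.get(nr)
        if expected is None:
            continue  # no expectation recorded for this syscall number
        actual = address_to_symbol.get(addr)
        if actual == expected:
            continue
        findings.append({
            "syscall": nr,
            "expected": expected,
            "resolved_to": actual,              # None: address matches no known symbol
            "address": f"{addr:#x}",
            "inside_kernel_image": image_start <= addr < image_end,
        })
    return findings


def demo():
    """Constructed table dump: three intact entries and one redirected to module space."""
    build = parse_symbols(SYSTEM_MAP)
    delta = kaslr_delta(parse_symbols(LIVE_KALLSYMS), build)
    table_dump = {
        0: build["__x64_sys_read"] + delta,
        1: build["__x64_sys_write"] + delta,
        2: build["__x64_sys_open"] + delta,
        217: 0xFFFFFFFFC0123450,  # constructed module-range address, not getdents64
    }
    return find_hooks(table_dump, build, delta)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two caveats the check has to handle: KASLR moves the whole kernel image, so raw addresses never match System.map until the per-boot delta is removed (done here via the `_text` anchor), and kptr_restrict zeroes kallsyms addresses for unprivileged readers, which the delta function refuses rather than silently comparing against zero.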
71. Windows Rootkits

72. Fu Rootkit
• The FU rootkit hides files and registry keys
• It is often used in conjunction with other malware
• The FU rootkit manipulates kernel objects directly to hide processes, elevate process privileges, and fake out the Windows Event Viewer so that forensics is impossible

73. Vanquish
• Vanquish is a DLL-injection-based rootkit
• It hides files, folders, and registry entries, and logs passwords
• It is installed without user interaction through security exploits, and can severely compromise system security

74. AFX Rootkit
• AFX Rootkit was created by Aphex in 2004
• AFX Rootkit uses the driver "mc21.tmp", located in the Temp folder
• AFX Rootkit installs a hidden service in the Windows subfolder
• AFX Rootkit hides:
  • Processes
  • Handles
  • Modules
  • Files and folders
  • Registry values
  • Services
  • TCP/UDP sockets
  • Systray icons
75. Linux Rootkits

76. Knark
• Knark is a kernel-based rootkit
• The hidden directory /proc/knark is created after knark is loaded
• Files created in the directory:
  • files: list of hidden files on the system
  • nethides: list of strings hidden in /proc/net/[tcp|udp]
  • pids: list of hidden PIDs, ps-like output
  • redirects: list of exec-redirection entries

77. Adore
• Adore digs up the inode for the root file system and replaces that inode's readdir() function pointer
• Adore hooks itself into the lookup function for /proc
• It replaces the show() function for /proc/net/tcp

78. Ramen
• Ramen is a rootkit that exploits vulnerabilities in the rpc.statd and wu-ftpd programs on Linux systems
• It replaces the web server's default page and installs a rootkit
• It sends e-mail to two web-based accounts and starts scanning the network for its next victim
• The author or someone else can then use the rootkit to access the infected system

79. Beastkit
• The Beastkit rootkit was found on a Red Hat 7.2 system
• The rootkit setup script includes the line "#Beastkit 7.0 - X-Org edition"
• It uses the open port 56493
• Search for these files to detect the presence of the Beastkit rootkit:
  • usr/local/bin/bin
  • usr/man/.man10
  • usr/sbin/arobia
  • usr/lib/elm/arobia
  • usr/local/bin/.../bktd
80. Rootkit Detection Tools

81. UnHackMe
• UnHackMe detects the AFX Rootkit and kills it

82. UnHackMe Procedure
• Click the Check button
• If a Trojan is found, you will see the Results page
• Click the Stop button and restart your computer

83. F-Secure BlackLight
• F-Secure BlackLight detects hidden files, folders, and processes
• It also removes hidden malware by renaming it
Figure: F-Secure BlackLight examining the process list

84. RootkitRevealer
• RootkitRevealer detects rootkits including AFX, Vanquish, and HackerDefender
• It compares the results of a system scan at the Windows API level with the raw contents of a file system volume or Registry hive
• Usage:
  • rootkitrevealer [-a [-c] [-m] [-r] outputfile]

85. Microsoft Windows Malicious Software Removal Tool
• The Microsoft Windows Malicious Software Removal Tool checks computers for infections by specific, prevalent malicious software
• After the detection and removal process is complete, the tool displays a report describing the outcome

86. Rkhunter
• Rkhunter detects rootkits, sniffers, and backdoors
• It runs a series of tests to check the default files used by rootkits
• It also searches for default directories, wrong permissions, hidden files, and suspicious strings in kernel modules
• Command used for running Rkhunter:
  • # rkhunter -c
• The series of tests conducted is as follows:
  • MD5 tests to check for any changes
  • Checks the binaries and system tools for any rootkits
  • Checks for Trojan-specific characteristics
  • Checks for any suspicious file properties of the most commonly used programs
  • Scans for any promiscuous interfaces
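Two of the rkhunter-style checks described above, "checks the default files used by rootkits" and "scans for any promiscuous interfaces", written as an added Python example (not rkhunter's or chkrootkit's code). The artifact paths are exactly the ones the Knark and Beastkit slides list; the IFF_PROMISC bit value comes from linux/if.h. Both checks take a root directory as a parameter so they can be pointed at a mounted forensic image rather than the live system, and demo() runs them against a constructed directory tree and a constructed sysfs layout.

```python
"""Two rkhunter-style checks: known rootkit artifact paths and promiscuous interfaces.

Added example, not rkhunter's or chkrootkit's code. Artifact paths come from the
module's Knark and Beastkit slides; IFF_PROMISC is the linux/if.h flag bit. Both
checks accept a root so they can run against a mounted image or a constructed tree.
"""
import os
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<iface>/flags while the NIC sniffs

# Rootkit family -> artifact paths relative to the filesystem root (from the slides)
KNOWN_ARTIFACTS = {
    "Knark": ["proc/knark"],
    "Beastkit": [
        "usr/local/bin/bin",
        "usr/man/.man10",
        "usr/sbin/arobia",
        "usr/lib/elm/arobia",
        "usr/local/bin/.../bktd",  # '...' is a real directory name chosen to resemble '..'
    ],
}


def check_known_files(root="/"):
    """Return (family, absolute path) for every listed artifact present under root."""
    hits = []
    for family, relatives in KNOWN_ARTIFACTS.items():
        for rel in relatives:
            candidate = os.path.join(root, rel)
            if os.path.lexists(candidate):  # lexists also catches dangling symlinks
                hits.append((family, "/" + rel))
    return hits


def is_promiscuous(flags_text):
    """flags_text is the hex string sysfs exposes, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def check_promisc_interfaces(sysfs_net="/sys/class/net"):
    """Name every interface whose sysfs flags carry IFF_PROMISC."""
    base = Path(sysfs_net)
    if not base.is_dir():
        return []
    promisc = []
    for iface in sorted(base.iterdir()):
        try:
            flags = (iface / "flags").read_text()
        except OSError:
            continue  # not an interface entry, or it disappeared mid-scan
        if is_promiscuous(flags):
            promisc.append(iface.name)
    return promisc


def demo():
    """Run both checks against a constructed image root and a constructed sysfs tree."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "image"
        (image / "usr" / "man" / ".man10").mkdir(parents=True)   # Beastkit artifact
        (image / "usr" / "bin").mkdir(parents=True)
        (image / "usr" / "bin" / "ls").write_text("benign placeholder\n")
        sysfs = Path(tmp) / "sys" / "class" / "net"
        for name, flags in (("lo", "0x9"), ("eth0", "0x1103"), ("eth1", "0x1003")):
            (sysfs / name).mkdir(parents=True)
            (sysfs / name / "flags").write_text(flags + "\n")
        return {
            "artifacts": check_known_files(image),
            "promiscuous": check_promisc_interfaces(sysfs),
        }


if __name__ == "__main__":
    print(demo())
```

Run against a live host, a kernel-mode rootkit that filters directory listings can hide its own artifacts from the first check, which is why rkhunter and chkrootkit are most trustworthy when run from a clean boot medium against the mounted disk; the sysfs flags check is harder to falsify because the flag is read from the interface object itself rather than from a file the rootkit controls.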
87. Screenshot: Rkhunter
Figure: Rkhunter conducting a series of tests
Figure: Rkhunter checking for rootkits

88. chkrootkit
• chkrootkit is a common Unix-based program intended to check a system for known rootkits
• Commands used by chkrootkit are:
  • # chkrootkit -l: lists all the tests conducted on the system
  • # chkrootkit -x: runs chkrootkit in expert mode

89. chkrootkit (cont'd)
chkrootkit uses the functions below to check for signs of a rootkit:

Function        Description
chkrootkit      Shell script that checks system binaries for rootkit modification
ifpromisc.c     Checks if the interface is in promiscuous mode
chklastlog.c    Checks for lastlog deletions
chkwtmp.c       Checks for wtmp deletions
check_wtmpx.c   Checks for wtmpx deletions
chkproc.c       Checks for signs of LKM trojans
chkdirs.c       Checks for signs of LKM trojans
strings.c       Quick and dirty strings replacement
chkutmp.c       Checks for utmp deletions
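The diff-based (cross-view) idea that underlies RootkitRevealer's API-versus-raw-volume comparison, the "Diff-based approach" on the Rootkit Detection slide, and chkrootkit's chkproc.c, as an added Python example that is not the code of any of those tools. The same objects are enumerated through two independent paths and the two views are diffed: the high-level view is the /proc directory listing (which a hooked readdir or getdents64 can filter), the low-level view is a brute-force probe of every PID with kill(pid, 0), which a rootkit has to hook separately. demo() exercises the diff logic on constructed views; scan_live() runs it on the current POSIX host.

```python
"""Cross-view (diff-based) hidden-process detection.

Added example; not the code of RootkitRevealer, chkrootkit's chkproc or rkhunter.
High-level view: /proc listing. Low-level view: kill(pid, 0) probe of every PID.
Anything visible to the probe but absent from /proc is a hidden-process candidate.
"""
import os

PROC = "/proc"


def diff_views(low_level, high_level):
    """Objects in the low-level view but missing from the high-level one are hidden;
    the reverse ('phantoms') is unusual and also worth a look."""
    low, high = set(low_level), set(high_level)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def proc_view(proc_dir=PROC):
    """High-level view: numeric entries of /proc, the same way ps and top obtain them."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pid_alive(pid):
    """Low-level probe: signal 0 delivers nothing but reports whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def probe_view(max_pid):
    """Low-level view: every PID from 1 to max_pid that answers the probe."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def read_max_pid(proc_dir=PROC):
    """Upper bound for the probe; falls back to the classic default if unreadable."""
    try:
        with open(os.path.join(proc_dir, "sys", "kernel", "pid_max")) as handle:
            return int(handle.read())
    except (OSError, ValueError):
        return 32768


def scan_live(proc_dir=PROC):
    """Diff the two live views, re-checking candidates to drop processes that merely
    exited or started between the two enumerations (the main false-positive source)."""
    if os.name != "posix":
        raise RuntimeError("kill(pid, 0) probing is only meaningful on POSIX hosts")
    first = diff_views(probe_view(read_max_pid(proc_dir)), proc_view(proc_dir))
    confirmed = [pid for pid in first["hidden"]
                 if pid_alive(pid) and pid not in proc_view(proc_dir)]
    return {"hidden": confirmed, "phantom": first["phantom"]}


def demo():
    """Constructed views: PID 4242 answers the probe but is absent from the listing."""
    probe_result = {1, 2, 100, 4242, 4243}
    proc_listing = {1, 2, 100, 4243}
    return diff_views(probe_result, proc_listing)


if __name__ == "__main__":
    print("constructed:", demo())
    if os.name == "posix":
        print("live:", scan_live())
```

On a modern Linux host pid_max defaults to 4194304, so the probe loop takes several seconds in Python; that is acceptable for an investigation but too slow for a tight monitoring loop. The re-check in scan_live() matters: process churn between the two enumerations is the most common reason a cross-view diff reports a "hidden" PID that is simply a process that exited a few milliseconds earlier.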
90. IceSword
• IceSword is a tool that loads a kernel driver, IsPubDrv.sys
• It lists processes, services, open/listening ports, kernel drivers, System Service Descriptor Table entries, BHOs, message hooks, and registry keys

91. Summary
• Computer viruses are programs meant to spread from one computer to another and interrupt computer operations
• A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
• Most viruses operate in two phases: the infection phase and the attack phase
• Virus detection methods are: scanning, integrity checking, and interception
• A Trojan horse is a malicious, security-breaking program that is disguised as a useful program
• Spyware is software installed on a computer without the knowledge of the user