Pentesting

Malware Types

  • Malware

    • is software designed to harm or secretly access a computer system without the owner's informed consent

    • based on the intent of the creator rather than specific features

  • Overt channels - legitimate communication channels used by programs across a system or a network

  • Cover channels - used to transport data in unintended ways

  • Wrappers

    • programs that allow you to bind an executable of your choice

    • They have their own signatures and can show up on AV scans

  • Crypters - use a combination of encryption and code manipulation to make malware undetectable to AV and other security monitoring products

  • Packers - use compression to pack the malware executable into a smaller size

  • Exploit Kits - platforms from which you can deliver exploits and payloads

    • Examples:

      • Infinity

      • Bleeding Life

      • Crimepack

      • Blackhole Exploit Kit

Trojans

  • Software that seems to perform a desirable function for the user before running or installing but instead steals information or harms the system

    • a method to gain and maintain access to a target machine

    • they are the means of delivery and the backdoor provides the open access

  • Types

    • Defacement Trojan

    • Proxy server Trojan - allows an attacker to use the target system as a proxy

    • Botnet Trojan - (Chewbacca and Skynet)

    • Remote Access Trojan - (RAT, MoSucker, Optix Pro and Blackhole)

      • Covert Channel Tunneling Trojan (CCTT) - form of remote access Trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized streams

        • provides an external shell from within an internal environment

        • e-banking Trojan (Zeus and Spyeye)

    • Command shell Trojan

      • provide a backdoor to the system that you connect via cli

    • Common Trojan Ports

Monitoring Tools

  • Fport - reports all open TCP/IP and UDP ports and maps them to the owning applications

  • What'sRunning

    • TCPView

    • IceSword

    • Process Explorer

    • SysAnalyzer

    • Tiny Watcher

    • Active Registry Monitor

    • Regshot

    • Tripwire

    • SIGVERIF

Viruses and Worms

  • Viruses

    • program that creates copies of themselves in other programs and activate on some sort of trigger event

    • they usually get installed on a system via file attachments, user clicks on embedded e-mails, or the installation of pirated software

    • virus hoax or fake antivirus lets a target know about a terrible virus running and provides them an antivirus program to protect themselves with.

  • Ransomware

    • Type of malicious software designed to deny access to a computer system or data until a ransom is paid

    • Typically spreads through phishing emails or visiting infected websites

    • Examples

      • WannaCry

      • Eternal Blue

      • Cryptobit

      • CryptoLocker

      • CryptoDefense

      • police-themed

        • Locky

        • Petya

  • Worms

    • A self-replicating malware program that uses a computer network to send copies of itself to other systems without human intervention

    • resides in active memory and duplicates itself, eating resources and wreaking havoc along the way

    • Often used in the creation of botnets

    • Examples

      • Conficker

        • disabled services

        • denied access to administrator shared drives

        • locked users out of directories

        • restricted access to security-related sites

      • Ghost Eye Worm - tool that uses random messaging on Facebook and other sites to perform a host of malicious effort.

      • Code Red

        • exploited indexing software on IIS servers in 2001

        • used a buffer overflow and defaced hundreds of thousands of servers

      • Darlloz

        • Linux based worm that targets running ARM, MIPS and PowerPC architectures (usually routers, set-top boxes and security cameras)

      • Slammer

        • Also known as SQL Slammer, Sapphire, SQL_HEL and Helkern

        • A denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL services

        • Spreads quickly using UDP and can bypass sensors because of its small size (entire worm fits in a single packet)

      • Nimda

        • File infection virus that modified and touched nearly all web content on a machine

        • Spreads through e-mail, open network shares, and websites

        • Takes advantage of backdoors left on machines infected by the Code Red Worm

      • Bug Bear

        • Propagates over open network shares and e-mail

        • Often sets up a backdoor for later use and has keylogging capabilities

      • Pretty Park

        • Spreads via e-mail

        • Takes advantage of IRC to propagate stolen passwords

Related Notes

  • Malware Analysis

  • Denial of Service

PreviousMalware Analysis PrimerNextRootkits

Last updated