File000145

Module XXXII – Investigating Virus,
Trojan, Spyware and Rootkit Attacks

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Police ‘Find’ Author of
Notorious Gpcode Virus
Source: http://www.infoworld.com/
September 30, 2008
The infamous Gpcode "ransomware" virus that hit computers in July was the work of a single person who is
known to the authorities, a source close to the hunt for the attacker has told Techworld.
The individual is believed to be a Russian national, and has been in contact with at least one anti-malware
company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.
Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack --
and probably earlier attacks in 2006 and 2007 -- using a variety of forensic evidence, not least that he was able
to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.
The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied
researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public
key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual
had access to the private "master" key and must therefore be genuine.
Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the
world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the United
States, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single
botnet to get Gpcode on to victim's machines.
Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one,
allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed,
however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested,"
the Kaspersky source confirmed.

EC-Council
News: Researchers - Banks Need
Better Security
Source: http://www.mxlogic.com/

EC-Council
News: Worms Attack Facebook,
MySpace
05 December, 2008 12:49:00
Panda Security has detected Boface.G, a new worm that uses the Facebook and MySpace social
networks to spread.
“Worms are programmes that make copies of themselves in different places on a computer,” says
Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “The objective of this type of
malware is usually to saturate computers and networks, preventing them from being used.”
The Boface.G worm posts a link on the infected users’ profile or contacts panel to a fake YouTube
video. Alternatively, it sends the infected users’ contacts a private message with the link. When they
try to watch the video (which seems to come from one of their friends) they are taken to a web page
where they are encouraged to download a Flash Player update to watch it. However, if they do so, they
will let a copy of the worm into their computers and will infect of all their contacts.
“Social networks attract millions of users and have become one of cyber-crooks’ favourite ways to
spread their malicious creations,” says Matthews. “Users of these social networks should try to
confirm the origin of these messages before following links or downloading items to their computers”.
According to PandaLabs, one of the two social networks under attack has already taken measures to
protect users from this malware. For protection against attacks like these, Facebook and MySpace
users are encouraged to have an updated antivirus.
Source: http://mybroadband.co.za/

EC-Council
News: Webroot® Threat Advisory: Hackers Using
Continental Flight 1404 Headlines to Scam
Online News-Seekers
Source: http://news.prnewswire.com /

EC-Council
News: Rootkit Unearthed in Network
Security Software
Source: http://www.theregister.co.uk/

EC-Council
News: PandaLabs’ 2009 Predictions -
Malware Will Increase in 2009
Banker Trojans, Fake Antivirus Software, SQL Injection Attacks, Customized Packers & Obfuscators among the Most Popular
Expected Cybercriminal Tactics
Glendale, CA (PRWEB) December 21, 2008 -- PandaLabs, Panda Security's malware analysis and detection laboratory, today announced
that a significant increase in the volume of malware (viruses, worms, Trojans, etc.) is expected in 2009. Panda Security's laboratory
detected more malware strains in the eight months between January and August of 2008 than in the previous 17 years combined.
Summing up, malware in 2009 is expected to grow and become more sophisticated and more difficult to detect. There
will also be an increase in Web-based attacks and attacks through social networks, which allow for more silent
infections The financial crisis will also bring an increase in malware and false job offers.
In addition to an overall growth in malware, PandaLabs made the following predictions:
1. Banker Trojans and fake antivirus solutions will be the most prevalent forms of malware in 2009. Banker Trojans are designed to
steal login passwords for banking services, account numbers, etc., whereas fake antivirus solutions try to pass themselves off as real
antivirus products to convince users they have been infected by malicious codes.
2. Social Networks will be a focal attack point by cybercriminals. We will continue to see worms in social networks spread malware from
one user to another. Malicious codes designed to steal confidential data from unsuspecting users will also become more prevalent.
3. SQL injection attacks will continue to rise. SQL injection attacks involve vulnerabilities on the servers that host specific sites. Cyber-
criminals exploit these vulnerabilities by infecting users that visit these Web pages without realizing they've been attacked.
4. Customized packers and obfuscators will grow in popularity. These tools are used by cybercriminals to compress malware and make
detection more difficult. Criminals capitalizing on this form of attack will often successfully avoid the standard tools available in
forums, websites, etc., and instead turn to their own obfuscators in an attempt to evade 'signature-based' detection by security
solutions.
5. Expect a resurgence of classic malicious codes. The use of increasingly sophisticated detection technologies will drive cyber-crooks to
turn to old codes, adapted to new needs.
6. Attacks on new operating systems and computing platforms will be on the rise. PandaLabs forecasts a significant proliferation of
malware targeting new platforms such as Mac OS Leopard X, Linux or iPhone in the coming year. However, these new codes will
never be as numerous as those for Windows systems.
7. Increased targeted attacks around issues stemming from the financial crisis will continue into 2009. Over the last few months of
2008, PandaLabs has reported a clear correlation between the financial crisis and an increase in malware strategies and techniques.
Source: http://www.prweb.com/

EC-Council
Module Objective
• Viruses and Worms
• How to know a Virus Infected System
• Characteristics of a Virus
• Symptoms of Virus-Like Attack
• Indications of Virus Attack
• Stages of Virus Life
• Virus Detection Methods
• How to Prevent a Virus
• Trojans and Spywares
• Indications of a Trojan Attack
• Remote Access Trojans (RAT)
• Anti virus Tools
• Anti Trojan Tools
This module will familiarize you with:

EC-Council
Module Flow
Viruses and Worms
Virus Detection Methods Indications of Virus Attack
Anti Trojan Tools Antivirus Tools
Remote Access Trojans (RAT)Trojans and Spyware
Characteristics of a Virus

EC-Council
Statistics of the Malicious and
Potentially Unwanted Programs

EC-Council
Virus Top 20 for January 2008

EC-Council
Virus
Computer viruses are malicious software programs that infect
computers and corrupt or delete the data on them
Viruses spread through email attachments, instant messages,
downloads from the Internet, contaminated media etc.
• File infectors: Attach themselves to program files
• System or boot-record infectors: Infect executable code
found in certain system areas on a disk
• Macro viruses: Infect Microsoft Word application
Viruses are generally categorized as:

EC-Council
Worms
A worm is a special type of virus that can replicate itself and use
memory, but cannot attach itself to other programs
It is considered as a sub class of a virus
It takes advantage of file or information transport features on
the system allowing it to travel independently
It spreads through the infected network automatically but a
virus does not

EC-Council
Characteristics of a Virus
Resides in the memory and replicates itself while the program where it
attached is running
It does not reside in the memory after the execution of program
• Encrypts itself into cryptic symbols
• Alters the disk directory data to compensate the additional virus
bytes
• Uses stealth algorithms to redirect disk data
Hides itself from detection by three ways:

EC-Council
Working of a Virus
Trigger events and direct attack are the common modes which cause a virus to “go off” on a target system
Most viruses operate in two phases:
• Virus developers decide when to infect host system’s programs
• Some infect each time they are run and executed completely
•Ex: Direct Viruses
• Some virus codes infect only when users trigger them which include a day, time, or
a particular event
•Ex: TSR viruses which get loaded into memory and infect at later stages
Infection Phase:
• Some viruses have trigger events to activate and corrupt systems
• Some viruses have bugs which replicate and perform activities such as file deletion,
increasing session time
• They corrupt the targets only after spreading completely as intended by their
developers
Attack Phase:

EC-Council
Working of a Virus: Infection
Phase
File HeaderFile Header
IP IP
Start of Program
End of Program
Virus Jump
. EXE File . EXE File
Before
Infection
After
Infection
Start of
Program
End of Program
Attaching .EXE File to Infect the Programs

EC-Council
Working of a Virus: Attack Phase
Page: 3Page: 2Page: 1 Page: 3Page: 2Page: 1
Unfragmented File Before Attack
File: A File: B
Page: 1
File: B
Page: 3
File: B
Page: 1
File: A
Page: 2
File: A
Page:2
File: B
Page: 3
File: A
File Fragmentation Due to Virus Attack
Slowdown of PC due to Fragmented Files

EC-Council
Symptoms of a Virus-Like Attack
If the system acts in an unprecedented manner, you can suspect a virus attack
• Example: Processes take more resources and are time consuming
However, not all glitches can be attributed to virus attacks, examples include::
• Certain hardware problems
• If computer beeps with no display
• If one out of two anti-virus programs report virus on the system
• If the label of the hard drive change
• Your computer freezes frequently or encounters errors
• Your computer slows down when programs are started
• You are unable to load the operating system
• Files and folders are suddenly missing or their content changes
• Your hard drive is accessed too often (the light on your main unit flashes rapidly)
• Microsoft Internet Explorer "freezes"
• Your friends mention that they have received messages from you but you never sent such messages

EC-Council
Indications of a Virus Attack
• Programs take longer to load than normal
• Computer's hard drive constantly runs out of free space
• Files have strange names which are not recognizable
• Programs act erratically
• Resources are used up easily
Indications of a virus attack:

EC-Council
Modes of Virus Infection
Viruses infect the system in the ways such as:
• Loads itself into memory and checks for executables
on the disk
• Appends the malicious code to a legitimate program
without the knowledge of the user
• Since the user is unaware of the replacement, he/she
launches the infected program
• As a result of the infected program being executes,
other programs get infected as well
• The above cycle continues until the user realizes the
anomaly within the system

EC-Council
Stages of Virus Life
Computer virus involves various stages right from its design to elimination
Replication
Design
Launch
Detection
Incorporation
Elimination
Users are advised to install anti-virus
software updates thus creating awareness
among user groups
Anti-virus software developers assimilate
defenses against the virus
A virus is identified as threat infecting
target systems
It gets activated with user performing certain actions like
triggering or running a infected program
Developing virus code using programming languages
or construction kits
Virus first replicates for a long period of time within the target
system and then spends itself

EC-Council
Virus Classification
Viruses are classified based on the below criteria:
What they Infect
How they Infect

EC-Council
Virus Classification (cont’d)
• Infects disk boot sectors and records
System Sector or Boot Virus:
• Infects executables in OS file system
File Virus:
• Infects documents, spreadsheets and databases such as Word, Excel and Access
Macro Virus:
• Overwrites or appends host code by adding Trojan code in it
Source Code Virus:
• Spreads itself via email by using command and protocols of computer network
Network Virus:

EC-Council
How Does a Virus Infect?
• Can hide from anti-virus programs
Stealth Virus:
• Can change their characteristics with each infection
Polymorphic Virus:
• Maintains same file size while infecting
Cavity Virus:
• They hide themselves under anti-virus while infecting
Tunneling Virus:
• Disguise themselves as genuine applications of user
Camouflage Virus:

EC-Council
Storage Patterns of a Virus
Shell Virus:
• Virus code forms a shell around target host program’s code, making itself the original program and host code as its
sub-routine
Add-on Virus:
• Appends its code at the beginning of host code without making any changes to the latter one
Intrusive Virus:
• Overwrites the host code partly, or completely with viral code
Direct or Transient Virus:
• Transfers all the controls to host code where it resides
• Selects the target program to be modified and corrupts it
Terminate and Stay Resident Virus (TSR):
• Remains permanently in the memory during the entire work session even after the target host program is executed and
terminated
• Can be removed only by rebooting the system

EC-Council
Virus Detection
Use an anti virus software to detect the virus
Scan the system for any unwanted programs running on it
Anti-virus software uses two methods of virus detection:
• Virus signature definitions
• Heuristic algorithm
Virus signature definitions examines the content of the computer's
memory and compares them with the database of known virus signatures
Heuristic algorithm finds the viruses based on their behavior
Heuristic algorithms help in creating a virus signature for new and
unknown viruses

EC-Council
Virus Detection Methods
• Once a virus has been detected, it is possible to write
scanning programs that look for signature string
characteristic of the virus
Scanning
• Integrity checking products work by reading your entire disk
and recording integrity data that acts as a signature for the
files and system sectors
Integrity Checking
• The interceptor monitors operating system requests that
write to disk
Interception

EC-Council
Virus Incident Response
Detect the Attack: Not all anomalous behavior can be attributed to
Viruses
Trace processes using utilities such as handle.exe, listdlls.exe,
fport.exe, netstat.exe, pslist.exe, and map commonalities between
affected systems
Detect the virus payload by looking for altered, replaced or deleted
files
Check for new files, changed file attributes or shared library files
Acquire the infection vector, isolate it; Update anti-virus and rescan
all systems

EC-Council
Investigating Viruses
When a file is infected with virus make a copy of the file and perform the actions on
that file
For a serious kind of virus attack, have an expert to dissert the virus to check for
modifications
Check for the date and time of last changed of infected files
When a first computer infected is found check for the non-standard programs which
are not part of the company’s normal applications
Question the compute r user for the source of the infected file

EC-Council
Trojans and Spyware
• Trojan horse is a malicious, security-breaking program that
is disguised as any useful program
• They are executable programs that installs when a file is
opened
• They get activated without the intervention of the user
• As like viruses, Trojans do not distribute itself from one
system to another
• Trojans let others control a user’s system
Trojans:
• Spyware is the software installed on the computer without
the knowledge of the user
• Spyware pretends to be programs that offer useful
applications, but they actually acquire the information of the
computer and sends it to remote attacker
• Spyware is also know as adware
Spyware:

EC-Council
Working of Trojans
Attacker gets access to the Trojaned system as the system goes online
By way of the access provided by the Trojan, the attacker can stage different
types of attacks
Internet
Trojaned SystemAttacker

EC-Council
How Spyware Affects a System
Most of the spyware infects the system through warez and porn sites
Peer to peer software is also used in installing spyware
Some websites trick the user to download software claiming to be a legitimate
one, that when installed performs illicit actions
The other source of attacks are porn dialers and premium rate dialers

EC-Council
What Spyware Does to the
System
Once spyware enters a system it gathers information about the
computer without user’s knowledge
It gathers information such as personal data, passwords, bank account
information and send it to an illegitimate user through the Internet
Keyloggers are used to track the information about the data that is
typed by the user on the computer
The PC and the web browser can also be hacked making the user
navigate to unwanted websites

EC-Council
What Do Trojan Creators
Look For?
Credit card information
Account data (email addresses, passwords, user names, and so on)
Confidential documents
Financial data (bank account numbers, social security numbers, insurance information, and so on)
Calendar information concerning victim’s whereabouts
Using the victim’s computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or
Internet
Hacker

EC-Council
Different Ways a Trojan Can Get
into a System
Instant Messenger applications
IRC (Internet Relay Chat)
Attachments
Physical access
Browser and email software bugs
NetBIOS (FileSharing)
Fake programs
Untrusted sites and freeware software
Downloading files, games, and screensavers from Internet sites
Legitimate "shrink-wrapped" software packaged by a disgruntled employee

EC-Council
Identification of a Trojan Attack
CD-ROM drawer opens and closes by itself
Computer screen flips upside down or inverts
Wallpaper or background settings change by themselves
Documents or messages print from the printer by themselves
Computer browser goes to a strange or unknown web page by itself
Windows color settings change by themselves
Screensaver settings change by themselves

EC-Council
(cont’d)
Right and left mouse buttons reverse their functions
Mouse pointer disappears
Mouse pointer moves and functions by itself
Windows Start button disappears
Strange chat boxes appear on the victim’s computer
The ISP complains to the victim that his/her computer is IP
scanning

EC-Council
(cont’d)
People chatting with the victim know too much personal information about him or his
computer
Computer shuts down and powers off by itself
Taskbar disappears
The account passwords are changed, or unauthorized persons can access legitimate accounts
Strange purchase statements appear in credit card bills
The computer monitor turns itself on and off
Modem dials and connects to the Internet by itself
Ctrl+Alt+Del stops working
While rebooting the computer, a message flashes that there are other users still connected

EC-Council
Remote Access Trojans (RAT)
Remote Access Trojans (RATs) are malicious software programs used to control
the users computer through his/her Internet connection
It lets the intruders view and change the computer files and functions
It monitors and records the activities, and use the computer to attack other
computers without the user’s knowledge
It gets into the computer as hidden in illicit software and other files and programs
that is downloaded from the Internet
It takes advantage of the vulnerabilities in the software or the Internet and affects
the computer without any action being performed

EC-Council
Remote Access Trojans (RAT)
(cont’d)
• Expose to the scams
• Find the files
• Record the typing
• Capture video and audio
• Run or end a program, process or connection
• Create pop –ups
• Attack other computers
This ability can be used by the intruders to:
• Have a safe online community
• Use a firewall
• Update the computer regularly
• Use anti virus and anti spyware software
To protect from RAT attacks:
RAT provides a remote control to the computer through an Internet connection

EC-Council
Ports Used by Trojans
Trojan Protocol Ports
Back Orifice UDP 31337 or 31338
Deep Throat UDP 2140 and 3150
NetBus TCP 12345 and 12346
Whack-a-mole TCP 12361 and 12362
NetBus 2 Pro TCP 20034
GirlFriend TCP 21544
Masters Paradise TCP
3129, 40421, 40422,
40423 and 40426

EC-Council
Anti virus Tools

EC-Council
AVG Antivirus
www.grisoft.com
Security protection against viruses, worms, Trojans and potentially unwanted programs
• Quality proven by all major antivirus certifications (VB100%, ICSA, West Coast Labs
Checkmark)
• Improved virus detection based on better heuristics and NTFS data streams scanning
• Smaller installation and update files
• Improved user interface
Features:

EC-Council
AVG Antivirus: Screenshot

EC-Council
Norton Antivirus
www.symantec.com
• Protects from viruses, and updates virus definitions
automatically
• Detects and repairs viruses in email, instant
messenger attachments and compressed folders
• Monitors network traffic for malicious activity
Features:
• Full system scan
• Custom scan
• Schedule scan
• Scan from the command line
Scan options provided by Norton
antivirus are:

EC-Council
McAfee
www.mcafee.com
Features:
• SpamKiller:
• Stops spam from infecting the inbox
• SecurityCenter:
• Lists computer security vulnerabilities
• Offers free real-time security alerts
• VirusScan:
• ActiveShield: Scans the files in real time
• Quarantine: Encrypts the infected files in the
quarantine folder
• Hostile Activity Detection: Examines computer
for malicious activity

EC-Council
Kaspersky Anti-Virus
Provides traditional anti-virus protection based on the latest protection technologies
Allows users to work, communicate, surf the Internet, and play online games on
computer safely and easily
Protects from viruses, Trojans and worms, spyware, adware, and all types of
keyloggers
Protection from viruses when using ICQ and other IM clients
Detects all types of rootkits
Provides three types of protection technologies against new and unknown threats:
•Hourly automated database updates
•Preliminary behavior analysis
•On-going behavior analysis

EC-Council
BitDefender
BitDefender 2008 is an outstanding product with a user–
friendly interface
It scans all existing files on computer, all incoming and
outgoing emails, IM transfers, and all other network traffic
It has also improved their existing B–HAVE feature that runs
pieces of software on a virtual computer to detect code that
could be an unknown virus
• “Privacy Protection” for outgoing personal information
• “Web Scanning” while you are using the Internet
• “Rootkit Detection and Removal,” which detects then removes
hidden virus programs
Features:

EC-Council
Anti Virus Tools (cont’d)
SocketShield is a zero-day exploit blocker
It can block exploits from entering the computer,
regardless of how long it takes for the vendors of
vulnerable applications to issue patches
CA Anti-Virus provides comprehensive
protection against viruses, worms, and Trojan
horse programs
It detects viruses, worms, and Trojans

EC-Council
F-Secure Anti-Virus 2007 is an anti-virus tool software
developed by F-Secure Corporation
It offers an easy to use protection for your computer
against viruses, worms, and rootkits
F-Prot Antivirus is an antivirus software package,
which protects your data from virus infection and
removes any virus that may have infected your computer
system
It features real-time protection and email scanning, as
well as heuristic detection of suspected viruses

EC-Council
Panda Antivirus Platinum transparently eliminates
viruses at the desktop and TCP/IP (Winsock) level
It detects and disinfects viruses before they can touch your
hard drive
avast! Virus Cleaner removes selected virus & worm
infections from your computer
It deactivates the virus present in memory

EC-Council
Norman Virus Control uses the same core components
as the corporate version, except network and network
management functionality
The unique Norman SandBox II technology protects
against new and unknown computer viruses, worms, and
trojans
ClamWin detects and removes a wide range of viruses and
spyware and offers email scanning
It performs automatic Internet updates, scheduled scans,
and email alerts on virus detection

EC-Council
Anti Trojan Tools

EC-Council
TrojanHunter
TrojanHunter is an advanced Trojan scanner and toolbox, that searches for and
removes Trojans from your system
It uses several proven methods to find a wide variety of Trojans such as file
scanning, port scanning, memory scanning, and registry scanning
TrojanHunter also allows you to add custom Trojan definitions and detection rules

EC-Council
Comodo BOClean
Comodo BOClean protects your computer against Trojans, malware, and other
threats
It constantly scans your system in the background and intercepts any recognized
Trojan activity
The program can ask the user what to do, or run in unattended mode and
automatically shutdown and remove any suspected Trojan application
Features:
•Destroys malware and removes registry entries
•Does not require a reboot to remove all traces
•Disconnects the threat without disconnecting you
•Generates optional report and safe copy of evidence
•Automatically sweeps and detects INSTANTLY in the background
•Configurable "Stealth mode" completely hides BOClean from users
•Updates automatically from a network file share

EC-Council
Trojan Remover: XoftspySE
Xoftspy detects and removes all the spyware trying to
install on your PC
It scans for more than 42,000 different Spyware and
Adware parasites
It finds and removes threats including: Spyware, worms,
hijackers, Adware, Malware, keyloggers, hacker tools, PC
parasites, Trojan Horses, spy programs, and trackware
It get alerts about potentially harmful websites

EC-Council
Trojan Remover: Spyware Doctor
Spyware Doctor is an adware and spyware removal utility that detects and cleans thousands of potential spyware, adware,
Trojans, keyloggers, spyware, cookies, trackware, spybots, and other malware from your PC
This tool allows you to remove, ignore, or quarantine identified Spyware
It also has an OnGuard system to immunize and protect your system against privacy threats as you work
By performing a fast detection at Windows start-up, you will be alerted with a list of the identified potential threats

EC-Council
SPYWAREfighter
SPYWAREfighter is a powerful and reliable software that allows you
to protect your PC against Spyware, Malware, and other unwanted
software
Uses a security technology that protect Windows users from
spyware and other potentially unwanted software
Reduces negative effects caused by spyware, including slow PC
performance, annoying pop-ups, unwanted changes to Internet
settings, and unauthorized use of your private information
Continuous protection improves Internet browsing safety by
scanning for more than 220.000 known threads

EC-Council
Evading Anti-Virus Techniques
Never use Trojans from the wild (anti-virus can detect these easily)
Write your own Trojan and embed it into an application
• Convert an EXE to VB script
• Convert an EXE to a DOC file
• Convert an EXE to a PPT file
Change Trojan’s syntax
Change the checksum
Change the content of the Trojan using hex editor
Break the Trojan file into multiple pieces

EC-Council
Sample Code for Trojan
Client/Server
Trojanclient.java Trojanserver.java

EC-Council
Evading Anti-Trojan/Anti-Virus
Using Stealth Tools
It is a program that helps to
send Trojans or suspicious
files that are undetectable to
anti-virus software
Its features include adding
bytes, bind, changing strings,
creating VBS, scramble/pack
files, split/join files

EC-Council
Backdoor Countermeasures
Most commercial anti-virus products can automatically scan
and detect backdoor programs before they can cause damage
An inexpensive tool called Cleaner
(http://www.moosoft.com/cleaner.html) can identify and
eradicate 1,000 types of backdoor programs and Trojans
Educate users not to install applications downloaded from the
Internet and email attachments

EC-Council
Tool: Tripwire
Tripwire will automatically calculate cryptographic
hashes of all key system files or any file that is to be
monitored for modifications
It is a System Integrity Verifier (SIV)
Tripwire software works by creating a baseline
“snapshot” of the system
It will periodically scan those files, recalculate the
information, and see if any of the information has
changed and, if there is a change, an alarm is raised

EC-Council
System File Verification
Windows 2000 introduced Windows File Protection
(WFP), which protects system files that were installed by
the Windows 2000 setup program from being
overwritten
The hashes in this file could be compared with the SHA-
1 hashes of the current system files to verify their
integrity against the factory originals
The sigverif.exe utility can perform this verification
process

EC-Council
MD5sum.exe
It is an MD5 checksum utility
It takes an MD5 digital snapshot of system files
If you suspect a file is Trojaned, then compare the MD5 signature with the snapshot checksum
Command: md5sum *.* > md5sum.txt

EC-Council
Tool: Microsoft Windows
Defender
Windows Defender is a free program that helps
protect your computer against pop-ups, slow
performance, and security threats caused by
spyware and other unwanted software
It features Real-Time Protection, a monitoring
system that recommends actions against spyware
when it's detected

EC-Council
Introduction of Rootkit
Rootkit is a group of programs that install a Trojan logon replacement with a backdoor,
along with a packet sniffer, on UNIX systems as well as Windows systems
The sniffer can be used to capture network traffic, including user credentials
Rootkit hides its presence on the target host
It act by modifying the host operating system so that the malware is hidden from the user
It will remain undetected and can prevent a malicious process from being reported in the
process table

EC-Council
Attacks Approach
Modifying of data structures, which display the processes currently running on the system
System call interception
• Modifying the system call table
• Modifying the system call handler code
Interrupt Hooking
• Modifying the interrupt descriptor table
• Modifying the interrupt handler (in particular for the system calls)
Modifying the kernel memory image (/dev/kmem)
Intercepting calls handled by the VFS
Virtual memory subversion

EC-Council
Types of Rootkits
• It is associated with malware that activates each time the system boots
Persistent Rootkits
• These are malware that has no persistent code and therefore does not survive a reboot
Memory-Based Rootkits
• It might intercept all calls to the Windows FindFirstFile/ FindNextFile APIs
User-mode Rootkits
• It intercept the native API in kernel-mode, and can also directly manipulate kernel-
mode data structures
Kernel-mode Rootkits
Rootkits are differentiated into:

EC-Council
Rootkit Detection
Detour Functions
• This approach is directed towards detecting hidden processes
Diff-based approach
• This approach uses kernel data structures in-order to view the processes running in the system
Comparing symbol address
• It detects system call interception events
Binary Analysis
• This approach observes the locations in the kernel address space
Execution Path Analysis
• Change in the execution path of the normal system call is observed
Virtual Machines
• VMware virtual machine is used to detect rootkits
Depending on the type of attack different rootkit detection approaches are implemented as
follows:

EC-Council
Windows Rootkit

EC-Council
Fu Rootkit
Fu rootkit hides or stealth files and registry keys
It is often used in conjunction with other malware
FU rootkit manipulates Kernel Object directly to hide processes, elevate process
privileges, fake out the Windows Event Viewer so that forensics is impossible

EC-Council
Vanquish
Vanquish is a DLL injection based rootkit
It hides files, folders, registry entries and logs passwords
It is installed without user interaction through security exploits, and can severely
compromise system security

EC-Council
AFX Rootkit
AFX Rootkit is created by Aphex in 2004
AFX Rootkit uses the driver "mc21.tmp" located in the Temp folder
AFX RootKit installs the hidden service to the Windows subfolder
AFX Rootkit hides:
Processes Handles
Modules Files & Folders
Registry Values Services
TCP/UDP Sockets Systray Icons

EC-Council
Linux Rootkits

EC-Council
Knark
Knark is a kernel-based rootkit
The hidden directory /proc/knark is created after the knark is loaded
• Files:
• List of hidden files on the system
• Nethides:
• List of strings hidden in /proc/net/[tcp|udp]
• Pids:
• List of hidden pids, ps-like output
• Redirects:
• List of exec-redirection entries
Files created in the directory:

EC-Council
Adore
Adore digs up the inode for the root file system, and replaces that
inode's readdir() function pointer
Adore hooks itself into the lookup function for /proc
It replaces the show() function for /proc/net/tcp

EC-Council
Ramen
Ramen is a rootkit that exploit the problems in rpc.statd and wu-ftpd
programs in the Linux system
It replaces the web server's default page and installs a rootkit
It sends e-mail to two web-based accounts and starts scanning the network for
its next victim
The author or some one else use the rootkit to access the infected system

EC-Council
Beastkit
Beastkit rootkit was found on a Red Hat 7.2 System
The rootkit setup script includes the line "#Beastkit 7.0 - X-Org edition“
It uses the open port 56493
Search these files for the presence of the Beastkit rootkit:
• usr/local/bin/bin
• usr/man/.man10
• usr/sbin/arobia
• usr/lib/elm/arobia
• usr/local/bin/.../bktd

EC-Council
Rootkit Detection Tools

EC-Council
UnHackMe
UnHackMe detects the AFX Rootkit and kills it

EC-Council
UnHackMe Procedure
Click the Check button
If a Trojan is found you will see the
Results page
Click on the Stop button and restart
your computer

EC-Council
F-Secure BlackLight
F-Secure BlackLight detects hidden files, folders and processes
It also remove hidden malware by renaming them
Figure: F-Secure BlackLight Examining the process list

EC-Council
RootkitRevealer
RootkitRevealer detects rootkits including AFX, Vanquish and HackerDefender
It compares the results of a system scan at the Windows API with raw contents of a file
system volume or Registry hive
Usage:
• rootkitrevealer [-a [-c] [-m] [-r] outputfile]

EC-Council
Microsoft Windows Malicious
Software Removal Tool
The Microsoft Windows Malicious Software Removal Tool checks
computers for infections by specific, prevalent malicious software
After detection and removal process is complete, the tool displays a
report describing the outcome

EC-Council
Rkhunter
Rkhunter detect rootkits, sniffers, and backdoors
It runs a series of test to check default files used by rootkits
It also searches for default directories, wrong permissions, hidden files, and
suspicious strings in kernel modules
Command used for running Rkhunter:
• # rkhunter –c
Series of tests conducted are as follows:
• MD5 tests to check for any changes
• Checks the binaries and system tools for any rootkits
• Checks for Trojan specific characteristics
• Checks for any suspicious file properties of most commonly used programs
• Scans for any promiscuous interfaces

EC-Council
Screenshot: Rkhunter
Figure: Rkhunter conducting a series of tests
Figure: Rkhunter checking for rootkits

EC-Council
chkrootkit
chkrootkit is a common Unix-based program intended to check
system for known rootkits
Commands used by chrootkit are:
• # chkrootkit –l: list out all the tests conducted on system
• # chkrootkit -x : runs chrootkit in expert mode

EC-Council
chkrootkit (cont’d)
Function Description
Chkrootkit
Shell script that checks system binaries for rootkit
modification
ifpromisc.c Checks if the interface is in promiscuous mode
chklastlog.c Checks for lastlog deletions
chkwtmp.c Checks for wtmp deletions
check_wtmpx.c Checks for wtmpx deletions
chkproc.c Checks for signs of LKM trojans
chkdirs.c Checks for signs of LKM trojans
strings.c Quick and dirty strings replacement
chkutmp.c Checks for utmp deletions
chkrootkit uses the below functions to check for signs of a rootkit:

EC-Council
IceSword
IceSword is a tool which loads a kernel driver IsPubDrv.sys
It lists processes, services, open/listen ports, kernel drivers, System Service
Descriptor Table entries, BHOs, messages hooks, registry keys

EC-Council
Summary
Computer viruses are the software programs meant to infect computers from one to
another and interrupt computer operations
A worm is a special type of virus that can replicate itself and use memory, but cannot
attach itself to other programs
Most viruses operate in two phases: Infection Phase, Attack Phase
Virus Detection Methods are: Scanning, Integrity Checking, Interception
Trojan horse is a malicious, security-breaking program that is disguised as any useful
program
Spyware is software installed on the computer without the knowledge of the user

EC-Council

File000145

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (9)

Ähnlich wie File000145

Ähnlich wie File000145 (20)

Mehr von Desmond Devendran

Mehr von Desmond Devendran (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

File000145