Chapter 9: Malware and Other Digital Attacks

The difference between a threat and a treat is one letter. Malware is a treat depending on which side of the malware you're on. Malware is probably one of the biggest threats we have from a security perspective, for our networks in a professional capacity as well as our own private networks and devices.

As you read through this chapter, you will gain a greater understanding and awareness regarding what malware is, what it's designed to do, and the various methods of how malware infects a target.

In this chapter, we will cover the following main topics:

  • So, what is malware?
  • What is a Trojan?
  • Viruses and worms
  • Denial of Service (DoS) threats
  • Session-hijacking threats
  • Master list of countermeasures

One of the hardest struggles information technology (IT) people and end users deal with is that we've become so complacent, and so used to networks just working, that we don't care how they work.

Nathaniel Branden stated: "The first step towards change is awareness. The second step is acceptance." This reminds me of The Untouchables, one of my favorite movies, starring Sean Connery and Kevin Costner.

Kevin plays Eliot Ness, one of the Untouchables, while Sean plays a street cop who's very much aware of the environment. When Ness tells him he is going to go after Al Capone, Sean's character reveals to him all the stuff that's going on and then proceeds to ask: "What are you willing to do about it?" The question is, are we going to be complacent, or are we going to think a little bit differently here?

That's my goal for this chapter: to get us thinking differently.

So, what is malware?

Simply stated…it's a piece of software or computer program used to perform malicious actions or attacks on a target. Its name gives away what it does. Malware is a blend of two words: malicious and software. We have malware for computers, phones, tablets, and so on. The mobile industry is huge with malware right now. Once installed, attackers can potentially gain total control over your devices, or at least over the data on your devices.

Attackers can infect any computing device—including tablets and smartphones—with malware. Any person, company, or device is a target. The more computers and devices an attacker can infect, the more money they can make. In fact, they don't care who they infect—they just want to infect as many devices and people as possible. It's a numbers game. And guess what? It comes in various forms. Malware is just a categorization of security threats.

What's the purpose of malware?

The goals of malware include the following:

  • Stealing data off your machine
  • Access to customer lists
  • Accounting data
  • Harvesting usernames and passwords
  • Deleting files
  • Changing system settings
  • Occupying space on your systems and encrypting it

If an attacker is not after you personally, they're after your resources and the access those resources give them to others. Therefore, you have an obligation to make sure your machine is not compromised, for the safety of others.

People who create, deploy, and benefit from malware can range from the whole scope of individuals who are just trying to hack their own internal network, to organized crime and government organizations. This is such a big business that people who create these sophisticated malware products are often dedicated to this purpose. It can end up growing like a snowball accumulating more and more snow as it rolls along. If I can get one piece of malware installed on any of your devices, I can use it to add additional pieces of malware.

This is so profitable that it has become a full-time job. And how do they make money off this? Once an attacker has developed and deployed their malware, they often sell the machines they've infected to other individuals or organizations. Those individuals start installing more pieces of malware, and that's where the snowball comes into play; eventually your machine ends up being a member of a botnet. This botnet is basically a mishmash of systems out there that are totally controlled by the attacker. The botnet can be remotely controlled, which cyber criminals then go and use for their purposes, and sometimes, they sell it to other cyber criminals. The reason we see such an influx of malware right now is that it is massively profitable.

You need a good understanding of how to speak Trojan (more about this in the next section) to survive. The people who create malware use components that can help them achieve the goals they have in mind.

The basic components of malware include the following:

  • Crypter—This software program conceals the existence of malware. Attackers and hackers use this software to elude antivirus from detecting it. It also protects the malware from undergoing reverse-engineering analysis.
  • Downloader—This type of Trojan downloads other types of malware or even malicious code and files off the internet. Attackers install downloaders when they first gain access to the system.
  • Dropper—If an attacker needs to install malware or some code on the system to make it run, a dropper will do this covertly. The dropper can contain unidentifiable malware code that's undetected by antivirus scanners. It's capable of downloading additional files as needed to execute the malware on the target system.
  • Exploit—This part of the malware contains the code or sequence of commands needed to take advantage of a vulnerability on your device. It's the code an attacker uses to breach the system's security. Based on the vulnerabilities an attacker might use, exploits fall into different categories, including local exploits and remote exploits.
  • Injector—This program injects the exploit or the code from the malware into the system. It's a way of hiding the malware or preventing it from being removed.
  • Malicious code—This is the piece of code that defines the basic functionality of the malware; it comprises the commands that result in the security breach itself. It can take the form of ActiveX controls, published content, Java applets, and browser plugins.
  • Obfuscators—These are programs attackers use to conceal malware or malicious code using different techniques. It makes it a lot harder for security programs, antivirus programs, and professionals to find it and remove it.
  • Packer—This software compresses the malware file and converts the code and data of the malware to an unreadable format, making it hard for your antivirus software to detect it.
  • Payload—This is the file that is activated. It can be used for deleting your files, infecting the system, encrypting; it's basically the big bad boy.
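Packers and crypters leave a measurable trace: code and data that have been compressed or encrypted look close to random, so their byte entropy approaches 8 bits per byte, while ordinary code and text sit well below that. The following Python is an added example (not from the book) of the entropy check that static triage tools use to flag a likely packed file; the window size, the 7.2-bit threshold and the constructed sample buffers are assumptions for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.2):
    """Return (offset, entropy) for each fixed-size window at or above the threshold.

    Packed or encrypted sections are near-random, so they cross the threshold;
    plain x86 code and ASCII text usually stay between 4 and 6.5 bits per byte.
    """
    hits = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        if len(chunk) < window // 2:
            break  # a tiny trailing chunk is not a meaningful sample
        entropy = shannon_entropy(chunk)
        if entropy >= threshold:
            hits.append((offset, round(entropy, 2)))
    return hits


def looks_packed(data: bytes, window: int = 4096, threshold: float = 7.2,
                 min_fraction: float = 0.5) -> bool:
    """Heuristic verdict: likely packed when at least min_fraction of the windows
    are near-random. A packer leaves a small plain unpacking stub in front of the
    random-looking payload, so a mixed file still trips the check.
    """
    total_windows = max(1, len(data) // window)
    return len(high_entropy_windows(data, window, threshold)) / total_windows >= min_fraction


# --- constructed sample buffers (assumptions standing in for real files) ---
_rng = random.Random(1234)  # fixed seed so the results are reproducible
# Stand-in for ordinary code/text: a repeating disassembly-like string
PLAIN_SAMPLE = (b"mov eax, [ebp+8]; call 0x401000; test eax, eax; jz short loc_40; ret\n"
                * 1200)[:65536]
# Stand-in for crypter/packer output: pseudo-random bytes
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(65536))
# Stand-in for a packed executable: 8 KB plain stub followed by the packed body
STUB_PLUS_PACKED = PLAIN_SAMPLE[:8192] + PACKED_SAMPLE[8192:]


if __name__ == "__main__":
    for label, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                       ("stub+packed", STUB_PLUS_PACKED)):
        print(f"{label:12s} entropy={shannon_entropy(buf):.2f} "
              f"high-entropy windows={len(high_entropy_windows(buf))} "
              f"looks_packed={looks_packed(buf)}")
```

Run it against a real file by reading it into `bytes`; a high verdict is a reason to look closer, not proof of malice, since installers and media files are legitimately compressed.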

Next, let's look at the different types of malware.

Types of malware

How does malware get in? Malware itself can be broken down into a couple of types, as outlined here:

  • Viruses—These require human assistance. You must execute the file to get infected with a virus.
  • Worms—These are automatic. They're called worms because they squirm throughout your network infrastructure and infect targets all on their own. They don't need any human interaction.
  • Backdoor—This allows unauthorized user access by installing malicious code and exploiting system vulnerabilities, giving the attacker continued access.
  • Rootkit—This is a malicious program or group of programs that installs and executes malicious code without being recognized by the end user.
  • Botnets—Botnets are a group or network of electronic devices used for fraudulent and malicious cyberattacks. Bots are a tool used to automate large-scale group attacks such as data theft, malware distribution, and attacks on servers.
  • Ransomware—This malicious software can limit, prevent, block access, or publish information. Usually, some type of ransom is demanded to allow user access again.
  • Spyware—This allows an attacker to covertly gather information about user activity without being noticed. The data gathered could be used for malicious purposes by the attacker or a third-party attacker.
  • Adware—Adware is unwanted or unsolicited advertisement-supported software installed on a computer. It generally shows up as pop-up ads while using a web browser.

Next, let's look at the life cycle of malware.

The life cycle of malware

As with any good little monster, there are phases or stages we go through within this life cycle, as outlined here:

  • Stage 1—We create the malware. Anyone who has any type of programming knowledge can create a type of malware or worm. In fact, if you don't have that skill set, you can also use some cool things out there for script kiddies, such as a construction kit.
  • Stage 2—Replicate the malware, meaning that we need to get it onto a target machine, plan how we will do that, and make sure it gets implemented.
  • Stage 3—This is the discovery (or detection) stage: somebody discovers that something is on their machine or notices it is acting a little different or funny.
  • Stage 4—The resolution stage. This is typically done by the manufacturers of the antivirus products because they will try to create different types of defenses against the malware, and then of course they deploy those out.
  • Stage 5—The purging stage is when we eliminate the malware itself, and then the whole process starts over. This is because one piece of malware will not necessarily last the test of time. We're always creating new and improved ones.

As far as the malware itself is concerned, once we get to Stage 2, between replication and discovery, the malware goes through the following phases.

Phase 1 – Infection phase

Several different things happen during this phase. The malware replicates and attaches itself to the targeted file or program we specified when we created it.

The malware needs some way of launching itself, so we have what's referred to as an event. For example, let's set it up so that the malware fires off when someone installs an application, by infecting the startup files. Every time someone installs the program, the malware gets reinstalled. This is extremely prominent right now in the pirating world. You download pirated material; you may get a surprise!

We can also set up a startup setting that modifies certain sections of the registry to make sure the malware activates every time the system starts up.

Another thing we might implement, albeit a little old-school, is creating a terminate-and-stay-resident (TSR) program, which is basically where we hide the malware inside of memory, where it executes or waits for a trigger while sitting in random-access memory (RAM). In fact, there are some pieces of malware where you reboot the machine and they just get loaded right back into RAM again.

Phase 2 – Attack phase

The attack phase is where we see things such as corruption taking place. During the attack phase, the malware executes and does things to corrupt our files, such as deleting them completely, maybe going through and saying, Find all JPEGs and whack them, or Find all COM files and delete those, and anything else you can do to make the system unstable. I might have it alter the file contents, which could result in the system slowing down because the operating system (OS) doesn't understand how to handle the modified files. We can also execute tasks. This refers to having tasks performed that aren't related to the application at all. As you already know, the unexpected happening is a good indication you've got malware, meaning that the application did something it's not designed to do.

Phase 3 – Camouflage

This phase is where the malware will hide itself so that it can't be detected. In fact, some of the better malware has been written so that it doesn't execute until it has spread as thoroughly as it can, throughout the environment, host machine, or network, and then executes.

Next, we'll talk about how these pieces of malware get into the target systems.

How is malware injected into a target system?

There are several ways a piece of malware can get into your environment, as outlined here:

  • Untrusted sources for software—This not only applies to desktop platforms but also mobile devices. Apple once announced as many as 4,000 apps were infected by the XcodeGhost malware product. When searching for a piece of software on your PC—for example, WinZip—do you go to winzip.com or just click on the first link, which may not be the actual vendor? Of course, when end users see a popup such as this, they always hit Yes—they never hit No. Why? Because they want the software.
  • Installation—When installing a program, I always select Custom install. I never do a basic install. I'm always watching, and I never hit click, click, click, click. I take my time because many times, the application or the vendor is generating additional revenue by installing toolbars on your PC, which can lead to other malware infecting you.
  • Propagation—Once you get one, I guarantee you're going to start getting more.
  • Email attachments—Usually with malicious attachments.
  • Pirated software—This includes not just the pirated main software, but also cracks that claim to turn trial software into full products (some of them do work, while also injecting malware).
  • Disabling security products or firewalls—These actions will compromise any system's security.
  • Logic bomb—This is a type of malware that gets triggered when the conditions for its operation are met. Logic bombs can be activated by events such as a particular date, time, or system count. For example, if an attacker corrupted your computer with a remote access Trojan (RAT) and you attempted to remove it, the RAT may be programmed to activate and delete your files at that moment or the next time you boot up.
  • Not updating or running antivirus and anti-malware products—Antivirus doesn't catch all the malware, and anti-malware tools don't catch everything antivirus does. You need to use both. Not updating and running them is a huge detriment.

You can ask yourself the following questions to help you assess whether an application or process on a machine is suspicious:

  • Does it have an icon associated with it or is it a process that's running? Look at the description. Any reputable process, when the developer creates it, will list a description with it.
  • Does the application itself, or the process running, live inside of a Windows or user profile directory? It's important to know this because those directories are accessed by any user on the device.
  • Are there any weird Uniform Resource Locators (URLs) in their strings—especially if somebody sends you a link? Be careful about the latest trend whereby people are creating shortcut links to websites.
  • Also, look for any open Transmission Control Protocol/Internet Protocol (TCP/IP) endpoints where your machine is just listening on a port that you can't explain.

Now, let's talk about something really interesting—something that we see from nation-state organizations.

Advanced persistent threats

Advanced persistent threats, also referred to as APTs, should be a concern for any organization because they can damage not only resources but also your reputation.

What is an APT? Well, this is a type of network attack where the attacker gains access to your environment and then remains there for a long time without being detected. The term advanced is a representation of using technologies to exploit underlying vulnerabilities, the term persistent references the external command-and-control (C2) process that is continually pulling data and monitoring the victim's network, and threat signifies human involvement and coordination.

As I mentioned before, these types of attacks are extremely sophisticated. They involve well-planned and coordinated techniques, techniques that include things such as erasing evidence of our activities after we've done our evil tasks. The information that can be extrapolated by an attacker through an APT attack includes things such as classified documents, credentials for your users, personal information, network information, transaction information, credit card details, business strategies, and control system access.

Overall, the main objective is to try to obtain sensitive information, rather than destroying a network or sabotaging it. One of the best examples—and the most sophisticated piece of malware ever detected—was probably Stuxnet. This worm was used against Iran in 2010. Its complexity tells us that only a nation-state actor could have been involved with it.

Initially, this worm was introduced via infected Universal Serial Bus (USB) drives and contained three modules: a worm that executed the main payload, a link file that automatically executed the propagated worm copies, and a rootkit that hid all the malicious files. The worm itself went across the network, searching for the Siemens Step7 software on computers controlling programmable logic controllers, or PLCs. Once it found target machines, the malware injected its rootkit into the PLC and the Step7 software, modified its code, and sent commands to the PLC while displaying normal operations. This was specifically targeted against the centrifuges at Iran's uranium-enrichment facilities. The malware forced the centrifuges to spin very fast for 15 minutes, and then returned them to normal speed. Within 5 months of the attack, the excessive speed changes caused the centrifuges to break, resulting in the loss of about 1,000 centrifuges. So, yes—pretty sneaky.

APTs have different characteristics, and these characteristics are the how, what, and why attackers design and plan their attacks. Let's have a look at this more closely:

  • First, we have the objectives. The main objective of any of these types of attacks is to gather as much sensitive information as possible by gaining access to an organization's network. But it shouldn't be limited to that—we could also include spying for political or strategic goals as well.
  • There are also timelines, which refers to the time that is utilized by the attacker for looking at the target system for any vulnerabilities.
  • Then there are the resources—the amount of knowledge, tools, and techniques that are going to be required to perform an attack. These types of attacks, again, are more sophisticated and are typically performed by highly skilled attackers, and when it comes to APTs, to have those levels of resources, it really does point us a lot to nation-state actors.
  • There's also risk tolerance, which we define as the level up to which an attack remains undetected. This helps attackers to remain undetected on the network for extensive periods. There are also the skills and methods that are used by attackers to perform these types of attacks. This could include things such as social engineering techniques to gather information or even open source intelligence (OSINT) tools.
  • We then have the actions. This is what makes them different from other types of cyberattacks. Again, our objective typically is to maintain our presence, so we've got to make sure that whatever actions we're taking don't get flagged.
  • There's also the characteristic of attack points. This refers to the numerous attempts made to gain entry into a targeted network. To be successful in gaining initial access, the attacker needs to do a ton of research to, again, identify vulnerabilities.
  • Then, there are the numbers involved in the attack. Remember we talked about botnets earlier? Well, in the case of a government agency, they're going to have their own botnet, and these host systems will be used as part of APT attacks against either organized crime or other nation states.
  • Then, there's the knowledge source, which is defined as the gathering of information through online sources about specific threats.
  • We then have multi-phases. This is one of the more important characteristics for APTs—that they follow multiple phases to execute an attack, and typically, those include reconnaissance, access, discovery, capture, and data exfiltration.
  • Then we have tailoring to vulnerabilities. The attacker makes sure the code they create is written and designed in such a way that it targets the specific vulnerabilities present on the target network.
  • And then, we have multiple entry points. What this means is an attacker, once they've made their initial connection or entry, they're going to create additional entry points so if one gets discovered, they can still get back in.

Now, when it comes to APTs, it's important to note that they are very similar to zero-day exploits because they are going to be made up of malware that hasn't been available or existed in the wild before. The issue with Stuxnet was that it accidentally got released into the wild, and that's how we found out about it. But typically, it's going to be able to bypass all your security mechanisms, your firewalls, your antivirus, your intrusion prevention systems (IPSs), your intrusion detection systems (IDSs), and email spam filters because it hasn't been used before.

APT attacks are usually impossible to detect, but unexpected user account activities, the presence of a backdoor Trojan, or large amounts of data leaving the network or being transferred might be a warning that you have an APT somewhere on your network.

Next, let's talk about Trojans.

What is a Trojan?

A Trojan is a type of malicious software disguised or included with a legitimate piece of software. It's hiding inside. The reason we hide it is that it's easy to install. The easiest way to get something done is to have the user do it for us. When it comes to Trojans, some people get this confused.

The Trojan horse gets its background from Greek mythology about the Trojan War, where the Greeks attacked the city of Troy. At the end of the war, the Greeks came up with a final plan of attack—they would build a giant hollow wooden horse (and for some strange reason, they were sacred to Trojans), and the hollow horse would be filled with soldiers. The Trojans brought the horse into the city and when they went to bed, the soldiers came out, including Brad Pitt, all glistening, and they ransacked the city. That's basically the same concept here. We're going to have a legitimate program, but our Trojan will contain some type of spyware, keylogger, a rootkit, or some other type of program we can use to get back in. We're going to have the victim bring the software onto their computer. Once executed, the Trojan can relay information or steal the data outright.

As far as the life cycle is concerned, the following steps occur:

  1. We start off by creating the payload. This is the program we are going to design to do some specific things—for example, finding credit card numbers or personal information.
  2. After creating this payload, we take our legitimate programs, such as Office, the latest version of Windows, an mp3, a movie, or an antivirus.
  3. We inject the payload inside the legitimate program and put it out there via torrents, websites, or even a USB drop—dropping a USB thumb drive somewhere in the parking lot of a company or in the hallway of a company and waiting to see who plugs it in—or Internet Relay Chat (IRC) channels. This transmission method relies heavily on a social engineering concept, which is I want something for nothing—for example, if Microsoft just released the latest version of Office and you see it up on a torrent site, you download and install it. Why did somebody put that up on a torrent site?
  4. After downloading it, you simply install the program. As you install the application, the Trojan gets the same permission as the user that's currently logged in. It can then start modifying itself. There are Trojans that morph themselves to make it harder to detect them. They transmit themselves and start infecting other nodes inside of your environment.

There are many different types of Trojans—let's discuss them next.

Types of Trojans

It's important to understand and know the different types of Trojans and how they are used.

Notification Trojans

There are several different types of notification Trojans. The whole purpose of a notification Trojan is to send the IP address of the target it has infected back to the attacker. We can do that at different times or in different aspects, depending on the type of notification Trojan you have installed. Here are some examples:

  • IRC Trojan—This simply uses the IRC channels out there to communicate with the attacker.
  • PHP (PHP: Hypertext Preprocessor) notification Trojan—This Trojan sends its data by connecting to the PHP server the attacker owns or has pwned.
  • NetSend notification Trojan—This basically sends information or commands to the targeted machine via the NetSend command.
  • Internet Chat Query (ICQ) notifications—These are just different mechanisms or communication channels for the target to talk to the attacker and let you know, "Hey, I got installed". Remember—the purpose of a Trojan is mass distribution. So, I'm just sitting here waiting via one of these channels, whether ICQ or email, for my payload to report back to me.

Botnet Trojans

A botnet Trojan helps me combine multiple pwned systems together so that I can issue one command and control all the machines that have been infected with this Trojan simultaneously. One of the biggest targets for these types of Trojans would be educational, government, and military systems.

Another phrase you might hear when we talk about botnets is a zombie computer, which is simply a computer that's been infected with botnet Trojans. The attacker can bring these machines online at their whim to use them for things such as sending spam or launching a DoS attack against another company. The attacker, remotely with one command, can implement a DoS attack through their botnet. They could also use it for sending out mass mailings (spam) via Simple Mail Transfer Protocol (SMTP), or for click fraud.

We could also use it for stealing product keys, login identifiers (IDs), credit card numbers—all kinds of information. The reason why educational, government, and military systems are very popular for these types of Trojans is because of how many computers are in an educational environment, especially computer labs.

Proxy-server Trojans

A proxy-server Trojan starts proxying out for us once it gets loaded on our target, meaning the attacker can use the victim's machine or pass through it. We turn the victim's machine into a proxy server to make it possible for us to go after another target and get all the blame put on the first victim. It's like creating a proxy chain, and—believe it or not—there are thousands of machines out on the internet currently infected with proxy servers running as a hidden service on a machine without the end user or the enterprise admin knowing it.

FTP-server Trojans

If I can inject your system with this type of Trojan, I will install a File Transfer Protocol (FTP) server on your machine. Once it's been infected, the Trojan sends connection information back to the attacker almost like a notification, but we're simply going to use port 21 for that machine. And then, of course, at that point, the attacker will be given full access via the FTP protocol. They will also install additional malware to make it a little bit easier to get into the life cycle of a Trojan.

Again, the type of information an attacker can pull off a target machine would include things such as credit card information, confidential information, documents named password.docx, or email addresses, but as far as the connection is concerned, you'll just see an FTP service running.

Common Trojans

Let's review some common Trojans and what they can do.

VNC Trojan

A Virtual Network Computing (VNC) Trojan has two aspects to it, as outlined here:

  • First, we simply infect your machine with a VNC Trojan, which fires up a VNC server daemon. After the attacker is notified the VNC server is up and running, they simply hook into it with a VNC viewer with the password. VNC is extremely popular—a lot of IT people use it for remote administration. And because it's so popular, it's classified as a utility, and therefore, it's unlikely your antivirus will pick it up as being any type of infection.
  • Second, you can go on the internet and do a search for VNC software. If you've ever done that before, you know you'll get a plethora of cuckoo results. Obviously, not all of them are legitimate VNC products—most have been modified. There's RealVNC, TightVNC, and Chicken of the VNC, but the end user may not understand what they're doing, so as an attacker, I could create my own VNC, which basically has a built-in backdoor, and they just install it for me and, more than likely, with administrative privileges.

HTTP and HTTPS Trojans

Back in the old days, we used some pretty archaic technologies in order to gain access to resources—in particular, email. Back then, we had something—at least in the Microsoft world—called Outlook Web Access (OWA), which simply used HyperText Transfer Protocol (HTTP) and HTTP Secure (HTTPS) to allow me to gain access to my email. Microsoft and some other companies have taken that technology and made it in a way we could create a tunnel. The issue we have here is most of these tunnels are created on port 80 or 443. Using those ports to create a tunnel, the security administrator or specialists will simply see standard HTTP traffic or web browsing traffic—they have no idea it's a tunnel.

Once we infect the target, a Trojan is executed on that target and spawns what we refer to as a child. The child program simply appears to the firewall to be an ordinary web client, which then allows it to access the internet because it's going across ports 80 and 443. All the traffic gets converted to a Base64-type encoding and given a value in a Common Gateway Interface (CGI) string. This way, the attacker's commands are hidden from the security professional and, in most cases, security appliances. With that, an attacker can use HTTP/HTTPS-based commands such as GET: the GET request from the internal target acts as the command prompt of the shell, and the answer is an encoded ls command from the attacker.

As far as the administrator is concerned, when they open the connections to the attacker's server and try to connect to it themselves in an attempt to track this thing down, they just see a broken web server, because there's no token or password in their encoded CGI GET request. The kicker on this one is that the programs are relatively small. In fact, there are some out there that are under 300 lines per file. These types of Trojans are not limited to PCs. Lately, they infect any device using a web browser or having access to the internet.
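The tunnel described above has a defender-visible signature in web proxy logs: one client polling the same CGI path at a fixed cadence, with query-string values that are base64 decoding to shell output. The following Python is an added example (not from the book) that runs both checks over proxy log lines. The log format, the host cdn-updates.example, the shell-output marker patterns and the 30-second interval are constructed assumptions, and the sample log is built inline.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, quote, urlsplit

# Proxy log format assumed here: "<ISO timestamp> <client> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")
# Strings a decoded query value would only contain if it is carrying shell output
SHELL_MARKERS = re.compile(
    r"Directory of [A-Za-z]:\\|Volume in drive|[A-Za-z]:\\\S*>|uid=\d+\(|drwx[r-]"
)


def parse_line(line: str):
    """One log line -> dict, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, _status, _size = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method, "url": url}


def decode_if_base64(value: str):
    """Decoded text if value is well-formed base64 of printable text, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_tunnel_requests(lines):
    """Requests whose query-string values decode to something that looks like shell output."""
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        for name, value in parse_qsl(urlsplit(rec["url"]).query):
            text = decode_if_base64(value)
            if text and SHELL_MARKERS.search(text):
                hits.append({"client": rec["client"], "param": name, "decoded": text})
    return hits


def find_beacons(lines, min_requests: int = 3, jitter: float = 2.0):
    """(client, url-without-query, mean interval) for clients polling one path at a fixed cadence."""
    by_key = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        by_key[(rec["client"], f"{u.scheme}://{u.netloc}{u.path}")].append(rec["ts"])
    beacons = []
    for (client, path), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:  # near-constant interval = polling loop
            beacons.append((client, path, sum(gaps) / len(gaps)))
    return beacons


# --- constructed sample log (assumption; not a real capture) ---
def _b64_param(text: str) -> str:
    """Encode the way the tunnel would: base64, then percent-encoded for the query string."""
    return quote(base64.b64encode(text.encode()).decode(), safe="")

_PROMPT = "C:\\Users\\alice>"
_DIR_OUTPUT = " Volume in drive C has no label.\r\n Directory of C:\\Users\\alice\r\n"
_CGI = "http://cdn-updates.example/cgi-bin/check.cgi?id="
SAMPLE_LOG = [
    f"2024-03-04T10:00:01Z 10.0.0.15 GET {_CGI}{_b64_param(_PROMPT)} 200 512",
    f"2024-03-04T10:00:31Z 10.0.0.15 GET {_CGI}{_b64_param(_DIR_OUTPUT)} 200 640",
    f"2024-03-04T10:01:01Z 10.0.0.15 GET {_CGI}{_b64_param(_PROMPT)} 200 512",
    "2024-03-04T10:00:05Z 10.0.0.22 GET http://www.example.com/index.html 200 10240",
    "2024-03-04T10:00:09Z 10.0.0.22 GET http://www.example.com/search?q=dGVzdA== 200 2048",
    "2024-03-04T10:07:40Z 10.0.0.22 GET http://www.example.com/search?q=hello 200 2048",
]

if __name__ == "__main__":
    for hit in find_tunnel_requests(SAMPLE_LOG):
        print("tunnel?", hit["client"], hit["param"], repr(hit["decoded"]))
    for client, path, interval in find_beacons(SAMPLE_LOG):
        print(f"beacon? {client} -> {path} every {interval:.0f}s")
```

The benign `q=dGVzdA==` value decodes cleanly to "test" but carries no shell marker, which is why the content check and the cadence check are used together rather than alerting on base64 alone.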

Command-shell Trojans

These are Trojans that install a server on the target machine, which in turn opens a port for the attacker to connect to. Once the attacker connects to that server, they're given remote control of a command shell—hence the name command shell—on that target's machine. One of the most popular command-shell Trojans is Netcat. With Netcat, an attacker can open a full Telnet session into a shell on the target machine. They can create inbound and outbound connections using either TCP or User Datagram Protocol (UDP) and provide full Domain Name System (DNS) forwarding and reverse checking so that they are able to traverse your environment.

To avoid raising any suspicions, we can implement slow motion. Here, we slow down the speed at which we send information back and forth. That way, it makes it harder for the security specialists to figure out what's going on—very similar to using Paranoid mode with Nmap. When using Nmap to scan, you can put it in paranoid mode to prevent it from being too noisy or loud on the network.

Document Trojans

When it comes to document Trojans, what we're doing is simply embedding our Trojan inside of the document. We then send the document to people via email: "Dear Sir, Kindly find attached a new IRS form the government requires you to fill out to avoid being penalized." That sounded all official, didn't it? Believe it or not, a high percentage of people would click on that email attachment and of course, as an attacker, nothing is better than getting people to do my work for me. If it's a really cool, funny, or important document, they'll even forward the document for me.

Some of the biggest document Trojans out there right now exist in Portable Document Format (PDF) documents. Do me a favor—do not open PDF documents from people you don't know or from emails you are not expecting. I know this is a big list of things to remember not to do, which does interfere with our day-to-day productivity, but one of the bigger Trojans out there is the email-based Trojan. This bad boy fires off as soon as you open an email, and then it sends the commands via email back and forth to the Trojan. Those commands can include executing applications, searching for files, or opening files, as well as showing the attacker files on the victim's system.

Remote-access Trojans

Remote-access Trojans (RATs) are my favorite, and there are countless ones out there. The more famous ones are relatively old, such as Back Orifice and NetBus.

Most of the RATs today are custom-made. In fact, recently, the latest RATs allow the attacker to turn on the victim's webcam. That's why I have a little cover I put over my webcam, just as a precautionary mechanism.

So, with a RAT, what we're doing is simply installing a small application on the target machine. This is known as the server side. The attacker hits that server from the outside to get remote access. From that point on, they can affect administrative controls, raise privileges, implement a keylogger, and so on. And there are several preconfigured RATs out there including DarkComet, Apocalypse, and Beast.

Backdoor Trojan

This is a program that can bypass most of the system security products you have in place, such as IDSs and firewalls. In these types of attacks, a black hat—a bad guy—uses a backdoor program to access the target system. The difference between this type of malware and other types is that the installation of the backdoor is done without the user's knowledge; they don't recognize it's being done. This allows the attacker to perform all types of activities on the target, including transferring, modifying, and corrupting files, installing malicious software, and rebooting the machine—all kinds of fun things. Backdoor Trojans are often used to group victim computers together into a botnet or zombie network, which can then be used against other targets.

So, what's the difference?

Now, you may be wondering, what's the difference between a RAT and a traditional backdoor? A RAT has a user interface (UI), but a backdoor doesn't. One RAT that will make the hair on the back of your neck stand up is the Poison Ivy RAT kit. It consists of a graphical UI (GUI), and the backdoors are really small—like, 10 kilobytes in size. Good luck finding that! Once the backdoor is executed, it copies itself into the Windows folder or the Windows system32 folder. As the creator of the backdoor, you get to choose the filename and the locations it copies itself to.

There are some variations of Poison Ivy that can copy themselves into alternate data streams (ADS). If you're not aware of these, read about system hacking and look at ADS.

You can also create a registry entry for the backdoor so that it starts up every time the computer is booted. The server, when it connects to the client, can use the address you defined when you created the server part. The communication between the server and the client is encrypted and compressed.

Poison Ivy can also be configured to inject itself into a browser process before making any type of connection, so that its traffic bypasses the firewall.

Ransomware Trojans

I'm sure you're aware of how evil, bad, and wicked ransomware is. If you're not, you should be.

This type of Trojan can do several things, from encrypting the files stored on your system's hard drive to simply locking the system and tricking the user into thinking they need to pay. This is typically done through a web interface or a web page that pops up with no toolbars or address bar and gives them a link they must follow to make a payment. It tells them their system has been encrypted, but it hasn't really. Payments are made in Bitcoin, making it hard to track down the attacker.

Mobile Trojans

I know you can't take any more, but there's more. You thought your phone was safe? No. An attacker can trick victims into installing malicious applications, and once the victim downloads the malicious app, the Trojan goes to work, doing things such as grabbing your banking and social networking credentials, encrypting your device, and so on.

Next, let's look at the motive behind executing these attacks.

Trojan creators' goals

So, what's the goal when it comes to what the Trojan creators are after? Initially, they are after an endgame, which includes any of the following or a combination of them.

Disabling the firewall

The first thing they may be after is to disable your firewall. Have you ever seen a firewall that won't enable? Often, people tell me they disable it anyway. Firewalls make it harder for us to configure things, but disabling one is just being complacent.

Deleting the OS

Another endgame option would be to replace or delete OS files. Suppose I can replace an OS file with my Trojan, and my version does exactly what the original did—let's say Notepad, for example, or, better yet, an executable the OS uses all the time. Then, every time you launch it, my Trojan runs and repopulates itself, especially if you've deleted it. If I'm trying to be destructive, I might simply delete some very important OS files.

Opening a backdoor

Another goal might be to open a backdoor: create a Trojan, put it on the internet, and wait for somebody to launch it, effectively opening the back door for me. In many cases, this gets rid of all the work of having to go and do reconnaissance and footprinting.

Disabling the antivirus

Why do malware creators disable the antivirus? Because they don't want to be detected. And when I say disable, for both the firewall and the antivirus, I mean you cannot re-enable it. In fact, one famous trick by attackers involves the antivirus icon. When most antivirus products are disabled, you get a specific-looking icon. Remember the trick of replacing and deleting OS files? How about if you just replace the disabled antivirus icon with one that looks like it's enabled?

Turning the target into a proxy

Another goal might be to turn the target into a proxy so that the attacker can issue attacks on other machines within your network. You would just think the machine was Dick Grayson's, creating the traffic on your network and grabbing up stuff. I might even go down the road of adding you to my botnet. If you're not familiar with botnets, do yourself a favor and do some googling. A botnet is an army of systems that I, as an attacker, have infiltrated and taken control of; at a specific time and date, I can have all my botnet members carry out a specific command, such as attacking Citibank or sending out spam email messages. And the real kicker is, I will do this late at night when you're asleep and your system is just sitting there.

Generating bogus traffic

The Trojan creator can generate bogus traffic on your network to create a DoS attack because sometimes, the motivation of the attacker is to cause disruption. Many times, that disruption is designed to create problems for that company. Other times, it could open vulnerabilities if I overload the system with too much traffic.

We could also use it to download and install additional spyware, malware, and adware. Think about all the toolbars out there you've seen. Every toolbar installation gives me the option of a custom install or a quick and easy install. Please—whatever you do, don't ever choose the quick install! Don't be lazy. Take the custom route so that you can see what's happening. If you do select the quick install, it could also say "Please install XYZ toolbar", because the attacker probably gets an affiliate fee for every installation of the XYZ toolbar and all the traffic it generates. It's a money-making venture for the attacker. As an attacker, if I can get you to install additional spyware and malware, sometimes even without your knowledge, I'll make more money.

Grabbing screenshots

Another goal is grabbing screenshots, especially when the target logs on to a financial website. As an attacker, I can get my Trojan to start recording video from your webcam, and no—the webcam light won't come on, because I will turn it off so that you will not be able to tell. If you don't think that's dangerous, ask the Miss Teen USA who opened an email and clicked on the link she had been socially engineered to click on. The link installed a Blackshades application, and the attacker proceeded to capture video from her laptop of her during some personal moments. The attacker then tried to extort her, demanding a nominal fee in exchange for not revealing the captured pictures to the rest of the world.

The attacker turned out to be her 19-year-old former high-school classmate. He was arrested and charged with multiple crimes, not only for extortion but for taking control of someone else's computer remotely without their permission, which is a federal crime.

Stealing passwords and personal data

Stealing passwords, codes, financial data, and personal data is one of the things I would also do. In fact, if I were an attacker, I would use my Trojan to search your computer for any document named password, passwords, or pwds, because most IT people write down their passwords digitally. Attackers love it when IT people do that! An attacker will also look for documents that may be named network layout or spreadsheets named user accounts or employee information. I know you want to stop reading right now to rename all your files, right?

Targeting you for spamming

We could also use you as a target for spamming. If all else fails, I'm going to use your resources to send my Trojan to all your Outlook clients. Have you ever gotten an email from a friend that says, "Hey, I found a cool link, click here"? If you did click on the link, you got pwned.

Let's talk next about how a Trojan does what it does.

How Trojans communicate and hide

Let's take the hiding mechanism first. When we build a Trojan, we're going to attach it to a legitimate piece of software. So, technically, there are two different communication paths to a Trojan, as outlined here:

  • The first one is an overt channel. Overt is something explicit, evident, or obvious. So, overt would be something such as the newest version of Office, or an mp3 file that everybody wants. An attacker must make the overt channel enticing for you to want to install it. And this is what happens with malware, and that's why there are so many pieces of malware out there.
  • The second channel is the illegal side or the covert channel. It's the hidden path that is used to transfer data across the network. It's built into our payload. Most attackers will rely on the tunneling technique to make sure it's not visible to somebody monitoring the network. Maybe, as an attacker, I tunnel it across HTTP or HTTPS so that you can't see it—at least, anybody monitoring the network can't see it—because it gets encrypted. You may want to make sure you understand the differences between these two channels.

There are a plethora of ports used by different Trojans, and this is just a partial list. You'll notice that some of them utilize ports you would not suspect—for example, port 21 for BladeRunner. Typically, that's FTP. Port 80? The Executioner Trojan uses that one. What else runs on port 80? One of my favorites, and very appropriately named, is port 666. That's Satan's backdoor…

Again, this is a partial list—you need to be doing research and finding out about the newest Trojans and which ports they're utilizing, and when you see traffic going across such a port, you need to investigate. I know that's hard, especially on port 80. One of the things you will definitely want to do if you suspect a system has been infected by a Trojan is a fresh reboot of the system, after which you look at which ports are currently listening. There are actually different states for ports. When a port is in the listening state, it's there because the system put it in that state to listen, or to wait, for a connection from another system.
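A practical way to do the reboot-and-look check above is to keep a known-good listing of listening ports and diff the post-reboot listing against it. The script below is an added example, not from the book: it parses constructed `ss -ltnp`-style output, flags ports that are new, have changed owning process, or sit on the watchlist of ports named in the text (21, 80, 666). The baseline, the process names and the PIDs are all constructed.

```python
"""Diff listening ports after a reboot against a known-good baseline.

Added example (not from the book).  Input is constructed `ss -ltnp`-style
output; the baseline, process names and PIDs are assumptions, not a real host.
"""
import re

# Constructed baseline captured on a clean host (assumed).
BASELINE_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=901,fd=7))
"""

# Constructed listing after the fresh reboot: two new listeners appeared.
AFTER_REBOOT_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=815,fd=3))
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=902,fd=7))
LISTEN 0      10     0.0.0.0:666        0.0.0.0:*         users:(("updater",pid=1337,fd=4))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=1400,fd=6))
"""

# Ports the text associates with known Trojans; extend from your own research.
WATCHLIST = {
    21: "BladeRunner (normally FTP)",
    80: "Executioner (normally HTTP)",
    666: "Satan's backdoor",
}

# LISTEN <recv-q> <send-q> <addr>:<port> <peer> [users:(("proc",pid=N,...))]
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+'
    r'(?:\s+users:\(\("([^"]+)",pid=(\d+))?'
)


def parse_listeners(ss_output: str) -> dict:
    """Map TCP port -> {"addr", "process", "pid"} for every LISTEN line."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a line in another state
        addr, port, proc, pid = m.groups()
        listeners[int(port)] = {
            "addr": addr,
            "process": proc or "?",
            "pid": int(pid) if pid else None,
        }
    return listeners


def compare(baseline_output: str, current_output: str) -> list:
    """Return [(port, process, [reasons])] for every listener worth a look."""
    base = parse_listeners(baseline_output)
    cur = parse_listeners(current_output)
    findings = []
    for port, info in sorted(cur.items()):
        reasons = []
        if port not in base:
            reasons.append("not in baseline")
            if info["addr"] in ("0.0.0.0", "*", "[::]", "::"):
                reasons.append("bound to all interfaces")
        elif base[port]["process"] != info["process"]:
            reasons.append(f"process changed from {base[port]['process']}")
        if port in WATCHLIST:
            reasons.append(f"on watchlist: {WATCHLIST[port]}")
        if reasons:
            findings.append((port, info["process"], reasons))
    return findings


if __name__ == "__main__":
    for port, proc, reasons in compare(BASELINE_OUTPUT, AFTER_REBOOT_OUTPUT):
        print(f"port {port} ({proc}): {'; '.join(reasons)}")
```

On Windows the equivalent raw data comes from `netstat -ano`, whose columns differ, so only the line parser needs swapping.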

Next, let's look at some of the symptoms of Trojan infection.

Symptoms of Trojan infection

How can you tell if you have a Trojan? Well, this is like asking: How do you know when you're getting sick? We get symptoms, right? When it comes to a Trojan, I say: "Oh, this is way too late, you're already infected."

Disabled antivirus

If your antivirus is disabled and you can't enable it, there's a chance you have a Trojan infection. In fact, I've seen Trojans that make it so that you can't run your updates through Microsoft Update, you can't launch Task Manager to see which processes are running, or you can't edit the hosts file. Every time you try to open Command Prompt, it shuts right back down.

Keys failing

You might also see things such as the Ctrl + Alt + Del keys failing to work altogether. Often, the user will simply reset the PC; at the login screen, Ctrl + Alt + Del works, but as soon as they log in, it stops working, and they think there's something wrong with the software.

System restart and shutdown

Another thing that is likely to happen is that your system will just restart or shut down all by itself. If you have ever experienced that, you know the reason now.

Changing screensaver

The other common symptom is that your screensaver just arbitrarily changes. Maybe there's something displayed that you would never have chosen.

Disappearing taskbar

Your taskbar could also disappear on you. This can be caused by a Trojan, or possibly just me visiting you because I'm a wanted man at the local Sam's Club or Costco. When I get bored, my wife drags me off there to go shopping and I eat all the free samples, which, if you think about it, are nothing but social engineering. After I'm full on the free samples, I go over to the computer section and start playing around with some Group Policy Object (GPO) settings to take away the taskbar or Start button or find out what's going on with the system. One of my favorite things to do is making a print screen of the desktop, saving it as the background, and hiding all the icons, except for the Recycle Bin. There's probably a security photo of me in the employee break room that says, Watch out for this guy!

Screen orientation keeps changing

Another symptom of infection could be when you turn on the machine, the screen comes up and suddenly it starts flipping around or inverts.

Background changes

Sudden background changes are another symptom of Trojan infection. As you are working in your OS, everything could be working just fine, and suddenly, your background changes. It might be a photo of your cute little puppy, and you may think it's cute when it happens, but you need to find out why it happened.

Start button disappears

The disappearance of the Start button is another sign of Trojan infection. Imagine the frustration when you take away the Start button and the taskbar and disable Ctrl + Alt + Del. A good Trojan, even though some of these were initially designed for entertainment purposes, is one you don't suspect is installed, so you don't necessarily see these things taking place. You might just see the system rebooting, because maybe I needed a reboot for the configuration changes I made.

Redirection

This symptom could include things such as your browser going somewhere other than what you've typed. For example, you type in microsoft.com only to end up on an inappropriate website. Again, the attacker just made money off you because they get paid for everybody who gets directed to that site.

DVD drive ejects

Another symptom is the DVD drive ejects randomly out of the blue, or you hear it spin up.

Documents printing

Documents might also start printing, and they will not be documents you sent to the printer.

Reversed mouse buttons

Your mouse buttons could also get reversed. An attacker could get people all confused with this one.

A lot of hard drive activity

A lot of hard drive activity is another telltale sign of infection. Look at your system when nobody's using it. Sometimes, we might see hard drive activity because the system is doing defragmentation, system maintenance, or backup. But knowing is half the battle. If there's a lot of activity with the hard drive or network and I'm just reading a Word document, I might be a little suspicious. Most of the maintenance tasks that OSs perform will wait until the system is not being used.

A lot of traffic

Another common symptom is that your internet service provider (ISP) calls you to say: Listen, you've got a lot of traffic coming from your router. This is something I had to deal with when I had my own ISP service. I had people get infected all the time, and I would see a ton of traffic coming out of their antenna that would start flooding our network and I had to shut off their antennas. I always thought it was interesting when I tried to contact them—I could never get ahold of them, but as soon as I disconnected their internet, within 2 minutes, people would call me.

Unknown credit card transactions

The mother of all symptoms is getting your credit card bill and there are some really weird and expensive purchases.

Next, let's talk about how we infect a target.

How to infect a target with a Trojan

There are three steps to create these little monsters, as follows:

  • Step 1—We will need some type of toolkit to create them for us. There are many products we can use, including Kali Linux, which has a whole lot already built into it. There's a Trojan Horse construction kit out there, but you can just use some basic technologies that are built into the OS. For example, I can quickly create a script or a batch program that would do some damage—in the case here, delete a lot of important system files—and then use it along with my legitimate program. You can do it as you like, but the concept of this step is that you're creating the damage you want to cause.
  • Step 2—Create a dropper. Here, we basically take the monster we've created and tell it how to install itself utilizing the desired or legitimate program.
  • Step 3—We are ready to take our monster and turn it into a cute little teddy bear. "Go ahead, double-click on it—he won't hurt you!" We will combine the two together by doing wrapping. This is software we use to combine the two programs together. There are a couple of programs out there you can utilize, including Petite, Graffiti, EliteWrap, and I'm sure you might have your favorites too.

The concept behind the wrapper is to be able to take those files and combine them. We can also combine multiple monsters together so that when somebody installs the latest antivirus, Office suite, or any other free software they downloaded from a pirated site, they're going to get multiple Trojans installed. Some of these wrappers can also compress the binary, making it possible for the Trojan to get in without being detected by most antivirus software, because most antivirus software is unable to match its signatures against a compressed file. Simply refusing to execute unknown programs won't save you either, because most of the time, the infection takes place via a socially engineered attack. For example, I will send you a file that contains adult material or a cool program, such as a new screensaver.

More than likely, though, a lot of these Trojan infections come in via email, either as attached files or as links to files. I always tell people that when they get an email, they should never click on links, because the link might look like it's taking you to some type of cloud storage company such as Dropbox or OneDrive, but the code behind that link could be taking you to a different location.

Many times, we're being socially engineered, especially our end users. They get socially engineered all the time by pop-ups, and usually, it's done in a way designed to scare the end user or play on the greed factor. What's interesting with pop-ups is that whether you hit Yes or No or click anywhere on the pop-up window, the click could inject the Trojan. In fact, there are really tricky ones where the pop-up ad looks like a window, with Close, Minimize, and Maximize buttons in the standard upper right-hand corner (or the left corner for Apple users), but guess what? I can make a web page look like that interface, but those are not real buttons. If you click on one, the window will close but still go ahead and inject the Trojan.

With some of the more popular ones, a user would go to a malicious website or just pick up a piece of malware that would display an interface looking like some type of system application trying to protect them. Many times, it would report false positives, pretending it was helping you out when in fact it was just installing more Trojans and pulling more information off your system.

The big one in 2015 was a product called Crypto Blocker. Whoever came up with it needs to be put in a padded room in a maximum-security prison, because it would encrypt your drives and data, including any mapped drive. We refer to this as extortionware because you had to pay them money to get the decryption key and, of course, the odds are they would drain your account. Or, they might use the fear technique: "Oh, my computer's been locked. There's something wrong with my OS; I don't want to get in trouble. If I want to unlock it, I'd better pay $200. And I have 72 hours to take care of this, or else I'm going to be in trouble!"

They could also say your IP address was used to visit websites containing pornography, child pornography, zoophilia, and child abuse—that your computer has those files on it. Sometimes, they would indicate you've been sending out spam messages to terrorists. This was a famous one for scaring people into paying for something when they weren't guilty of anything.

Just recently, emails have been going out saying: "Hey, you can upgrade for free—just click here." The email looks like it's from Microsoft—it has their logo and their address on the bottom. All you need to do to upgrade for free is follow the attached installer and get started. Well, you will just get started giving up your data.

Let's discuss how Trojans get into systems next.

How do Trojans get into our systems?

Trojans will get into your system in several different ways.

Physical access

As an attacker, I can implement a Trojan via physical access. If I have my Trojan built into a thumb drive that I've dropped and somebody has picked up and plugged in, I'll have an auto-start in there that injects the Trojan. I could also inject it if somebody walks away from their system without logging off.

Email

Another way Trojans get into our systems is via email. You may be thinking, "Well, I'm not going to open up an email from somebody I don't know." Okay—go back and think about what we've covered this whole time. As an attacker, I can very easily spoof. Let's say that Bruce Wayne sends Clark Kent emails all day long. If I've done my due diligence, I could simply create an email, make it look like it came from Bruce Wayne, and trick Clark into double-clicking on this file. It happens all the time. In fact, at least twice a month if not a week, I get emails from family members saying, "I thought you'd be interested in this", and there's a link, and that's all there is in the email.

Fake application

Another way into a system is via a fake application. So, you're out there looking for an application that helps you organize your garage. All you do is put in the dimensions of your garage or carport area, and it's supposed to help you organize it—at least, that's the promise. Well, the victim goes and downloads the program, and when they double-click on it to install it, they mark it as being trusted because they want the program so badly.

In fact, there's an interesting one I've seen out there many times. It mostly deals with mp3s: kids go out and say, "Hey, I'm looking for this hit song", and they do a standard Google search that shows a site claiming to have that file, but the site really doesn't have it. Attackers are extremely creative in how they lure someone into a trap. An attacker takes popular search terms and leads people into thinking the file is on their site, but it's not. You go to download the file, double-click on the mp3, and the Trojan executes. Sometimes, you might not see anything happen, or if they're nice, you'll get the song.

My favorites are programs that call themselves anti-Trojan software, yet they are in fact the Trojan. Make sure that you do your research on the programs you're installing.

Using torrents

You're in trouble if you watch videos from a torrent site thinking you got them for free. As I always say…nothing is free out there. More than likely, someone is using your greed to pwn you.

Freeware

There are some cool freeware products out there—for example, VNC. It's great, but make sure you download it from the right place because there are hundreds of sites out there that say: "This is the website for VNC—this is where you download it."

Shrink-wrapped software

The software could have Trojans in it. More than likely, this is done by a disgruntled employee who's thinking: "Man, I could totally pwn thousands of people because everybody wants a copy of this program." Large software companies have quality assurance (QA) mechanisms in place to stop that from happening, but that's not to say all software vendors take the same precautions.

Viruses

Many times, viruses will execute and install additional Trojans for us. In fact, there are times Trojans will help to install viruses. At this point, usually, most people think they need to go back and format their hard drive and start all over.

PDFs

Do yourself a favor—google Trojans PDF documents or just PDF. PDFs are horrendous right now because everybody puts up PDFs. You want a white paper? Yes—open that PDF and watch exploits from some of the PDF readers kick in, and somebody ends up getting into your system.

How Trojans avoid being picked up by antivirus

Trojans can evade antivirus. Now, I'm not telling you antivirus is your solution or your countermeasure. These are just ways to avoid being picked up by antivirus, and there are several different ways we can do this, such as these:

  • Changing the checksum of the file itself because most antivirus programs will look at the checksum of known viruses and Trojans.
  • Writing your own Trojan is another way you can avoid being picked up by an antivirus. That would technically make your Trojan a zero-day attack mechanism.
  • Using a hex editor to make modifications will help hide your Trojan from antivirus software.
  • You can also break the Trojan into multiple files because most antivirus programs are looking for specific files that represent the Trojan. By breaking it up, it would never be detected.
  • We can also modify the syntax. A lot of antivirus programs are looking for specific syntaxes within the Trojans themselves and, of course, one of the best things to do—this goes back to writing your own Trojan—don't ever use Trojans that have already been identified by antivirus products. Always do a little bit of research.

Next, let's discuss viruses and worms.

Viruses and worms

So, what's the difference between a virus and a worm? Well, to look at these, we need to compare what they are designed to do. Some people say we're comparing apples with apples because these two are really close to each other. However, when it comes to a virus, you need to understand it's simply a piece of malware that's designed to execute. When it executes, it likes to associate or attach itself to a file or program.

Those files and programs could be almost any file or program, but as a virus creator, I want to make sure the virus executes every time the OS fires up. So, many times, the virus creator will make sure it replaces system files, so that every time the OS boots up, the machine is infected again.

We can also infect other types of files or programs. For example, I can make my virus attach itself to Word, but that virus would only become active once the application is launched.

One of the biggest differences between a virus and a worm is that, to execute, a virus requires some type of human interaction. Isn't that the case with a real virus? You don't get sick unless you meet somebody that has the virus. So, how do we get in contact? Typically, viruses are transmitted via downloads. I am a big proponent of not downloading programs, no matter how cool you think they may be or how bad you want them, unless they're coming from the manufacturer. This includes movies, music, books, games, and videos.

We can also get or transmit viruses via different types of drives. Today, most of this is done by USB drives. Remember the classic USB drop whereby we drop a USB drive in a parking lot or in a hallway and have someone plug it in? The victim might see a file in there named TopSecretDon'tRun.doc, and out of the same curiosity that killed the cat, they will execute from the USB drive, and they infect the machine.

A more productive way of transmitting viruses today is through email or social media. You just post things on social media sites that direct users to websites with malicious code injected into them. The email could also just include an attachment.

When it comes to worms, there are some very strong similarities to viruses. They still want to attach themselves to something, but they copy themselves and replicate all on their own. They don't require any humans; they just execute by themselves. So, if one machine in your environment gets infected, the worm starts working its way throughout your network environment. It does this through a vulnerability: it starts looking for vulnerabilities within your network. As far as transportation or transmission of worms is concerned, they still enter the environment via the same techniques as viruses, but once inside, the worms—because they're all automated—use our standard file transport features to hook into multiple machines or all the machines within our network, sometimes even outside of our network.

One of the worst worms was SQL Slammer, which was created as a DoS attack and slowed down internet traffic. It attacked Microsoft SQL, both the server and the desktop engine database.

SQL Slammer infected 75,000 machines within 10 minutes. Now, I mentioned that SQL Slammer was a DoS attack and it slowed down the internet. The reason for this slowdown was that it caused routers to be flooded with traffic from the infected servers.

Normally, when a router gets a lot of traffic, the router is supposed to delay or temporarily stop network traffic. Instead, the routers crashed. When this happened, neighboring routers would notice these routers had stopped and would update their routing tables. So, those routers started sending update notices to the other routers they knew about. Because the routing tables were being updated so fast, with so many nodes being infected, additional routers failed too, as the bandwidth was consumed by routers trying to communicate with each other to update their tables.

Now, this was so bad that stats show 300,000 cable modems in Portugal went out. South Korea basically went dark: no cell phone or internet service for over 25 million people, and 5 of the internet's 13 root name servers went down. Websites stopped responding, automated teller machines (ATMs) went down, and airline ticketing systems went down. For those of us in the United States (US), it hit at about 12:30 a.m. Eastern Time on January 25, 2003, and in its first minutes the number of infected hosts doubled roughly every 8.5 seconds.

This was a wake-up call to many, especially companies, and many started looking at security or at least protecting themselves with patches.

Types of viruses and worms

You can definitely say there is a plethora of viruses and worms. I often think of the phrase "Daddy, make the bad man go away" when I start to see all these things because they come at you from different angles, and they do different things.

Standard file virus

These viruses execute when a file they have attached themselves to is run. There are tons of different file viruses out there, and they typically target executable files such as .exe and .com files. We can categorize them by how they attach to the host. Prepending viruses write themselves to the beginning of the host file code, so they run first. Appending ones write themselves to the end and patch the program's entry point so they still run first. Overwriting ones simply replace the host code with their own, which destroys the program and makes the infection obvious. Inserting ones inject themselves into gaps within the host file code.

Most of these types of viruses target OS files specifically, because those run on every boot and rarely get deleted.

Cluster virus

A cluster virus doesn't change the targeted file or put any information inside the file. Instead, it modifies the directory information (on FAT volumes, the directory entry that says where the program starts on disk) so that the entry point for every program points to the virus code. The virus runs first and then hands control to the actual program, so everything appears to work.

Boot sector viruses

A hard drive is divided into sectors, and the first sector of the drive is the Master Boot Record (MBR). It holds the small piece of code the firmware runs first and the partition table that says where each partition lives. The way I picture the MBR is the card catalog from back in my day at the library: a big, huge box full of drawers, and inside the drawers were index cards. If I wanted to find a book on unidentified flying objects (UFOs), the cards would list the titles and a location, such as Section 104.5, and I would go to Section 104 and look for the book in the .5 section. The partition table does the same job for the drive: it tells the system where everything is. If I corrupt the MBR, the data is technically still on the disk, but the system can no longer find it or boot, and most users have no idea how to rebuild the record, so practically speaking, say goodbye to your data.

The DOS boot virus

The DOS boot record (DBR), also called the volume boot record, is the first sector of a bootable partition, and its code runs every time the OS boots. That makes it another place we can attack. With a boot sector virus, we copy the original boot sector (the MBR or the DBR) somewhere else on the disk and write our own virus code in its place.

When the machine boots, the firmware runs our code first because it now sits in the boot sector. After the virus has installed itself in memory, it jumps to the copy of the original boot record we moved, so the OS continues to launch normally, but from that point on, the whole system is infected.

Polymorphic virus

This is a little scary, and you might see something about this type of virus in your future exam. Polymorphic viruses change their own code to avoid detection. The morphing or mutation is done by a polymorphic engine, also called a mutation or mutating engine. The engine encrypts the virus body with a new key and, crucially, rewrites the decryption routine and its instruction sequence for every infection, so there is no constant byte string left for a signature scanner to match. That makes it much harder for antivirus products to catch a new sample before they have had a chance to analyze the family.

Metamorphic viruses

These viruses rewrite themselves completely each time they infect a new file. So, talk about Skynet: these bad boys reprogram themselves by taking their own code, translating it into an intermediate representation, and then generating new machine code that does the same thing with different instructions. One of the best-known ones was Simile (also called Etap), written in assembly language; about 90% of its code was rewritten every time it infected a new machine, so there were a bazillion renditions of the Simile virus.

Zmist

Zmist used a technique called code integration: it decompiled the host program, inserted its own code among the host's instructions, then regenerated the code and rebuilt the executable. Talk about a smart virus!

Cavity-based viruses

Also known as space fillers, cavity-based viruses look for unused space inside a host file, for example, the runs of null bytes that pad the sections of an executable, and write themselves into those gaps. Take a file that is 1.5 megabytes (MB) in size: the virus installs itself in the unoccupied space without increasing the length of the file and without destroying any of the original code, so the usual file-size tell is missing. Luckily, these types of viruses are very difficult to write, therefore we don't see them often.

Encryption viruses

You can pretty much guess what these bad boys do, right? For each file they infect, the virus body is encrypted with a different key, so the bytes of the body are different in every infected file, and a scanner can't detect the virus by a signature taken from the body. The catch for the attacker is that the virus has to include a small decryption routine in the clear so that the body can be decrypted and run, and that routine is the same in every copy. Antivirus products therefore take their signature from the decryptor, or emulate it to recover the body. That weakness is exactly what polymorphic viruses fix by mutating the decryptor as well.
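To make the difference between an encryption virus and a polymorphic one concrete, here is a small Python simulation. This is an added example, not code from the book; the payload is an inert constructed byte string, the stub bytes are illustrative 16-bit x86 encodings that are never executed, and the filler instructions stand in for the output of a hypothetical mutation engine. It shows that two encrypted copies with different keys still share the decryptor byte-for-byte, that a polymorphic copy doesn't, and that emulating the decryptor recovers the same body in every case.

```python
import random

# Constructed, inert stand-in for the virus body. Nothing in this file runs as code.
PAYLOAD = b"CONSTRUCTED PAYLOAD: stands in for the virus body"

# The decryptor stub as a list of instructions (illustrative 16-bit x86 encodings).
# Every encrypted copy must carry this logic in the clear so the CPU can run it,
# and that is exactly what a string-signature scanner keys on.
STUB = [
    b"\xbe\x00\x00",                               # mov si, <body offset>
    b"\xb9" + len(PAYLOAD).to_bytes(2, "little"),  # mov cx, <body length>
    b"\x30\x24",                                   # xor [si], ah   (ah holds the key)
    b"\x46",                                       # inc si
    b"\xe2\xfb",                                   # loop back to the xor
]
FIXED_STUB = b"".join(STUB)

# Filler a polymorphic engine can sprinkle between real instructions without
# changing what the stub does: nop, xchg ax,ax, mov ax,ax, two nops.
JUNK = [b"\x90", b"\x87\xc0", b"\x89\xc0", b"\x90\x90"]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encrypted_infection(key: int) -> bytes:
    """Plain encryption virus: new key per infection, decryptor identical every time.
    Layout: [key][stub][encrypted body]."""
    return bytes([key]) + FIXED_STUB + xor_bytes(PAYLOAD, key)


def polymorphic_infection(key: int, seed: int) -> bytes:
    """Polymorphic engine: same decryption logic, but the stub is regenerated per
    infection by interleaving filler, so no fixed byte run survives to be signatured."""
    rng = random.Random(seed)
    out = bytearray([key])
    for insn in STUB:
        out += insn
        for _ in range(rng.randint(1, 2)):  # always at least one filler after each instruction
            out += rng.choice(JUNK)
    out += xor_bytes(PAYLOAD, key)
    return bytes(out)


def signature_hit(sample: bytes, signature: bytes = FIXED_STUB) -> bool:
    """What a string-signature scanner does: look for the constant decryptor bytes."""
    return signature in sample


def emulate_and_recover(sample: bytes) -> bytes:
    """What an AV emulator does instead: reproduce the decryptor's effect and inspect
    the plaintext body, which is identical across every variant of the family."""
    key = sample[0]
    return xor_bytes(sample[-len(PAYLOAD):], key)


if __name__ == "__main__":
    a, b = encrypted_infection(0x5A), encrypted_infection(0xA3)
    print("encrypted bodies differ:", a[-len(PAYLOAD):] != b[-len(PAYLOAD):])
    print("decryptor signature hits both:", signature_hit(a) and signature_hit(b))
    p = polymorphic_infection(0x5A, seed=1)
    print("decryptor signature on polymorphic copy:", signature_hit(p))
    print("emulation still recovers the body:", emulate_and_recover(p) == PAYLOAD)
```

Run it and the byte-string signature hits both encrypted copies and misses the polymorphic one, while the emulated body compares equal each time. That is why modern engines emulate or unpack before matching instead of relying on byte strings alone.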

Camouflage

This is an old, tricky one, sometimes called a companion virus. If you had a program called word.exe, a camouflage virus would create a second file named word.com, and, of course, that file would be the virus itself. Anybody who knows DOS knows the order in which these files execute. If you have three files all called Batman (batman.com, batman.exe, and batman.bat, a batch file) and you go to a DOS prompt and type batman, what executes? Well, if you're an old DOS dog like me, you'll know the .com file runs first, followed by the .exe, and then the batch file. So, by creating word.com next to word.exe, if somebody types word, the .com edition with the virus executes automatically, and a polite virus then launches the real word.exe so nobody notices.

Shell viruses

This virus code forms a shell around the actual program code, so the virus becomes the program that runs first and the original host code becomes a subroutine it calls.

Tunneling viruses

People sometimes lump these in with stealth viruses, because both are about hiding from antivirus programs. A stealth virus hides the modifications it makes: it takes control of the system functions that read files and disk sectors, so anyone reading an infected file, including the antivirus, sees the original contents and the original file size. A tunneling virus goes one step further down: it traces the interrupt chain to find the original OS handler underneath the antivirus hooks and calls that directly, so the monitor never sees its file writes. Some also keep a temporary copy of themselves on another drive in the system.

New variants show up every day. Being aware of what's out there will help you defend yourself against these nasty little monsters.

Why a virus and signs you've got one

Why do people make viruses? Here are some possible reasons:

  • Financial gain: If I can trick you into thinking your machine is broken and you have to pay me to get it fixed, that can be quite beneficial to me. Maybe I also want to infect my competitors. There are several cases where people have gotten in trouble for attacking their competitors via viruses and other digital means, which, by the way, is illegal.
  • Research projects, and people trying to figure out the ins and outs and whys of different viruses.
  • To play with people's minds: One of my favorites is, "Hey, that's a funny joke." It's not funny, but some people do think pranking people is humorous.
  • Vandalism, especially defacing or destroying content.
  • Political reasons: One of the most notable examples was the WANK worm, rumored to have been created by attackers in Melbourne. Its political message, displayed when you got infected, was the acronym WANK, which stood for Worms Against Nuclear Killers. In October 1989, this worm made its way into DECnet systems at the National Aeronautics and Space Administration (NASA) and the Department of Energy. In fact, the computers at NASA were infected just a couple of days before the shuttle launch that was to carry the Galileo spacecraft into orbit so that it could go and explore Jupiter and its moons.

Signs of infection

When a virus shows up, you need to know what some of the signs are. Here are some pointers:

  • Drive issues: The hard drive activity light flashing or the disk grinding away even though nothing is running and the system is not under load.
  • Video issues: Not seeing what you'd expect to see, or the display looking strange.
  • Full memory: Memory filling up completely so that the system slows way down.
  • Applications running slowly: Applications taking far longer than usual to launch or respond.
  • Strange filenames: If strange characters start showing up in filenames, or files appear that you never created, you might be infected.
  • System freezes or locks up: The system freezing or locking up for no apparent reason.

So, how do viruses get spread or injected? We'll talk about that next.

Deployment of viruses

Deployment of viruses and worms is very similar to what we just saw with Trojans because they're just malware.

So, how do viruses and worms get around? They do it very easily, especially with so many different devices out there and with today's technology.

Downloads

People are sharing so much information that we see viruses and worms being deployed via downloads.

Email attachments

Email attachments and social networking links are probably the bigger ones right now.

Not updating the OS

These bad boys also get around when people fail to update their OS, applications, or antivirus. My favorite scenario, which I get at least once a year, comes via family members. They will bring their laptop to me and say: "Hey, I bought this new laptop and it's starting to act kind of funny—I think I have a virus." My first question to them is: "Besides the 30-day or 90-day evaluation of the antivirus product, have you paid for it so that you can continue to get updates, and when was the last time you downloaded the updates?" Guess what? 9 times out of 10, they say: "It's funny you should mention that…", to which I say: "It's also funny you should call me." This is a real issue for most. I know we see updates all the time for OSs, but the same thing applies to your applications.

Microsoft is great about updating its applications, but which other applications are you running? Are your custom applications being updated to protect them from possible vulnerabilities allowing these viruses to get in? You also need to watch your plugins.

One of the biggest issues I see happening today is that we install an application on our smartphones or tablets, and we receive updates. Are you one of the handful of people who take the time to review what an update is going to change? Many times, it's asking for more permissions: your resources, your contacts, and so on. The same thing happens with plugins for applications.

Compromised legitimate sites are one of the trickiest things today. If you don't know how that works, I highly recommend doing a little research on hacking web servers, because if I can hack a web server you trust, I can make it push the virus onto your machine when you visit. I can also do it via drive-by downloads, where simply visiting a page, viewing an email message, or getting a pop-up window that looks like an application is enough. One of the most famous tricks is a pop-up made to look like your antivirus scanning your hard drives; click anywhere on the window to dismiss it, and you install the malware.

Spear phishing

Phishing sites are another way to deploy. Spear phishing is the targeted version: the email or website is tailored to a specific person or organization rather than blasted out to everyone. Either way, the email or site is purporting to be something it's not. For example, if I can poison your DNS so that you land on my version of the Citibank website (strictly speaking, that's pharming), I might ask you for things such as: "Hey, you need to reset your password, please tell us what your current one is." You might also get an email from eBay or PayPal saying: "Dear Sir, We need to verify you. Please verify your birth date."

Clickjacking

In what is known as a UI redress attack (UIRA), the attacker stacks a transparent layer over the page you think you're looking at, typically the real site loaded in an invisible frame positioned so that its button sits right under the decoy. You think you're closing or minimizing the window, but the click goes through to the hidden OK button. Your countermeasure as a user: never trust the buttons on a pop-up. Close the tab, or the whole browser via Task Manager if you have to, and whatever you do, don't go back to that website. On the server side, a site can refuse to be embedded at all by sending an X-Frame-Options header or a Content-Security-Policy header with a frame-ancestors directive, which is the fix that actually kills the attack.
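Here is the server-side check in code, as an added example that is not from the book: given a page's response headers, it decides whether a browser would let an attacker's origin put that page in a frame. It follows the precedence browsers use (a frame-ancestors directive wins over X-Frame-Options; with neither header, framing is allowed) and simplifies by ignoring ports when comparing origins. The URLs and headers are constructed.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit


def origin(url: str) -> Tuple[str, str]:
    """(scheme, host) of a URL; ports are ignored here to keep the demo short."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def source_matches(source: str, framer: str, page: str) -> bool:
    """Does one frame-ancestors source expression allow `framer` to embed `page`?"""
    src = source.strip().strip("'").lower()
    f_scheme, f_host = origin(framer)
    if src == "none":
        return False
    if src == "self":
        return origin(framer) == origin(page)
    if src.endswith(":") and "/" not in src:        # scheme-source such as https:
        return f_scheme == src[:-1]
    if "://" in src:                                 # scheme://host[:port][/path]
        scheme, rest = src.split("://", 1)
        if scheme != f_scheme:
            return False
    else:                                            # bare host, any scheme
        rest = src
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        return f_host.endswith(host[1:])             # *.example.com does not match example.com
    return f_host == host


def can_be_framed(headers: Dict[str, str], page: str, framer: str) -> bool:
    """Decide whether a browser would let `framer` load `page` in an iframe, given the
    page's response headers. A frame-ancestors directive, when present, takes
    precedence over X-Frame-Options; with neither header, framing is allowed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(source_matches(s, framer, page) for s in value.split())
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(framer) == origin(page)
    return True


if __name__ == "__main__":
    page = "https://bank.example/transfer"
    attacker = "https://evil.example/decoy.html"
    print("no headers:", can_be_framed({}, page, attacker))
    print("X-Frame-Options DENY:", can_be_framed({"X-Frame-Options": "DENY"}, page, attacker))
    print("CSP frame-ancestors 'self':",
          can_be_framed({"Content-Security-Policy": "frame-ancestors 'self'"}, page, attacker))
```

Point it at the headers of any page that carries a sensitive button (transfer, delete, approve); if it returns True for an origin you don't control, that page is clickjackable.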

Search engine optimization

If you're looking for WinZip, you'll first do a simple search for winzip. It's possible that the first selection in my Google search might not be the WinZip website. It could be an attacker who has made use of search engine optimization (SEO) to make sure their website appears before the legitimate site. If I download that version of WinZip, I'm in trouble. So, even though I want to grab a program quickly, I still need to be careful about where I'm getting the program from.

Is the virus real or fake, and does it even matter? Well, that really depends on your victim. Sometimes we might get an email message that reads: "Hey, your computer is infected with a virus, and in turn, you have spread this virus to friends, family, and co-workers just by sending them an email. Please read this and pass this on to anyone that you've sent email since September 11." This was an actual email people received. It was referred to as the Baby New Year virus. It was totally fake, but obviously, what do they play on here? Well, when it comes to hoaxes, all the attacker is trying to do is to play on fear. In this case, the fear was surrounding September 11. That date has a significant influence on those of us who live in the US or even worldwide.

A fake virus is simply just that—fake. It's a bluff. It may try to get us to do something we normally wouldn't do. My favorite is when they tell you to send this out to everybody and make sure you include them in the header, or how some people just forward an email and leave everybody's email address in the header, including the attacker, who then gets a nice spam list. Sometimes, the fake virus warning message contains a virus as well.

To avoid this, check email headers and be suspicious if the email says it's from one person but the email address doesn't look right.

Sometimes, attackers do fake viruses to sell you something or a service. They can insinuate your antivirus isn't very good and get you to buy something very similar, which is a fake antivirus. As I mentioned earlier, the fake itself could have an attachment that has a virus. A good example is an email that went around saying: "Hey, everybody gets Windows 10 for free. Click on this link to get your free copy."

What you can do to avoid falling for the fake is cross-checking. Don't believe it just because somebody says, "Hey, this was on Oprah" or "This was on the Coca-Cola company's website". Be careful if it's posted in a newsgroup if you're getting information from somebody you don't know or from an email address you are not sure about. It might also be a real issue, and maybe the government has said this virus needs to be killed. You need to check your hard drive to see if it's on there. However, if that type of information is going out, the governing body that issued the release will have it somewhere on their own website, so do a cross-check.

You can also look for websites supporting hoax viruses—they tell you all about them. As I mentioned before, be very careful about hoax or fake antivirus products or applications that promise to optimize your system for free. Nothing is ever free.

Next, we'll look at how we investigate what malware is doing.

Investigation of malware

So, how do we investigate or look at what malware is doing?

We start with a sheep dip. Strictly speaking, a sheep-dip computer is an isolated machine used to check incoming physical media, device drivers, and other files for malware before they are allowed anywhere near the real network, so that you start off with an extremely clean environment. The same idea, an isolated box you are happy to infect, is exactly what you want for a malware analysis lab, and a virtual machine is a great candidate. In fact, the steps you go through to set up your lab environment are very similar to the steps you follow to configure a sheep-dip system.

Typically, this computer is used for nothing except isolating and monitoring everything that happens as you execute the piece of malware. You do that with several different pieces of software, including antivirus software, tools that monitor registry entries, process and file activity, and ports.

In an actual setup for a sheep dip, we start with the following:

  1. Install a hypervisor on the host machine and build a victim VM.
  2. Quarantine the network so that nothing the sample does can reach your production environment: a host-only or fully isolated virtual network, no default gateway, and no VPN or proxy back to the corporate network.
  3. Disable shared folders, the shared clipboard, drag and drop, and any other service that might leak from the VM to the host. Most of the time you are good to go if you quarantine the network, but these integration features are exactly the kind of thing malware abuses to get out of the sandbox.
  4. Copy over the malware sample you've discovered. Getting it into the virtual machine (VM) can be a challenge, and it depends on the virtualization you're dealing with. You can transfer the file while the VM is connected and then disconnect it so the host no longer talks to the VM, or use the hypervisor's ability to map a physical USB drive into the VM and carry the sample on a thumb drive. Once the sample is in place, take a snapshot of the VM so you can revert to the clean state and run the sample again under different conditions.

After that…start rubbing your hands together because it's about to get exciting.

Before launching it, use utilities that will help you track what's going on. There are several different pieces of software out there that can help you do your analysis of malware at different levels.

Types of analysis

There are two types of analysis: static and dynamic.

Static analysis

This is investigating an executable file without running or installing it. One static technique is fingerprint analysis: computing the hash value (MD5, SHA-1, SHA-256) of the binary so that you can identify it, compare it with a known-good copy, and look it up in malware databases without ever running it. So, we're going to compare an original file with what we suspect to be a piece of malware.

One of the more popular products out there to help you with this is HashMyFiles, a tool that has several functions to it, including the ability to create a fingerprint of a suspect file so that you can compare it.
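Here is what the fingerprinting step looks like in code. This is an added example, not code from the book or from HashMyFiles; the "vendor original" and the tampered copy are constructed in memory, and the PE check is a header sanity check rather than a full parser. It also shows the first thing to do before hashing: confirm the file really is what its extension claims.

```python
import hashlib
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(data: bytes) -> Dict[str, str]:
    """The digests a triage report usually lists (MD5 and SHA-1 for looking up
    older reports, SHA-256 for anything you actually rely on)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def fingerprint_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same thing for a file on disk, streamed so a large sample need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_known_good(data: bytes, expected_sha256: str) -> bool:
    """Compare the suspect with the vendor-published hash. Use SHA-256 for this:
    MD5 collisions are cheap enough that two different files can share an MD5."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


def looks_like_pe(data: bytes) -> bool:
    """Is this really a Windows executable, whatever its extension says? Checks the
    MZ DOS header and that e_lfanew (offset 0x3C) points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def build_sample(body: bytes) -> bytes:
    """Constructed minimal MZ/PE-shaped blob for the demo; not a runnable executable."""
    dos_header = bytearray(b"MZ" + b"\x00" * 62)
    dos_header[0x3C:0x40] = (64).to_bytes(4, "little")   # PE header starts right after
    return bytes(dos_header) + b"PE\x00\x00" + body


ORIGINAL = build_sample(b"constructed vendor program body")
KNOWN_GOOD_SHA256 = fingerprint(ORIGINAL)["sha256"]      # what the vendor would publish
TAMPERED = ORIGINAL.replace(b"program", b"progrAm")       # one byte patched by 'the attacker'

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("suspect", TAMPERED)):
        print(label, fingerprint(blob)["sha256"][:16], "pe:", looks_like_pe(blob),
              "matches vendor hash:", matches_known_good(blob, KNOWN_GOOD_SHA256))
```

One flipped byte changes every digest, which is the whole point: a hash tells you the file is not the vendor's, but nothing about what changed. That is where the string and dependency analysis below comes in.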

It's important to consider that almost all programs, malware or legitimate, have file dependencies. When a program needs a function the OS provides, such as copying a file or opening a network socket, it imports it from a built-in library (a DLL on Windows) rather than carrying the code itself, so the program has to be able to find and load those libraries at run time.

Being able to see which dependencies a particular file has is very important. A cool little product called Dependency Walker lists all the modules an executable depends on and builds them into a hierarchy or tree. It also shows which functions the file imports from each module and which functions it exports itself. For malware, the import list is often the fastest tell: a supposed document viewer that imports process-injection functions deserves a hard look.

Dynamic analysis

This is where we look at the behavior of the malware as it's running on a monitored environment. When it comes to dynamic analysis, we will fire up the actual suspected file in a sandboxed environment because we want to protect ourselves.

We need a good baseline of the system before running the sample. Taking a snapshot of the VM gives us a way back to a clean state, but we also want to capture the current state (files, registry, running processes, listening ports) so that we have something to compare against after the file is executed.

Another item is the host integrity monitor. This process looks at which changes have taken place across the system, not just within the app itself but the whole system. To cover all your bases, you'll probably want to make sure that you're monitoring ports, processes, and registry services.

When it comes to Windows service monitoring, attackers design malware so that it installs or runs as a service. As an attacker, I'll call that service something you would never suspect, something that sounds technical. The point is that most services run under a system account, typically LocalSystem, with high privileges on the machine, and a service starts again automatically at every boot, so it doubles as persistence.

You should also be keeping an eye out on things such as startup programs—that is, which programs get placed into the startup of the OS so that they launch every single time. Also, monitor your registry. This is important because you want to be notified of any changes a particular piece of malware or suspect file might have.

We also need to be checking the event logs (system, security, and application) and any service logs; they will be extremely helpful to you.

You might also want to look at the strings in the file. Luckily, several products can help with this. One of the more popular ones is BinText, which extracts the ASCII and Unicode text from any file, including string values buried inside a binary. URLs, file paths, registry keys, and the names of imported functions often show up this way, and strings can also reveal files that have been wrapped inside the executable.
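The string extraction BinText does, with two additions worth having in a triage script, as an added example that is not the book's or BinText's code: it also pulls UTF-16LE strings, which Windows malware uses heavily and a naive ASCII-only pass throws away one character at a time, and it matches the result against an assumed watch-list of injection-related APIs and autostart locations, which is a cheap stand-in for the import view in Dependency Walker. The sample bytes and the watch-list are constructed.

```python
import re
from typing import List, Tuple

MIN_LEN = 5
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text looks like printable byte, NUL, printable byte, NUL, ... which a
# plain ASCII 'strings' pass breaks into single characters and discards.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) for every ASCII and UTF-16LE run of MIN_LEN or more."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(found)


# Assumed watch-list: APIs common in droppers and injectors. A hit is a triage
# hint, not proof; plenty of legitimate software imports these too.
SUSPICIOUS_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "URLDownloadToFileA",
    "WinExec", "ShellExecuteA", "RegSetValueExA", "IsDebuggerPresent",
}

# Registry keys and folders that make a program launch at boot or logon.
AUTOSTART_MARKERS = ("currentversion\\run", "\\startup", "winlogon")


def flag_suspicious(strings: List[Tuple[int, str, str]]) -> List[str]:
    """Import names found among the strings that are on the watch-list."""
    return sorted({text for _, _, text in strings} & SUSPICIOUS_APIS)


def autostart_hints(strings: List[Tuple[int, str, str]]) -> List[str]:
    """Strings that point at persistence locations (Run keys, Startup folder, ...)."""
    return [t for _, _, t in strings if any(m in t.lower() for m in AUTOSTART_MARKERS)]


# Constructed sample: a slice of an import table, a wide-string URL, and a Run key.
SAMPLE = (
    b"\x00" * 8
    + b"kernel32.dll\x00VirtualAllocEx\x00CreateRemoteThread\x00GetProcAddress\x00\x00"
    + "http://example.invalid/dl.bin".encode("utf-16-le") + b"\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00ok\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, kind, text in strings:
        print(f"{offset:6d} {kind:5s} {text}")
    print("watch-list hits:", flag_suspicious(strings))
    print("persistence hints:", autostart_hints(strings))
```

Run the ASCII regex alone and the URL and the Run key never appear; that is the trap with tools that only do ASCII. Also keep in mind that a packed sample shows almost nothing here until it is unpacked, which is what the next paragraph is about.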

Packers complicate this. Ultimate Packer for Executables (UPX) is a free, open source executable packer for several platforms, including Linux, Windows, Windows Embedded Compact (CE), macOS, Disk Operating System (DOS), and FreeBSD. A UPX-packed sample shows almost no useful strings or imports until it is unpacked; because UPX is open source and its format is documented, you can unpack a sample with upx -d without running it, and then go back to your string and dependency analysis. Malware authors know this, so you will also meet custom packers, where unpacking means running the sample in the lab and dumping it from memory.

Another option to consider is software that will monitor your ports, checking to see which activity fires up when you execute your suspected file.

Other products are popular because they're free, for example, Wireshark, which captures and decodes network traffic so you can see where the sample tries to talk. Microsoft ships netstat and the Sysinternals TCPView for watching ports, and you've probably come across your own favorite version of this type of software.

Another option is Sysinternals, which has a fantastic suite of tools. Two of my favorites are Process Monitor, which shows filesystem, registry, and process activity in real time, and Process Explorer, which shows all the processes currently executing along with their handles, loaded DLLs, and parent-child relationships.

You'll want to analyze your malware and debug some stuff. So, what we're looking for are the installation instructions and installation locations.

There are specific locations whereby if I can get my piece of malware inside of them (for example, the registry or some specific directories), I can make sure the application, or my piece of malware, will execute every single time.

One of my favorite programs when looking for what's been installed is Autoruns, also by Sysinternals. When debugging, you obviously don't want to install the malware just to see where it put the code. Instead, I can use something such as IDA Pro, a product by Hex-Rays, which has a disassembler and a debugger built in (plus a decompiler add-on). It lets you read the code statically to find the installation logic and locations, and step through it under the debugger to watch the interaction as it installs. This is a neat program used by most antivirus companies and anybody involved in security research.

I once came across an article that said the National Security Agency (NSA) was making everybody aware of the zero-day malware technologies being utilized, but it wouldn't reveal whether it was using them itself.

There are other resources that can help you out. There are several different companies that have online malware testing.

VirusTotal

This is one of the most popular ones. You upload a file you suspect, dozens of antivirus engines scan it, and you get back any detections along with details of what the file does. They can also check questionable websites for you. One caveat: anything you upload is shared with the security community, including the antivirus vendors, so if the file might be a targeted sample or contain your company's data, look up its hash first rather than uploading the file, and assume the attacker may be watching for their own sample to appear.

The issue here is this: when you look at a URL, you might not be willing to click on it, but the bigger issue is we have the latest trend—especially in the social networking side of things—of shortening URLs and putting links in. Be very careful about clicking on a shortcut URL, because it could take you to a site that is completely malicious.

Malware protection centers

A good example of a malware protection center is the Microsoft Malware Protection Center (MMPC), an anti-malware research and response center made up of seasoned malware protection researchers and engineers. They identify the latest and most harmful viruses and other malware and then provide tools to guard and protect against them.

There are several of these sites out there—just make sure they're legitimate sites because I've seen some sites that say they will help you scan, that all you need is to go to their site, and they'll tell you if your machine is infected or not. While they will deliver on this promise, they themselves are a website that's injecting malware on you.

Avast

Avast is another resource that you can utilize. It has its own online scanner as well.

When it comes to training end users, you need to make sure they completely understand that when we get links in an email, we don't assume the link goes where it says. It may say www.microsoft.com, but the href in the HyperText Markup Language (HTML) behind it might be taking you to youjustbeenhacked.com.

My general rule of thumb, even if I get an email from a friend (people's email accounts get compromised), is that I don't click a URL in an email. I hover over it to see the real target, or I type the address I can see into the browser myself, because I can't guarantee that link.

It's been said, you cannot have too many tools…let's talk about some of them next.

Tools in our utility belt

As an IT security professional, you should be familiar with some of the following tools or—better yet—have them in your own little arsenal.

TCPView

This is very much like netstat, but in a GUI. With TCPView, you can see every TCP and UDP endpoint on the machine, which process owns it, and all the connections being made over the network or the internet itself.

Autoruns

Autoruns shows every auto-start location on the machine and breaks it down into tabs: logon entries, services, drivers, scheduled tasks, Explorer and browser add-ons, and so on, so you can see everything configured to launch without anyone asking.

DriverView

This nifty tool, from NirSoft, is exactly what it sounds like. It lists every driver currently loaded on your machine with its load address, file path, version, and the company that produced it. Unsigned drivers and drivers from companies you don't recognize are the ones to look at first. You'll want to make sure you understand every driver that has been installed on your machine.

System File Checker (SFC)

This nifty tool is built into all our Windows platforms. It's one of the cool tools out there because it scans your system for any corruption of Windows system files and restores the corrupted files. If they've been deleted, it will also restore them.

All we do is open Command Prompt with administrative-level privileges, which means you right-click on it and select Run as administrator. From there, type sfc /scannow, which checks every protected system file and repairs the ones it can. sfc /verifyonly scans but doesn't do any repair. If you suspect one particular file is corrupt, use sfc /scanfile=<path> or sfc /verifyfile=<path>. (sfc /? just prints this list of options.) If SFC reports that it found corrupt files but could not fix some of them, the component store it repairs from is itself damaged; run DISM /Online /Cleanup-Image /RestoreHealth and then SFC again. You can see an illustration of this in the following screenshot:

Figure 9.1 – SFC

As far as virus discovery methods are concerned, you need to know there's no single great solution out there. It's a combination of things.

Scanning

Scanning is basically having some type of antivirus solution installed on your systems to help protect them. I can't tell you which is the best antivirus to install because usually, that's all based on the timeframe. The best antivirus today can drop in position within 1 to 3 months.

I will throw a little plug in—I know Microsoft's forefront security solutions have up to five antivirus scanning engines for the Exchange servers, which is kind of cool. I wish we had more solutions that were that flexible. Unfortunately, that also slows things down, right? And you must remember these antivirus products are only able to find malware they're aware of.

Common sense

Now, there are also some commonsense items we need to make sure we teach our users, and that is dealing with email. Here's a golden rule for you: if it looks suspicious, then consider it suspicious. If you're not expecting an email from somebody and they send one to you out of the blue with weird subjects or "Hey, check out this link", or the header looks as though it's an email address of a relative or someone that you know, do me a favor—don't click on it.

In the background of what's happening during scanning: when a virus gets detected, the antivirus vendors look at the different ways they can identify it. They us ually do this with a signature string, a sequence of bytes extracted from the virus code and added to the antivirus database as a declaration that a file containing it is infected. So, as they scan your system, if the bytes match, you'll be warned. The tricky thing is that when a malicious attacker writes a virus, they often do it by modifying an existing one, which is why we see variation after variation of the same virus. MyDoom, for example, had several different variations.

Malicious attackers do this because the frequent changes throw scanners off until new signature strings are generated. That's why antivirus companies don't rely on signature strings alone; they also use code analysis and heuristics. This is typically the difference between a quick scan and a thorough scan. A quick scan mostly matches strings, while an in-depth scan looks deeper into your files, unpacking and emulating code, to see whether anything resembles what they've already discovered in new pieces of malware.
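A toy signature scanner that shows both halves of the story, as an added example that is not the book's code: a byte-string signature with ClamAV-style "??" wildcards, run over a constructed "original" sample and a constructed "variant" in which one constant was changed. None of the bytes come from real malware, and the signature names are made up.

```python
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]   # None means '??', match any byte

# Constructed 'family' code: a function prologue, a pushed constant, and a call.
# These are illustrative bytes, not taken from any real malware.
ORIGINAL_SAMPLE = (b"<constructed preamble>"
                   + b"\x55\x8b\xec\x83\xec\x20\x68\x41\x42\x43\x44\xe8\x10\x00\x00\x00"
                   + b"<constructed remainder>")
# A 'new' variant made the lazy way: the same code with one constant changed.
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"\x41\x42\x43\x44", b"\x51\x52\x53\x54")

# Hex signatures; '??' is a wildcard byte. The exact signature was taken across
# the constant, the wildcard one masks it out and survives the variant.
SIGNATURES = {
    "Constructed.FamilyA (exact)": "55 8b ec 83 ec 20 68 41 42 43 44 e8",
    "Constructed.Family (wildcard)": "55 8b ec 83 ec 20 68 ?? ?? ?? ?? e8",
}


def parse_hex_signature(sig: str) -> Pattern:
    """Turn 'aa bb ?? cc' into a byte pattern."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def scan(data: bytes, pattern: Pattern) -> int:
    """Offset of the first match of pattern in data, or -1. Naive O(n*m) search;
    real engines compile thousands of signatures into one automaton."""
    n, m = len(data), len(pattern)
    for i in range(n - m + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def scan_all(data: bytes, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """Run every signature over the file and return (name, offset) for each hit."""
    hits = []
    for name, sig in signatures.items():
        offset = scan(data, parse_hex_signature(sig))
        if offset != -1:
            hits.append((name, offset))
    return hits


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(label, "->", scan_all(sample) or "clean (as far as these signatures know)")
```

The exact signature misses the variant and the wildcard one catches it, which is the everyday trade-off for a signature author: take the bytes from code that has to stay the same for the virus to work, not from constants the next author will change, and accept that a wider signature risks false positives on clean files.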

Integrity checking

These types of products verify the integrity of your systems. Some of them are built into our OSs, especially on the Windows platform, where the OS checks whether the core system files have been modified, treats modified ones as corrupt, and tries to recover them for you. In your immediate future, you might see something about two integrity-checking products. The first is Tripwire, a company that makes a file-integrity and change-monitoring system designed for the enterprise. Tripwire compares the current state of files against a stored baseline, monitors in real time, and tells you where and when a file was modified and who or what did it. The second is built into Windows: Sigverif (File Signature Verification), which checks whether critical system files and drivers carry a valid digital signature and lists the ones that don't.
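The baseline-and-compare step described under Dynamic analysis and the file-integrity monitoring that products such as Tripwire do continuously are the same technique, so here is one added example that covers both (it is not the book's code, nor Tripwire's). It snapshots a constructed directory standing in for a victim VM, seals the baseline with an HMAC so a sample that gains admin cannot silently rewrite it (the key is a placeholder and would live with the analyst, not on the monitored box), runs an inert stand-in for the sample, and reports what was added, removed, and modified.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Assumption: the key lives with the analyst, not on the monitored box. Placeholder value.
BASELINE_KEY = b"placeholder-key-kept-off-the-monitored-host"

Snapshot = Dict[str, Tuple[str, int]]   # relative path -> (sha256, size)


def snapshot(root: str) -> Snapshot:
    """Hash every file under root. Real monitors also record owner, permissions and mtime."""
    state: Snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[rel] = (digest, os.path.getsize(full))
    return state


def seal(state: Snapshot) -> str:
    """Serialize the baseline with an HMAC tag, so a sample that gains admin on the
    box cannot quietly rewrite the baseline to match its own changes."""
    body = json.dumps(state, sort_keys=True)
    return body + "\n" + hmac.new(BASELINE_KEY, body.encode(), "sha256").hexdigest()


def unseal(sealed: str) -> Snapshot:
    body, tag = sealed.rsplit("\n", 1)
    expected = hmac.new(BASELINE_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline has been tampered with")
    return {path: tuple(entry) for path, entry in json.loads(body).items()}


def diff(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Files added, removed, or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def build_lab(root: str) -> None:
    """Constructed stand-in for a victim VM: a 'system' file and a Startup folder."""
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Startup"))
    with open(os.path.join(root, "Windows", "System32", "hal.dll"), "wb") as fh:
        fh.write(b"constructed system file")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"user data")


def simulated_sample(root: str) -> None:
    """Inert stand-in for detonating the suspect file: it persists through the Startup
    folder, patches a system file, and deletes a user file."""
    with open(os.path.join(root, "Startup", "updater.lnk"), "wb") as fh:
        fh.write(b"constructed autostart entry")
    with open(os.path.join(root, "Windows", "System32", "hal.dll"), "ab") as fh:
        fh.write(b"\x90\x90")
    os.remove(os.path.join(root, "notes.txt"))


def run_demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as root:
        build_lab(root)
        sealed = seal(snapshot(root))    # baseline before detonation
        simulated_sample(root)           # 'run' the sample
        return diff(unseal(sealed), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real engagement, the directory would be the VM's filesystem and you would read this report alongside the Process Monitor and Autoruns output; the Startup/updater.lnk line here is exactly the kind of persistence entry you're hunting for, and the modified system file is what SFC or Tripwire would flag in production.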

Interception

This method uses interceptors. An interceptor watches the requests a program makes to the OS, for network access and for specific sensitive actions such as modifying system files or installing a driver, and uses them to identify threats to the system. If it sees one, it typically pops up a notice that the user is about to do something, or that a change is about to take place. In the Windows world, the closest built-in example is User Account Control (UAC), which prompts before a program is allowed to run with administrative privileges. Everybody seems to disable it because they don't understand that UAC is designed to protect us.

We have the same thing when it comes to both Linux and iOS when you get the prompts to enter a root password, right? You can see that because there are different methods of discovery, this is a continual battle. Personally, I don't think there's a single best solution—I think it's always a combination of things. It's not always software-driven, although software does help us. To me, there's a lot of common sense that needs to be deployed.

Now let's take a look at some DoS threats.

DoS threats

DoS threats are among the most common threats faced by organizations. A DoS attack can be mounted against any organization, regardless of size or industry.

There are many different types of DoS attacks, but all have the same goal: to prevent legitimate users from accessing the organization's resources. Some of the most common types of DoS attacks include the following:

  • Flooding attacks—In a flooding attack, the attacker sends a large number of requests to the organization's servers, overwhelming them and preventing legitimate users from accessing the resources they need.
  • SYN floods—A synchronize (SYN) flood occurs when the attacker sends a large number of SYN packets to the organization's servers. Because the request is not complete, the servers are unable to send a SYN-ACK message, where ACK stands for acknowledgment. The servers become overwhelmed and legitimate users cannot access them.
  • Application layer assaults—These attacks focus on specific applications or services that an organization uses. For example, there may be an attack against an organization's email server that prevents messages from being sent or received.

Any organization can be the target of a DoS attack, but some industries are more at risk than others. Healthcare organizations, for example, are often targeted because they hold sensitive data that can be used for identity theft or other malicious activities. Financial institutions are also frequently targeted in DoS attacks, as are government agencies and critical infrastructure providers.

Next, let's talk about DoS on steroids.

Distributed DoS (DDoS) attack

DDoS attacks, which are a type of DoS attack, are becoming increasingly common. A DDoS attack is when multiple systems are used to send overwhelming amounts of traffic to a target system, preventing it from functioning normally. Some of the most common types of DDoS attacks include the following:

  • UDP floods—In a UDP flood attack, the attacker sends a large number of UDP packets to the target system. Because UDP is an unreliable protocol, there is no mechanism for the server to determine whether a request was sent. The target system becomes overwhelmed by UDP requests and cannot respond to legitimate users.
  • Internet Control Message Protocol (ICMP) floods—In this type of attack, the attacker sends a large number of ICMP packets to the target. These packets spoof the source IP address so that it appears to be coming from the target system. As a result, the target system is overwhelmed with requests and cannot respond to legitimate users.
  • HTTP floods—In an HTTP flood attack, the attacker sends a large number of HTTP requests to the target system. Because HTTP is a stateless protocol, there is no way for the server to determine whether a request has been sent before. The target system becomes overwhelmed and cannot respond to legitimate users.

DDoS attacks can be very difficult to defend against, especially if they are launched from multiple sources. Organizations should implement DDoS mitigation strategies to protect themselves from these types of attacks.

Botnets

One of the most common methods used to launch a DoS attack is using a botnet. A botnet is a collection of compromised devices that are controlled by the attacker. The attacker can then use these devices to launch a flood of requests at the organization's servers, overwhelming them and preventing legitimate users from accessing the resources they need.

Mitigation strategies

There are many ways to protect an organization from a DoS attack. The most important step is to have a good security posture, which includes having strong firewalls in place and ensuring that your systems are up to date. You should also regularly test your systems for vulnerabilities so that you can identify and fix any weaknesses before they can be exploited by an attacker.

It is also important to have a plan in place for responding to a DoS attack. This plan should include steps for identifying the source of the attack, stopping it, and restoring services to normal. Having a plan in place will help you to minimize the effects of an attack and ensure that your organization can return to normal operations as soon as possible.

There are several different mitigation strategies you can use to protect yourself from a DDoS attack. Some of these are listed here:

  • Use a DDoS protection provider—A DDoS protection provider will monitor incoming traffic toward your server and filter out any malicious requests. This helps you to reduce the effects of an attack but does not prevent it entirely.
  • Implement network segmentation—Segmenting your network will allow you to isolate each server so that attackers cannot target multiple systems at once. To limit the impact of an attack, try implementing micro-segmentation through software such as Virtual Routers (vRouters). This will allow you to separate your systems and protect yourself from a mass attack.
  • Implement application-layer protections—The application layer is one of the most vulnerable parts of an architecture, but it can also be one of the easiest to protect against DDoS attacks. Software such as vArmour protects the application layer by providing an additional security layer for your servers.
  • Use DDoS detection tools—There are many different network-based methods that can be used to detect a potential attack. These include mitigating DNS floods with Berkeley Internet Name Domain (BIND); Cisco IOS global rate limiting; and router access control lists (ACLs), blackhole routing, null routing, and source-based routing. You should also monitor your system logs for any signs of an attack.
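The last bullet mentions monitoring your system logs for signs of an attack. The following is an added example, not something from the book or from any of the products named above, of what that monitoring can look like for an HTTP flood: a sliding-window counter that reads web server access-log lines in Common Log Format and flags any source IP that exceeds a request threshold within a short window. The log lines are constructed for the demonstration (one source sends a burst of 120 requests in six seconds while two others browse normally); the threshold and window are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log sample in Common Log Format (not real traffic). 203.0.113.7 sends a burst
# of 120 requests spread over six seconds; the other two addresses make a handful of normal requests.
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512\n'
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024\n'
    + "".join(
        f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i // 20:02d} +0000] '
        f'"GET /search?q={i} HTTP/1.1" 200 64\n'
        for i in range(120)
    )
    + '198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /about.html HTTP/1.1" 200 900\n'
    '192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "POST /login HTTP/1.1" 302 0\n'
)

# Common Log Format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_log(text: str) -> list:
    """Turn raw log lines into (timestamp, client_ip, request) tuples, skipping lines that don't parse."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, ts, request, _status, _size = match.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entries.append((when, ip, request))
    entries.sort(key=lambda e: e[0])  # logs are usually in order, but don't depend on it
    return entries


def detect_floods(entries: list, threshold: int = 50, window_seconds: int = 5) -> dict:
    """Flag any client that makes >= threshold requests inside a sliding window of window_seconds.

    Returns {client_ip: peak_requests_in_window} for the clients that crossed the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    flagged = {}
    for when, ip, _request in entries:
        queue = recent[ip]
        queue.append(when)
        while when - queue[0] >= window:  # drop requests that fell out of the window
            queue.popleft()
        if len(queue) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(queue))
    return flagged


def analyse(text: str = SAMPLE_LOG) -> dict:
    """Convenience wrapper: parse then detect, with the defaults above."""
    return detect_floods(parse_log(text))


if __name__ == "__main__":
    for ip, peak in analyse().items():
        print(f"possible HTTP flood from {ip}: {peak} requests within 5 seconds")
```

A per-IP counter like this catches a single noisy source; for a distributed flood the same logic is run per URL or per user agent as well, because each individual bot may stay under a per-address threshold while the aggregate rate is still far above normal.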

Next, let's look at session hijacking.

Session-hijacking threats

Session-hijacking attacks are a type of attack in which an attacker diverts the session of a user to their machine. In this process, attackers try to capture users' packets and hijack their active sessions by cracking encryption codes or altering configurations. Sometimes, these attacks are conducted on a large scale for illegal activities that lead to economic gains, including credit card fraud and e-commerce scams. Attackers make use of easy-to-exploit and common vulnerabilities and attack victims where they are unprotected (open networks). However, session hijacking is more complex than other exploits because it depends on the attacker's ability to crack encryption codes.

Today, there are different types of session-hijacking attacks that are performed based on the level of access the attacker has to the network. The most common form of session hijacking is IP hijacking, where attackers divert traffic by acquiring the IP address of the victim and fooling the server into thinking that they are the original user. This can be done in several ways, such as Address Resolution Protocol (ARP) spoofing, DNS spoofing, or session splicing.

Some of the most common session hijacks are described next.

Cross-Site Scripting

In another type of attack called Cross-Site Scripting (XSS), attackers inject malicious scripts into web pages viewed by the victim. When the user visits the infected page, the script is executed and the attacker gains access to the session. This type of attack is more common in public networks where users are not aware of the security risks involved.

Man-in-the-Middle attacks

Session hijacking can also be used to gain access to confidential information. In Man-in-the-Middle (MitM) attacks, the attacker intercepts all communication between the victim and the server and can see all data that is being exchanged. This allows the attacker to steal passwords, credit card numbers, or any other sensitive information.

Spoofing versus hijacking

You might be thinking that spoofing attacks are the same as hijacking. However, spoofing is different from session hijacking because, in spoofing, the attacker gains access to the place of the victim and gets the same privileges as the real user, such as accessing network resources or intercepting information sent by users. In session hijacking, attackers do not get such full access to resources, and they only get access to the sessions of users. This is why session hijacking is more dangerous than spoofing attacks.

Predicting session tokens

Many web servers create session IDs using algorithms that generate a unique token for each new session. This makes it difficult for attackers to hijack sessions, as they would not know the session ID unless they captured it during the initial login process. However, some servers do not implement such security measures and use easily guessable tokens or session IDs. In these cases, it is possible for the attacker to know the session token in advance and hijack user sessions.

The steps an attacker would use to predict a session token include the following:

  1. Identifying the session management mechanism used by the server
  2. Identifying the algorithm used to generate session tokens
  3. Identifying weaknesses in the algorithm that could allow for the prediction of session tokens
  4. Extracting a few session tokens and analyzing them to identify any patterns
  5. Generating a list of possible token values based on the analysis of the extracted tokens
  6. Trying out the possible token values to see if any of them matches the actual session token
  7. Eventually, identifying the correct session token value that can be used to hijack user sessions
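The defense against every step in that list is the same: tokens that carry no pattern to find. As an added example (not the book's code, and not a real server's token scheme), the block below puts a deliberately weak generator of the kind the section warns about, a plain counter rendered as hex, next to a generator that draws 128 bits from the operating system's cryptographic random source, and runs a small audit over a sample of each. The audit flags a generator as weak when consecutive tokens sit close together as integers or when the sample's estimated entropy falls under a threshold. The 64-bit cut-off and the sample size are assumptions chosen for the demonstration.

```python
import math
import secrets
from collections import Counter
from itertools import count

# Deliberately weak generator of the kind the chapter warns about: a plain counter rendered as hex.
# Constructed for illustration only; seeing two tokens is enough to bracket the next one.
_counter = count(1000)


def weak_token() -> str:
    return f"{next(_counter):08x}"


def strong_token() -> str:
    """128 bits from the OS CSPRNG; no relationship between one token and the next."""
    return secrets.token_hex(16)


def estimate_entropy_bits(tokens: list) -> float:
    """Rough Shannon estimate: per-character entropy over the sample times the token length.

    This is an upper bound (it ignores structure between positions), so a low score is damning
    while a high score is only necessary, not sufficient.
    """
    pooled = Counter("".join(tokens))
    total = sum(pooled.values())
    per_char = -sum((n / total) * math.log2(n / total) for n in pooled.values())
    return per_char * len(tokens[0])


def looks_sequential(tokens: list, max_gap: int = 16) -> bool:
    """True if the tokens parse as hex integers that are all within max_gap of their neighbour."""
    try:
        values = sorted(int(t, 16) for t in tokens)
    except ValueError:
        return False  # not numeric at all, so not a counter
    return all(b - a <= max_gap for a, b in zip(values, values[1:]))


def audit(tokens: list, min_bits: float = 64.0) -> dict:
    """Summarise a sample of session tokens and say whether the generator should be trusted."""
    bits = estimate_entropy_bits(tokens)
    sequential = looks_sequential(tokens)
    return {
        "samples": len(tokens),
        "entropy_bits": round(bits, 1),
        "sequential": sequential,
        "verdict": "weak" if sequential or bits < min_bits else "ok",
    }


def compare_generators(samples: int = 100) -> dict:
    """Audit both generators on the same number of freshly issued tokens."""
    return {
        "counter": audit([weak_token() for _ in range(samples)]),
        "csprng": audit([strong_token() for _ in range(samples)]),
    }


if __name__ == "__main__":
    for name, report in compare_generators().items():
        print(name, report)
```

The entropy estimate is intentionally crude; its job is to catch the obvious failures (short tokens, tiny alphabets, counters) rather than to certify a generator. The dependable property is the source: `secrets` (or the platform equivalent) rather than a counter, a timestamp, or a general-purpose pseudo-random function.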

Man-in-the-Browser attacks

There are many security applications such as antivirus software, web filters, and virtual private networks (VPNs) that sit between the browser and server to protect user information. However, these security tools can be exploited by attackers through Man-in-the-Browser (MitB) attacks. This type of attack uses JavaScript code to manipulate the behavior of applications running on a client machine. When the user visits a malicious website, the script is executed by their browser and can perform any action controlled by the attacker. For example, it could send financial information to a different server.

Session-fixation attacks

Session-fixation attacks are similar to session hijacking because they allow attackers to steal user sessions. However, instead of manipulating the flow of data, attackers use this type of attack to create a new session for themselves and then trick users into using it.

In most cases, these types of attacks involve sending links or embedding links with session IDs in emails or instant messages. When the user clicks on the link, they are redirected to a website where their session is hijacked. Session-fixation attacks can also be used to exploit vulnerabilities in web applications.

Session ID spoofing

In session ID spoofing, attackers use fake session IDs to hijack user sessions. This type of attack is also known as a phishing attack because it tricks users into entering sensitive information on a website they believe is genuine. Attackers can create fake session IDs using tools that allow them to easily guess the underlying algorithm used by the application.

Attacking from public networks

In most cases, attackers use session-hijacking attacks from public networks such as the anonymous Tor network. They use tools such as Firesheep to sniff out session information on unsecured Wi-Fi networks and hijack user sessions with ease.

Other ways of hacking into accounts

Attackers also resort to other types of attacks, depending on the type of application they are targeting or their individual skills. For example, in pharming attacks, attackers use malicious DNS servers to redirect users to fake websites where they are asked to enter their login credentials. Once the user enters their information, it is sent to the attacker who can then log in and take over the account.

Preventing session hijacking

Session hijacking can be prevented by using strong authentication methods and by being aware of the security risks involved in using public networks. Users should also be careful when clicking on links or opening attachments in emails, especially if they don't know the sender.

Web application developers can also protect their applications from session-hijacking attacks by using strong authentication mechanisms and by verifying the authenticity of session tokens. They should also avoid using easily guessed session tokens or embedding them in URLs.
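The two paragraphs above give the developer-side rules: unguessable tokens, tokens whose authenticity the server can verify, and tokens kept out of URLs. Here is an added example of a minimal server-side session manager that follows them; it is written for this chapter and is not the code of any particular framework. The cookie value is a random 256-bit session ID plus an HMAC tag, so a forged or edited cookie is rejected before the session store is even consulted; the session is replaced at login, which also defeats the session-fixation attack described earlier; and the token is delivered in a cookie marked `Secure`, `HttpOnly` and `SameSite=Strict` rather than in a URL. The key, the lifetime, and the `now` parameter (present so the behaviour can be checked without waiting) are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the example: a real deployment loads the key from a secret store, never from source.
SERVER_KEY = secrets.token_bytes(32)


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random ID plus an HMAC tag."""

    def __init__(self, key: bytes, ttl_seconds: int = 1800):
        self.key = key
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"user": ..., "expires": ...}

    def _tag(self, session_id: str) -> str:
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: Optional[str] = None, now: Optional[float] = None) -> str:
        """Create a session (anonymous unless user is given) and return the cookie value."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[session_id] = {"user": user, "expires": now + self.ttl}
        return f"{session_id}.{self._tag(session_id)}"

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the session ID if the token is well-formed, authentic and unexpired, else None."""
        now = time.time() if now is None else now
        session_id, sep, tag = token.rpartition(".")
        # Constant-time comparison: a normal == would leak how many tag bytes matched.
        if not sep or not hmac.compare_digest(tag, self._tag(session_id)):
            return None  # tampered with or forged outright
        entry = self._sessions.get(session_id)
        if entry is None or entry["expires"] < now:
            self._sessions.pop(session_id, None)
            return None
        return session_id

    def login(self, old_token: Optional[str], user: str, now: Optional[float] = None) -> str:
        """Rotate the session at authentication so a pre-set (fixated) ID never becomes a logged-in one."""
        if old_token is not None:
            old_id = self.validate(old_token, now)
            if old_id is not None:
                del self._sessions[old_id]
        return self.issue(user, now)

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        session_id = self.validate(token, now)
        return None if session_id is None else self._sessions[session_id]["user"]


def set_cookie_header(token: str, max_age: int) -> str:
    """Cookie attributes that keep the token off clear-text connections, away from page scripts,
    and out of cross-site requests. The token never appears in a URL."""
    return (f"Set-Cookie: session={token}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore(SERVER_KEY)
    anonymous = store.issue()
    logged_in = store.login(anonymous, "alice")
    print(set_cookie_header(logged_in, 1800))
    print("old token still valid after login?", store.validate(anonymous) is not None)
```

Two choices are worth calling out. The HMAC tag lets the server drop garbage without a store lookup, but the store is still the authority: deleting the entry revokes the session immediately, which a purely self-contained signed token cannot do before it expires. And `login` always issues a fresh ID rather than upgrading the existing one, because whatever ID the browser held before authentication may have been planted by someone else.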

To protect yourself from session-hijacking attacks, you should always use strong passwords and install security patches as soon as they are available. You should also avoid using public networks to access your personal accounts.

Finally, you can reduce the risk of attacks by using a strong antivirus or internet security suite with features such as URL filtering, web filtering, keystroke encryption, data shredding, and a virtual keyboard.

I know, I've scared you a lot. Tell you what—let's now talk about some of the things we can do to protect ourselves from these monsters.

Master list of countermeasures

These are my own best practices that I've come up with based on my experience. Some of them have also been discussed in various publications.

There are three levels or different areas we need to make sure we're protecting, as follows:

  • Server level—We have different products and solutions for our servers than we have for our desktop machines, laptops, or mobile devices. Please, please, please protect your mobile devices.
  • Desktop solutions level—Just because you have protection in place at the server level doesn't mean that desktops don't need to be covered as well. Some people say: "We have antivirus on our servers that scans everything." So, what happens when somebody plugs in a USB thumb drive they picked up in the parking lot? How is the server going to handle that? You should have desktop solutions as well as server solutions and vice versa because if you have stuff installed on your desktops, that doesn't mean your servers are completely safe.
  • Physical security level—When it comes to ethical hacking, you need to understand attackers are not only looking for ways of getting into your environment, but even easier is getting into your environment by stealing your laptop, phone, or tablet. So, to guarantee physical security, we need to ensure we have things in place such as locked doors. I can't count the number of times I have seen a server sitting in an open room, or my favorite—the hallway closet in an office environment.

Another obvious physical security solution is to control who has physical access to the office environment itself. There are different things you can do to achieve that—for example, a man trap: an area where one door locks behind you after you have walked through, and you can't open the next door until the first has locked or somebody has approved you. In effect, it locks you inside this area.

So, what's on my list of countermeasures? Let's discuss some of these solutions.

Antivirus

You need to make sure you have antivirus solutions for your desktop machines, mobile devices, and servers. You might also need antivirus solutions for specific products. Many antivirus vendors don't just offer the basics, such as scanning desktops, servers, and all their files for viruses or malware—they might have a plugin specific to an application such as SQL, Exchange, or SharePoint. And how many people are running antivirus on their mobile devices?

Creating a security policy

The people in your company need to understand how to handle malware. Creating a policy will help ensure everyone tries to maintain security. It's not going to be just one policy; you will need a policy for antivirus to ensure everyone knows what to do if they think they have been infected. You will also need an email server policy that dictates how we plan on protecting the email server. You need email malware scanning policies to let people know when to scan, how often to scan, and who oversees updating those definitions.

You also need to come up with a policy on which file attachments people need to block. I know some companies who block not only the standard things—executables, batch programs, and so on—but also ZIP files, screen saver files (SCRs), or registration files. The policy needs to tell people what to do if they detect it. Should they quarantine it? Quarantine, then delete it after so many days? Or do we just whack it the first chance we get?

We also need a network exploit protection policy. This is the policy we use to inform people on how to handle remote users and mobile devices. For example, if I come in from the outside via VPN and I'm using my home PC, hopefully, you're going to limit me so that I don't have the same access to all the files on the network as I would have when at my office physically.

After creating these policies, you must make sure you share them and have training on them in your networked environment. In fact, I know my wife's company has them sign something to say they've read the policy because guess what? Doing certain things will get you an extended leave of absence.

Watching the download

When you go to install an application, you may be given some instructions on how to download and install it. I'm sure you've experienced this before…you'll go to download a piece of software and there's a big green button that says Download and you think that is the link to download the file you're looking for, but you're downloading something else.

The instructions for downloading on the website might also tell you to disable certain things. Sometimes, they'll be in these forums or blog sites, and they'll say: "Hey, in order to install this, you've got to jump through these hoops—disable your antivirus because you might get a false positive." If you really want to have a good laugh, go look at some of these torrent sites and look at some of the comments that people make about installing. "Hey, you know, my antivirus said there was a piece of malware in there", and the author will say: "Oh, no, that's just a false positive because of the hack that we used."

Updating your software

This is obvious, so most informed people religiously keep their software up to date. What about the OS? Most people say: "You know, I wait until patches have been released for 30 or 60 days before implementing them." Well, guess what? That's 30 or 60 days that you're open to that vulnerability.

When it comes to Microsoft patches, you must install critical updates. They are not necessarily designed to do anything crippling to your environment—they patch a hole in your environment that Microsoft, Apple, or Linux is aware of. They're trying to help you, so critical updates should be deployed immediately.

Updating applications

It's also important to make sure your applications are updated, whether it's the desktop-application or the server-application side of things. Server applications run on a server such as Exchange and SQL. Keep them up to date. And please, whatever you do, don't forget updates on your mobile devices.

Attachment issues

What do we mean by attachment issues? It's simple: try not to open attachments. I know we typically say: "Our users just don't get it—can you believe they did this?" Okay, I get it. But you know what? They're not as dumb as they used to be. Those of us who have been in this industry for 10 to 20 years remember our users as having been intelligence-challenged when it came to handling emails, but attackers are getting very tricky—they can trick anyone.

In fact, my wife recently got an email that said, "Dear valued member, we've been receiving complaints of unauthorized usage of your USAA online banking system and due to concerns regarding safety integrity of your membership, we hereby issue this warning message", and then they told her how to update her records. And how did they want her to update? Download and open the document they attached to the email and follow the instructions.

It looked like a document, but only if you don't finish the sentence out. In this email, they even copyrighted at the bottom and quoted things such as Member FDIC, which is how I knew it was spam. Of course, this was besides the fact we don't have a normal bank.

My wife's response was simple: "We don't have a United Automobile account."

The other thing you want to do is ensure you block file attachments with more than one file type extension associated with them, such as form.doc.txt or form.doc.bat.

Legitimate source

Where is this coming from? Who is the source of this file? When I go to download a piece of software, I always make sure I go to the legitimate source. It's the same with drivers—I don't go to Billy Bob's download driver page to get my drivers. I got burned on that one once before.

Keeping informed

The one thing you want to do as a security expert or an ethical attacker is to stay current—daily, if not hourly in some cases. When a zero-day attack is announced, keep up to date with what's going on with it. This is obviously more than just scanning your environment.

Antivirus

This countermeasure speaks for itself. Your antivirus should be running daily.

Checking your media

Always check your media, which includes DVDs, CDs, as well as USB drives. Many people burn DVDs at home because they have documents and stuff they want to bring to work—documents, a collection of their favorite music, or a movie they would like to share with a colleague. The problem is their systems might be infected. You should have a policy about what is allowed to be brought in.

In fact, I am not a big fan of having optical drives in desktop systems just because of that issue. A friend who went to China came back with a DVD and handed it to me with a big smile: "You're welcome." He thought it was all cool, but you should have seen the look on my face when I asked: "What's this?" "Oh, I bought it for $15; it's every product Microsoft makes!" It was pirated software and as I recall, it also had Symantec antivirus for free.

Watching your popups

Make sure your pop-up blocker in your web browser is turned on and remember: malware creators are getting quite creative with popups. They trick people by socially engineering them by making the popup look like something it's not. For example, it might look like antivirus but when you look at the border, you realize it's an Internet Explorer (IE) pop-up window without the URL bar. And because they're smart, they might make it an animated Graphics Interchange Format (GIF) file to make it look like it's scanning. No matter where you click, you will end up getting infected, even if you click the Close button. So, be very careful and vigilant about blocking popups.

Chat files

The reason this is important to check is because of the social networking environment where people are chatting back and forth. For example, Oswald Cobblepot, whom you just met on the internet, could say: "Hey, I happen to like Batman too, do you want to see a really cool Batman screensaver? Let me send you a file."

Firewall and UAC

Who doesn't hate Microsoft firewall and the UAC? It is that annoying popup that asks: "Are you sure you want to do this?" I get it. As an administrator, I think: "Of course I want to do it. I'm the one who typed in regedit."

Sometimes, we feel it's too much of a hassle to configure Windows Firewall. Well, guess what? Some of your attacks will not come from the outside—most are going to come from the inside. And believe it or not, the UAC is there to just remind you: "Hey, you're about to make a change that is going to make a change to the system itself. Are you really sure you want to do this?"

What's so funny is Microsoft gets hammered for this thing, yet what does Linux do? And Apple? Okay, full disclosure here. I have a laptop that I travel with for training purposes. I do turn the UAC off on it because I don't want to have to waste time by clicking OK when I'm doing presentations or demos. However, the UAC and firewall are enabled on all the servers at my house, my kids' machines, my wife's machine, and every other machine in my environment.

Again, you can turn your UAC and firewall off, but only if you know the consequences of that action. I'm using the word consequences because it worked with my kids—they always ran out of the room because that's the word we used instead of grounding. It's the same thing with users and for yourself—there are good consequences and bad consequences. Every choice you make has a consequence. Now, go to your room.

Summary

We first talked about what malware is and why it's created. It's critical we grasp the nature of malware because it's the number-one issue for us right now as far as security is concerned. We also talked about DoS threats, which can be devastating. We covered the dangers of session hijacking and how attackers try to predict and overtake a user's session to use their credentials to continue their attacks, and finally, we calmed your nerves by looking at countermeasures.

In the next chapter, we'll talk about sniffing and the different types of sniffing available to us. We'll also cover how sniffing can be used in an attack and how to protect ourselves from these attacks.

Questions

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. To protect against Trojan attacks, how do Tripwire and other similar applications assist us?
    1. It's a file-integrity checking tool that detects and rejects malware designed for the kernel.
    2. It's an antivirus solution that quarantines and removes malware right away. 
    3. It's a file integrity checker that alerts you when a system file is changed.
    4. It's an antivirus program that detects and removes viruses during a scan.
  2. To continually pull data and monitor a network, what is typically used?
    1. Trojan
    2. APT
    3. A rootkit
    4. A virus
  3. What component can be used to install malware on a target?
    1. Crypter
    2. Dropper
    3. Exploit
    4. Obfuscator
  4. What is the name of a program that is concealed within another program?
    1. Multipart
    2. Ransomware
    3. Trojan
    4. Stealth