Certified Ethical Hacker - Part 6-1 Malware Threat

by Riazul H. Rozen
Dec. 6, 2017, in Pen Testing & Audits (CEH)

Introduction of Malware

Malware is software written with malicious intent. It damages systems by giving its author limited or full access to the target system. Malware can be introduced into a system through various means: removable devices, fake programs, downloading from or opening unsecured sites, instant messengers, and so on. Some of the known kinds of malware are rootkits, Trojans, botnets, adware, viruses and worms.

Malware

Trojan horses

Trojans can be used to damage an organization's systems, and can be slipped in without being noticed, because Trojans usually disable antivirus software or firewalls. What a Trojan horse does once it is in the system depends on the attacker's goals. Some have been known to delete important files from target systems; others have been used to carry out reconnaissance on the target system by gathering information such as videos and audio from the victim's computer.

[Image: Ports used by Trojans]

The Trojan horse can also be used to perform DDoS attacks, or to implement backdoors that switch or divert the operating system's activities without the knowledge of the target system's administrators. The Trojan horse can also be used to wreak even more havoc on the victim's system, as the attacker can use it as a means to download other malicious programs: spyware, adware, etc.

Wrappers

These are methods used to keep a Trojan horse from being noticed on a host system. Wrappers attach the Trojan to a seemingly harmless .EXE application such as a game. The wrapper installs the Trojan in the background before it installs the main application. Attackers also deliver Trojans through other vehicles, such as birthday messages.

Exploit Kit

Exploit kits are used by malicious attackers to transfer viruses, spyware, adware, botnets and other malicious code to a target system. This happens when a victim tries to access a site: the attacker redirects the victim to a different site, and uses the exploit kit to extract sensitive information.

How to infect a system with a Trojan horse

  • Attackers build the Trojan horse that will infect the host system using a Trojan horse construction kit.
  • A dropper is needed to execute the malicious code once it is in the system.
  • A wrapper is used to install the Trojan on the host system.
  • Send the Trojan.
  • Execute the dropper.
  • Initiate the damage routine.

[Image: Trojan Mechanism]

How to hide a Trojan horse from firewalls

Firewalls are advancing continually with growing technology. Hence, it is important to understand the different ways a Trojan can be slipped past an anti-virus without being detected.

  • The Trojan used to infect a target system has to be written from scratch, because a downloaded Trojan will be detected easily by the anti-virus.
  • It is also important to break the Trojan down into smaller pieces and put it into a zip file.
  • It is necessary to encrypt the file to prevent it from being seen by the victim.
  • It is possible to edit the Trojan file using a hex editor.
  • It is possible to hide the Trojan in an application by changing the file extension. For instance, a Trojan hidden in a file named DOC.EXE will get past the anti-virus undetected, especially on Windows, because Windows hides the .exe extension and shows the file as .doc.
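The DOC.EXE trick in the last point relies on Explorer hiding only the final extension. The following checker, an added example that is not part of the original article, shows the defender's counter-check: it compares the name a user would see with the real extension, and inspects the file's leading bytes (a PE executable always starts with "MZ", whatever it is called). The filenames and byte strings are constructed samples.

```python
import os

# Extensions Windows treats as directly executable, and ones users trust as "documents".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".jpg", ".txt"}


def displayed_name(filename):
    """Name as Explorer shows it with 'hide extensions for known file types' on:
    only the final extension is dropped, so 'report.doc.exe' displays as 'report.doc'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_pe_executable(head):
    """A Windows PE file starts with the DOS stub signature 'MZ' regardless of its name."""
    return head[:2] == b"MZ"


def assess_file(filename, head):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    shown = displayed_name(filename)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    if real_ext in EXECUTABLE_EXTENSIONS and shown_ext in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: displays as '{shown}' but is {real_ext}")
    if is_pe_executable(head) and real_ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"PE header (MZ) but extension {real_ext or '(none)'} claims otherwise")
    return findings


# Constructed sample inputs: (filename, first bytes of the file's content).
SAMPLES = [
    ("quarterly.doc.exe", b"MZ\x90\x00"),  # wrapped executable posing as a document
    ("photo.jpg", b"MZ\x90\x00"),          # renamed executable; the extension alone lies
    ("notes.doc", b"\xd0\xcf\x11\xe0"),    # genuine OLE2 Word document
    ("setup.exe", b"MZ\x90\x00"),          # honest executable, nothing hidden
]


def scan(samples):
    """Map each suspicious filename to its findings; clean files are omitted."""
    results = {}
    for name, head in samples:
        findings = assess_file(name, head)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```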

Types of Trojan

There are various types of Trojans, which work according to specific goals and objectives, and they range from mild to destructive. They include the Destructive Trojan, HTTP Trojan, Botnet Trojan, Notification Trojan, Mobile Trojan, FTP Trojan and VNC Trojan.

[Image: Types of Trojans]

E-banking Trojans

These Trojans are used to capture sensitive information from victims before it is encrypted for transmission. This information is sent to the attacker's command center.

[Image: E-banking Trojan]

ZeuS and SpyEye are e-banking Trojans that are used to steal credit card details and other confidential information from infected computers. SpyEye interferes with online transactions, stealing information such as credit card details. The Trojan can work in three different ways:

  • TAN grabber: The Trojan intercepts the transaction authentication number and swaps it with a random number that the bank rejects. The malicious attacker can then use the intercepted TAN number to gain information on the victim's login details.

  • Injection: Malicious attackers use this method to extract credit card details from target systems by injecting forms into banking pages. Once this information is gleaned, the attacker uses it to impersonate the victim's account.

  • Form grabber: The Trojan intercepts the scramble pad input when the victim enters their numbers and access code. The attackers do this by examining the POST requests and responses transmitted to the victim's phone.

Command shell Trojan

This allows the attacker to have access to a command shell on the target system. The Trojan is installed and opens a port through which the attacker controls the victim's system.

Defacement Trojans

This is used by attackers to tamper with strings, logos and bitmaps in Windows programs. This means attackers have the opportunity to deface applications on Windows operating systems, using user-styled custom applications.

Botnet Trojans

This is used by attackers to cover a lot of ground with systems in the same geographical location. Attackers target a number of systems and create what is termed a network of bots. This collection is controlled from the command and control center. The botnet Trojan is special in that it allows for varying types of attacks: click fraud, spamming, DoS attacks and credit card information theft.

Proxy server Trojans

This is used by attackers to gain access to the internet through a victim's system. It works on many systems on the internet today without being detected by the machine's defenses, because once the Trojan is introduced into the system, a hidden proxy server is started on the target system.

FTP Trojans

These are used by attackers to gain unlimited access to files on the target machine. This is done by installing an FTP server on the host system, which in turn opens an FTP port.

VNC Trojan

This Trojan is difficult to discover and can stay well hidden in the target system for a while without the system's defenses noticing. It works by starting a VNC server daemon on the target system once the VNC Trojan has been installed.
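The command shell, FTP and VNC Trojans above all share one observable trait: they stand up a listener on a port the host did not have before. This added example (not from the article) audits `netstat -ano`-style output against an approved baseline of listening ports for the host and labels the well-known services the page mentions. The netstat text is a constructed sample, not output captured from a real machine, and the baseline is an assumed one for a workstation.

```python
import re

# Matches one Windows `netstat -ano` row for a TCP socket in LISTENING state,
# capturing the local port and the owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)

# Services the Trojan types above typically expose (standard port numbers).
SERVICE_NAMES = {21: "FTP", 23: "Telnet", 5900: "VNC"}

# Constructed sample in the style of `netstat -ano`; the 60101 listener is invented.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       6044
  TCP    0.0.0.0:60101          0.0.0.0:0              LISTENING       6102
  TCP    192.168.1.20:49700     93.184.216.34:443      ESTABLISHED     2400
"""

# Assumed approved listeners for a plain workstation (RPC endpoint mapper and SMB).
WORKSTATION_BASELINE = {135, 445}


def parse_listeners(netstat_text):
    """Return {port: pid} for every TCP socket in LISTENING state."""
    return {int(port): int(pid) for port, pid in LISTEN_RE.findall(netstat_text)}


def audit_listeners(listeners, baseline):
    """Flag every listening port that is not in the approved baseline for this host.
    Each finding is (port, pid, service label) so the PID can be investigated."""
    findings = []
    for port, pid in sorted(listeners.items()):
        if port in baseline:
            continue
        findings.append((port, pid, SERVICE_NAMES.get(port, "unknown service")))
    return findings


if __name__ == "__main__":
    for port, pid, label in audit_listeners(parse_listeners(NETSTAT_SAMPLE), WORKSTATION_BASELINE):
        print(f"unexpected listener: port {port} ({label}), PID {pid}")
```

Listeners that survive the baseline check still need the PID mapped to its image path; a legitimate VNC install and a VNC Trojan look identical at the socket level.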

Published with the express permission of the author.