Trojans
Below is the step-by-step process that attackers follow to infect a target machine using a Trojan:
Step 1: Create a new Trojan packet using a Trojan horse construction kit. New Trojan horses can be built with construction kits such as DarkHorse Trojan Virus Maker. A newly built Trojan has a higher chance of compromising the target system because security mechanisms may fail to detect it.
Step 2: Create a dropper, the part of a Trojanized packet that installs the malicious code on the target system.
Step 3: Create a wrapper, using wrapper tools such as petite.exe, Graffiti.exe, IExpress Wizard, and Elite Wrap, to bind the Trojan executable to a legitimate file so that it is installed on the target system.
Step 4: Propagate the Trojan, for example by sending it via email or instant messengers and tricking users into downloading and executing it. An active Trojan can perform malicious activities such as irritating users with constant pop-ups, changing desktops, changing or deleting files, stealing data, creating backdoors, etc.
Step 5: Execute the dropper. A dropper is software used by attackers to disguise their malware (viruses, Trojans, worms, etc.). It is an executable file containing other compressed files, and it appears to users as a legitimate application or a well-known, trusted file. When run, however, the dropper extracts the malware components hidden inside it and executes them, usually without saving them to disk, to avoid detection. Droppers include images, games, or benign messages in their package as a decoy to draw attention away from the malicious activity.
Step 6: Execute the damage routine. Most malware contains a damage routine that delivers the payload. Some payloads only display images or messages, whereas others can delete files, reformat hard drives, or cause other damage.
Communication Paths: Overt and Covert Channels
"Overt" refers to something that is explicit, obvious, or evident, whereas "covert" refers to something that is secret, concealed, or hidden. An overt channel is a legitimate channel for transferring data or information within a company network and transfers that data securely. A covert channel, on the other hand, is an illegitimate, hidden path used to move data out of a network. Covert channels are methods attackers use to hide data inside a protocol where it will not be noticed. They rely on a technique called tunneling, which carries one protocol inside another. Any process or piece of data can serve as a covert channel. This makes covert channels an attractive mode of transmission for a Trojan, because an attacker can use one to install a backdoor on the target machine. The table below lists the primary differences between overt and covert channels:
Backdoor Trojans
A backdoor is a program that can bypass standard system authentication or conventional security mechanisms such as IDS, firewalls, etc. without being detected. In these breaches, attackers use backdoor programs to access the victim's computer or network. What distinguishes this type of malware from others is that the backdoor is installed without the user's knowledge. This allows the attacker to perform any activity on the infected computer, including transferring, modifying, or corrupting files, installing malicious software, rebooting the machine, etc., without the user noticing. Attackers use backdoors to retain uninterrupted access to the target machine, and most backdoors are used in targeted attacks. Backdoor Trojans are often used to group victim computers into a botnet or zombie network that can then be used for criminal activities, and they typically appear in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process. The main difference between a RAT and a traditional backdoor is that a RAT has a user interface, the client component, which the attacker uses to issue commands to the server component residing on the compromised machine, whereas a backdoor does not. For example, an attacker identifies vulnerabilities in a target network and implants a backdoor named networkmonitor.exe, which is installed on a victim machine in that network without being detected by the network security mechanisms. Once installed, networkmonitor.exe gives the attacker uninterrupted access to the victim's machine and the target network.
Exploit Kit
An exploit kit, or crimeware toolkit, is used to exploit security loopholes in software applications such as Adobe Reader, Adobe Flash Player, etc. in order to deliver malware such as spyware, viruses, Trojans, worms, bots, backdoors, buffer overflow scripts, or other payloads to the target system. Exploit kits come with pre-written exploit code, so they are easy to use for an attacker who is not an IT or security expert. They also provide a user-friendly interface for tracking infection statistics and a remote mechanism for controlling compromised systems. Using exploit kits, an attacker can target browsers, programs accessible through a browser, zero-day vulnerabilities, and exploits updated alongside new patches. Exploit kits are used against users running insecure or outdated software applications on their systems.
Rootkit Trojans
As the name indicates, "rootkit" is made up of two terms, "root" and "kit". "Root" is the UNIX/Linux term equivalent to Administrator in Windows, and "kit" denotes the set of programs that allow someone to obtain root/admin-level access to the computer by executing them. Rootkits are potent backdoors that specifically attack the root or the OS. Unlike backdoors, rootkits cannot be detected by observing services, the system task list, or the registry. Rootkits give the attacker full control of the victim's OS. Rootkits cannot propagate by themselves, and that fact has caused a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three pieces of code: a dropper, a loader, and the rootkit. The dropper is the executable program or file that installs the rootkit. Activating the dropper usually requires human intervention, such as clicking a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.
Covert Channel Trojans
The Covert Channel Tunneling Tool (CCTT) Trojan offers various exploitation techniques for creating arbitrary data transfer channels inside data streams that a network access control system has authorized. It enables attackers to obtain an external server shell from within the internal network and vice versa. It sets up a TCP/UDP/HTTP CONNECT|POST channel that carries TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box inside the internal network.
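As an added defensive example (not code from the original text or from any tool it names), the following screens a web proxy log for the CONNECT/POST tunnels described in the two covert channel passages above. The log format, the hosts and the thresholds are constructed assumptions; real proxies log different fields.

```python
"""Flag proxy sessions that look like CCTT-style tunnels: HTTP CONNECT or POST used
to carry another protocol (SSH, SMTP, ...) past network access controls.
Constructed log format, one line per session:
  ts client method target status bytes_to_server bytes_to_client duration_s"""
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}   # assumption: policy permits CONNECT only for TLS
LONG_SESSION_S = 600            # assumption: page loads finish far sooner than tunnels
UPLOAD_RATIO = 2.0              # tunnelled shells/uploads send more than they receive

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.9 shows three tunnel patterns.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 CONNECT www.example.com:443 200 1200 48000 3
2024-05-01T09:00:02Z 10.0.0.5 GET http://www.example.com/index.html 200 400 15000 1
2024-05-01T09:01:00Z 10.0.0.9 CONNECT 203.0.113.7:22 200 90000 12000 1800
2024-05-01T09:05:00Z 10.0.0.9 CONNECT cdn.example.net:443 200 350000 9000 2400
2024-05-01T09:06:00Z 10.0.0.9 POST http://203.0.113.7/upload 200 50000 200 5
2024-05-01T09:06:10Z 10.0.0.9 POST http://203.0.113.7/upload 200 50000 200 5
2024-05-01T09:06:20Z 10.0.0.9 POST http://203.0.113.7/upload 200 50000 200 5
"""

def parse(line):
    ts, client, method, target, status, out_b, in_b, dur = line.split()
    return dict(ts=ts, client=client, method=method, target=target,
                status=int(status), out=int(out_b), inb=int(in_b), dur=int(dur))

def find_tunnels(log_text, post_repeat=3):
    """Return (client, target, reason) triples for sessions worth an analyst's look."""
    findings = []
    post_counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        e = parse(line)
        key = (e["client"], e["target"])
        if e["method"] == "CONNECT":
            port = int(e["target"].rsplit(":", 1)[1])
            if port not in ALLOWED_CONNECT_PORTS:
                # CONNECT to 22/25/110 etc. is the raw form of the channel
                findings.append((*key, f"CONNECT to non-TLS port {port}"))
            elif e["dur"] >= LONG_SESSION_S and e["out"] > UPLOAD_RATIO * e["inb"]:
                # CONNECT to 443 can still be a tunnel: long-lived and upload-heavy
                findings.append((*key, "long-lived CONNECT with upload-heavy traffic"))
        elif e["method"] == "POST":
            # the POST variant chunks the stream into repeated requests to one URL
            post_counts[key] += 1
            if post_counts[key] == post_repeat:
                findings.append((*key, f"{post_repeat}+ repeated POSTs to same URL"))
    return findings

if __name__ == "__main__":
    for client, target, reason in find_tunnels(SAMPLE_LOG):
        print(f"{client} -> {target}: {reason}")
```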
Crypters
A crypter is software that encrypts the original binary code of an .exe file. Attackers use crypters to hide viruses, spyware, keyloggers, Remote Access Trojans (RATs), and similar programs so that anti-virus software cannot detect them. The following is one of the crypters that can be used to hide malicious programs from security mechanisms.
BitCrypter
Source: https://www.crypter.com
BitCrypter can be used to encrypt and compress 32-bit executables and .NET apps without affecting their functionality. A Trojan or other malicious program can be encrypted onto a legitimate piece of software to bypass firewalls and anti-virus software. BitCrypter supports a wide range of operating systems, from Windows XP to the latest Windows 10.
Evading Anti-Virus Techniques
Following is a list of techniques that can be used to make malware such as Trojans, viruses, and worms undetectable by anti-virus applications.
1. Break the Trojan file into multiple pieces and zip them into a single file.
2. Always write your own Trojan and embed it into an application (an anti-virus program fails to recognize new Trojans, as its database does not contain the proper signatures).
3. Change the Trojan's syntax:
o Convert an EXE to a VB script
o Change the .EXE extension to .DOC.EXE, .PPT.EXE, or .PDF.EXE (Windows hides "known extensions" by default, so the file shows up only as .DOC, .PPT, or .PDF)
4. Change the content of the Trojan using a hex editor.
5. Change the checksum and encrypt the file.
6. Never use Trojans downloaded from the Web (anti-virus software detects these easily).
7. Use binder and splitter tools that are capable of changing the first few bytes of the Trojan program.
8. Perform code obfuscation or morphing. Morphing is done to keep the anti-virus program from distinguishing between a malicious and a harmless program.
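As an added example from the defender's side (not code from the original text), here is an attachment screen that catches the disguises listed above: the .DOC.EXE style double extension, an executable carrying a document name (checked by its MZ header), EXE-to-script conversions, and executables split into zip archives. The file names and contents are constructed in memory; the extension lists are assumptions a real gateway policy would extend.

```python
"""Screen e-mail attachments for the file-name and packaging tricks listed above.
Each check_attachment() call returns the list of reasons the file is suspicious."""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
SCRIPT_EXTS = {".vbs", ".js", ".hta"}
RUNNABLE = EXEC_EXTS | SCRIPT_EXTS
DOC_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".pdf", ".xls", ".xlsx", ".txt"}

def _exts(name):
    """'invoice.pdf.exe' -> ['.pdf', '.exe']; Explorer would show only 'invoice.pdf'."""
    return ["." + p for p in name.lower().split(".")[1:]]

def check_attachment(name, data, in_archive=False):
    reasons = []
    exts = _exts(name)
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and last in RUNNABLE and exts[-2] in DOC_EXTS:
        reasons.append("double extension: document name ending in executable")
    if data[:2] == b"MZ" and last not in EXEC_EXTS:
        # PE magic bytes under a .doc/.pdf/.vbs name: the extension lies
        reasons.append("PE header (MZ) under non-executable name")
    if last in SCRIPT_EXTS:
        reasons.append("script attachment (possible EXE-to-VBScript conversion)")
    if last in RUNNABLE:
        reasons.append("executable inside archive" if in_archive else "executable attachment")
    if last == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in check_attachment(member, zf.read(member), in_archive=True):
                        reasons.append(f"{member}: {r}")
        except zipfile.BadZipFile:
            reasons.append("non-zip content with .zip name")
    return reasons

def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()

# Constructed samples: one benign document and four disguised executables.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 ...",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "report.doc": b"MZ\x90\x00",
    "macro.docx.vbs": b"Set o = CreateObject(...)",
    "part1.zip": _zip_bytes({"readme.txt": b"hi", "update.exe": b"MZ\x90\x00"}),
}

def screen(samples):
    """Return {name: reasons} for every sample that trips at least one check."""
    flagged = {}
    for name, data in samples.items():
        reasons = check_attachment(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged
```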
Mirai
Mirai is a self-propagating botnet that infects poorly protected internet devices (IoT devices). Mirai uses the telnet port (23 or 2323) to find devices that are still using their factory default username and password. Most IoT devices use default usernames and passwords, and the Mirai botnet can infect many such insecure devices and coordinate them to mount a DDoS attack against a chosen victim.
Features:
o Login attempts with 60 different factory default username and password pairs
o Built for multiple CPU architectures (x86, ARM, SPARC, PowerPC, Motorola)
o Connects to a CnC server that lets the attacker specify an attack vector
o Increases bandwidth usage on infected bots
o Identifies and removes competing malware
o Blocks remote administration ports
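As an added defensive example (not code from the original text or from Mirai itself), this checks telnet login records on port 23 and 2323 for the pattern just described: one source trying many distinct default credential pairs within a short window, and whether any of them succeeded. The log format, the credential pairs, the addresses and the thresholds are constructed assumptions.

```python
"""Spot Mirai-style default-credential spraying in telnet login logs.
Constructed log format: ts src_ip dst_port username password RESULT"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}
MIN_DISTINCT_PAIRS = 5      # assumption: a human admin retries a few times, not dozens
WINDOW = timedelta(minutes=2)

# Constructed sample: 198.51.100.4 sprays defaults and finally gets in;
# 192.0.2.10 is an admin who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.4 23 admin admin FAIL
2024-05-01T10:00:01Z 198.51.100.4 23 root root FAIL
2024-05-01T10:00:01Z 198.51.100.4 23 root 12345 FAIL
2024-05-01T10:00:02Z 198.51.100.4 23 admin 1234 FAIL
2024-05-01T10:00:02Z 198.51.100.4 23 user user FAIL
2024-05-01T10:00:03Z 198.51.100.4 23 support support OK
2024-05-01T10:30:00Z 192.0.2.10 23 admin wrongpw FAIL
2024-05-01T10:30:05Z 192.0.2.10 23 admin s3cret! OK
2024-05-01T11:00:00Z 198.51.100.4 2323 admin admin FAIL
"""

def parse(line):
    ts, src, port, user, pw, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, int(port), (user, pw), result

def find_sprayers(log_text):
    """Return {src_ip: summary} for sources that tried >= MIN_DISTINCT_PAIRS
    different credential pairs on a telnet port inside one WINDOW."""
    attempts = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, port, pair, result = parse(line)
        if port in TELNET_PORTS:
            attempts[src].append((ts, pair, result))
    alerts = {}
    for src, events in attempts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            pairs = {e[1] for e in window}
            if len(pairs) >= MIN_DISTINCT_PAIRS:
                # a successful login after a spray means the device still runs a default
                alerts[src] = {"distinct_pairs": len(pairs),
                               "login_succeeded": any(e[2] == "OK" for e in window)}
                break
    return alerts
```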
PoisonIvy
PoisonIvy gives the attacker practically complete control over the infected computer. The PoisonIvy Remote Administration Tool is created and controlled by a PoisonIvy management program or kit. The kit consists of a graphical user interface, and the backdoors it produces are small, typically under 10 kB in size. Once the backdoor is executed, it copies itself to either the Windows folder or the Windows\system32 folder. The filename and location of the backdoor are defined by its creator when using the PoisonIvy kit to build the server program. Some variants of PoisonIvy can copy themselves into an Alternate Data Stream. A registry entry for the backdoor is added to ensure that it starts every time the computer boots. The server then connects to a client at an address defined when the server part was created. Communication between the server and client programs is encrypted and compressed. PoisonIvy can be configured to inject itself into a browser process before making an outgoing connection, which helps it bypass firewalls.
Features:
o File modification, deletion, and transfer to and from the infected system
o The Windows registry can be viewed and edited
o Currently running processes can be viewed and suspended or killed
o Current network connections can be viewed and shut down
o Services can be viewed and controlled (for example stopped or started)
o Installed devices can be viewed, and some devices can be disabled
o The list of installed applications can be viewed, and entries can be deleted or programs can be uninstalled
o Access to the Windows command shell on the infected computer
o Information theft by taking screenshots of the desktop and recording audio or webcam footage
o Access to saved passwords and password hashes
EquationDrug
EquationDrug is a dangerous computer rootkit that attacks the Windows platform. It performs targeted attacks against various organizations and arrives on the infected system by being downloaded and executed by the Trickler dubbed "DoubleFantasy", covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It allows a remote attacker to execute shell commands on the infected system.
Necurs
The Necurs botnet is a distributor of many pieces of malware, most notably Dridex and Locky. It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself. Necurs is distributed through spam e-mails and downloadable content from questionable or illegal sites, and it is indirectly responsible for a significant portion of cybercrime. On 20 March 2017, the Necurs botnet engaged in a pump-and-dump spam scheme that tried to artificially boost the stock market price of the Incapita company.
Features:
o Destruction of the system
o Turning the PC into a spying tool
o Electronic money theft
o Botnet participation and mining
o Serving as a gateway for other viruses
RIG Exploit Kit
The RIG Exploit Kit is one of the most popular exploit kits of recent times, distributing a wide range of malware. RIG EK was first discovered in 2014 and efficiently distributes many exploits. Attackers have used RIG EK successfully to distribute the Cryptobit, CryptoLuck, CryptoShield, CryptoDefense, Sage, Spora, Revenge, PyCL, Matrix, Philadelphia, and Princess ransomware families, as well as the LatentBot, Pony, and Ramnit Trojans and the well-known banking Trojan ZeuS. The latest version of the RIG exploit kit takes advantage of outdated versions of applications such as Flash, Java, Silverlight, Internet Explorer, or Microsoft Edge to distribute the Cerber ransomware.
Features:
o Redirection to the RIG EK landing page is performed via a standard 302 redirect
o Domain auto-rotator to avoid blacklisting and detection
o FUD (fully undetectable) exploits
o Combines different web technologies, such as DoSWF, JavaScript, Flash, and VBScript, to obfuscate the attack
Proxy Server Trojans
A Trojan proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy for connecting to the Internet. Once it infects a machine, a proxy server Trojan starts a hidden proxy server on the victim's computer. Attackers use it for anonymous Telnet, ICQ, or IRC sessions, to purchase goods with stolen credit cards, and for other illegal activities. The attackers have full control over the users' systems and can launch attacks on other systems from an affected user's network. If the authorities detect the illegal activity, the footprints lead to the innocent users rather than to the attackers, potentially causing legal trouble for the victims, who are ostensibly responsible for their network and for any attacks launched from it. Thousands of machines on the Internet are infected with proxy servers through this technique.
njRAT
njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it can access a victim's camera, steal credentials stored in browsers, upload and download files, perform process and file manipulations, and view the victim's desktop. This RAT can be used to control botnets (networks of computers), allowing the attacker to update, uninstall, disconnect, restart, or close the RAT and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the Command and Control server software.
Features:
o Remotely access the victim's computer
o Collect the victim's information, such as IP address, hostname, OS, etc.
o Manipulate files and system files
o Open an active remote session giving the attacker access to the victim machine's command line
o Log keystrokes and steal credentials from browsers