Jason Dion Section 3
Masquerading:
where your dropper is going to replace a genuine executable with a malicious one
Whenever you are browsing the internet you need to set your security settings in Internet Options to-
a non-trusted level, meaning you have a very low level of trust for sites on the internet. This will limit the amount of cookies, popups, etc. that could allow spyware to be installed on your system.
Backdoors are used to-
bypass normal security and authentication functions
Process Hollowing.
when a dropper starts a process in a suspended state and then rewrites the memory locations containing the process code with the malware code. Essentially it's taking over someplace in memory and putting our malicious code in there
Downloader
A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper
How does an APT use modern malware to operate? Step 4
Actions on objectives: the attacker now has enough permissions where they can start to do what they want to do, usually copying, stealing and encrypting files
Shellcode (def for exam)
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
How does an APT use modern malware to operate? Step 5
Concealment: maintaining tool access, they start to hide themselves and start covering their tracks by deleting log files, etc. If they remain undetected they can come back later
Attack Vector
Method used by an attacker to gain access to a victim's machine in order to infect it with malware
Easter Egg
Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature
Active Interception
Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them
(7) 7th step of removing malware
Provide end user security awareness training; we want to make sure this doesn't happen again
Dropper:
Specialized type of malware designed to install or run other types of malware embedded in a payload on an infected host. Uses a downloader to DL even more code
Detection of an adversary is more difficult when they are executing malware code within-
Standard tools and processes (living off the land) A LOT harder to detect.
The final symptom of malware infection is the inability to use _____________
System Restore, because the malware does not want you to be able to restore to a known good backup.
Threat Vector
The method a threat uses to gain access to a target computer.
During the initial stages of Privilege Escalation, how does the hacker receive user level credentials?
Using malware, a phishing attack, or an impersonation; whatever the method may be, you get into the system as a user by tricking an end user into doing something for me, granting me user level credentials. The end goal of a Privilege Escalation attack is to gain admin or root level credentials however....
Living off the land example
Using your own PowerShell against you (Windows), Bash scripting (Linux); using the tools that are native to your OS in a malicious way
DLL Sideloading
Where the dropper is going to exploit a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime; essentially you sideload by making it load this malicious thing
DLL injection
Where the dropper starts forcing a process to load as part of the DLL. So, it's going to load the DLL AND the malicious code
What is a real world example of Active Interception?
You bring your laptop to a local coffee shop and connect to what you believe is the coffee shop Wifi, however it is actually a hacker's network who is sitting in the shadows. All of your internet traffic is being directed through the hacker's network, who is then sending you out to the internet. It still seems you are connected, but the hacker can see usernames and passwords and modify files that are coming to us, infecting these with malware.
blue screens are sometimes caused by malware that
causes the pc to lock up or stop responding to you frequently. Common symptom of malware
Another symptom of malware infection could be new files and folders that have been-
created or files and folders that are missing/corrupted. As a piece of malware goes about your system it may delete folders from corruption or create files to hide in.
Living off the land
Exploit techniques that use standard system tools and packages to perform intrusions
Watering Hole
"Malware is placed on a website that you know your potential victims will access." Places that people go to often online. Examples can be suppliers' sites where you go to check your invoices. Malware can be embedded into websites to make them watering holes.
(6) 6th step of removing malware
Enable System Restore and create a new restore point from a known good backup
Malware infections usually start-
-within software, messaging, and media
Netmask 255.255.255.0
/24, 254 host IP addresses
How does an APT use modern malware to operate? Step 1
1) Dropper or downloader: the 1st step is the malware has to get on your pc in a fileless manner by running lightweight shellcode on your system. By doing this it becomes a dropper or a stage 1 dropper, and it's then going to go out and DL the rest of the code.
How do you know if you have been infected by spyware?
1) If you see a lot of popup ads based on your previous traffic, from spyware, cookies, or database retention settings on their end of the server.
3 main tips to keep spam out of your organization
1) Remove email addresses from the website 2) Use whitelists and blacklists 3) Train and educate end users; users are one of our biggest vulnerabilities
3 main points regarding the prevention of malware
1) Update your anti-malware software automatically, and scan your pc 2) Always update and patch your OS and applications regularly 3) Train and educate end-users on safe internet surfing practices
How is a privilege escalation successfully used?
Exploiting bugs in software, the OS, or the application that lets me get closer to the kernel and be able to operate as an admin or root user.
Botnet
A collection of compromised computers under the control of a master node
zombie
A computer that is controlled by a hacker who uses it to launch attacks on other computer systems.
what is a DDoS?
A distributed denial of service (DDoS) attack occurs when multiple systems attack a single system at the same time.
In addition to having good antivirus software, what else should you have?
A good host-based firewall that will help keep outside people from connecting to your machine. ALSO try to use encrypted websites; this prevents a man in the middle from seeing your data
Rootkits are-
A type of malware that installs itself and tries to bypass OS functions, acting as a go-between between the OS and the kernel. This makes them very difficult to detect.
What is a dropper?
A very small file that can run very easily from memory. The whole point is to trick the user into clicking something to run the code that infects their machine. The malware, now being on your PC, will then install the 2nd stage downloader
Once a shellcode is created as a process on the target system, code injection is a possible next step, explain this term:
Exploit technique that runs malicious code with the identification number of a legitimate process.
A lot of malware is designed to attack anti-
Anti virus software to persist even longer
Worms, Trojans, and Ransomware are best detected with-
Anti-Malware Solutions. Must be up to date for definitions and for its scanning engine.
Viruses are most often detected using a good-
Antivirus software: 3rd party solutions, or Windows Defender. Must continually update/download service packs to not allow viruses to take advantage of a known exploit.
How are botnets and DDoS related?
Botnets can launch attacks on systems by using zombies under their control to attack a single server all at the same time, causing the server to crash and be unable to serve its real customers.
Strange noises occur; unusual error messages; display looks strange; jumbled printouts (symbols instead of letters)
Could be a malware or virus infection
How are zombies in a Botnet used to make money?
Crypto mining on behalf of the C2 or command and control node owning the botnet. This uses some of each zombie's processing power.
Botnets can be used in other Processor Intensive functions and activities such as-
Crypto mining, breaking encryption. Most of the time your machine will slow down a bit, but it's almost barely noticeable.
Logic Bomb
Descendant of an easter egg; it is when malicious code has been inserted inside a program and will execute only when certain conditions have been met. A disgruntled employee may have left this to trigger if he/she is ever terminated.
Exploit technique:
Describes the specific method by which malware code infects a target host
(3) 3rd step in removing malware
Disable System Restore, only if you're using a Windows machine. You do not want to accidentally create a snapshot of your machine while it was affected; this could cause you to re-infect your machine at a future time. Delete any of the snapshots you think may be infected.
Another way that malware may try to hide in your system is by using double-
Double file extensions, such as textfile.txt.exe
(1) First step in removing Malware
Identify symptoms of a malware infection. What is the pc doing that makes you think it's infected? Have new files been created? Is the pc acting slow? Gibberish showing on the screen? Notate these. This will help you determine what kind of virus is affecting you
How does an APT use modern malware to operate? Step 2
Maintain Access: the dropper then begins to download the 2nd stage downloader, such as a RAT, which will give the adversary C2 over the victim machine
What is the first unofficial step of removing malware?
Making sure you have a good backup. Worst case scenario you have to delete everything and start all over.
Privilege Escalation
Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn't able to access.
(2) 2nd step in removing malware
Quarantine the infected systems. You want to prevent this system from communicating with other systems so that the malware is unable to spread. Unplug the network cable or disable the network card
What is typo squatting?
Redirecting a user to a fictitious website based on a misspelling of the URL.
(4) 4th step of removing malware
Remediate the infected system: updating our antivirus/anti-malware software, rebooting into safe mode or from an external hard drive, and scanning with antivirus software. Booting into safe mode reduces the amount of files in use and thus increases the amount of files that may be scanned
(5) 5th step of removing malware
Schedule automatic updates and scans. Ensures that we have removed the malware and can prevent it from returning. The most common way of getting malware onto a system is by not having an updated anti-malware solution. Need to scan weekly at a minimum
Logic bombs and easter eggs should not be used according to-
Secure coding standards
If you are inside Windows while already being infected by a rootkit, then it has the ability to tell Windows-
that you are not infected when you really are.
How does an APT use modern malware to operate? Step 3
Strengthen their access: use the remote access tool from the last step, start looking around, identifying and infecting other systems. As they are doing this they are trying to find systems of higher value like servers or domain controllers, but even if not, they want to compromise other workstations too, moving laterally to gain more privileges.
Another tactic to remove malware from a machine is to physically remove the hard drive and connect it to a clean workstation as a secondary drive, then scan it using the clean workstation.
The files on the hard drive won't be in use, so you can more easily detect and remove that malware
How do you combat having your email server used to send spam?
Verify your email servers aren't configured as open mail relays or SMTP open relays
In the old days an exploit technique used was where the malware would rewrite or modify-
the code in an executable or a macro file on a target disk so that whenever the file was run, the virus was loaded and it could execute its payload and go out and do bad things
If your pc is acting strange it may be infected. The best strategy is to boot from-
an external hard drive or into safe mode and scan your pc with a good antivirus software while in these modes.
Droppers are likely to implement ____________ techniques to prevent detection and analysis
anti-forensics; things such as encrypting, compressing, or obfuscating their payloads.
What is phishinsight?
Creates phishing campaigns to test your employees' knowledge about not clicking random email links
Spyware is software that's installed on your machine that snoops on you; it collects-
data and sends it back to its owners. To stop spyware you need a good anti-spyware product, either 3rd party or Windows Defender.
By being fileless this means that the malware is executed-
directly, or as a script or a small piece of shellcode that creates a process in the system memory without having to use the local file system. Some files may be stored in a temporary folder and later delete themselves.
Another sign that your pc may be infected with malware is if your desktop icons begin to-
disappear or new ones are added.
Most modern malware uses-
fileless techniques to avoid detection by signature-based security software.
If a boot sector virus is suspected, reboot the pc from-
an external device and scan it. If you boot from the internal hard drive it's going to read from the boot sector and load up the virus whether you're in safe mode or normal mode. When you boot from an external hard drive, CD, etc., you can scan the internal hard drive including the boot sector
In the old days worm malware would-
go out and try to infect only the memory, and go through a process of making remote procedure calls over the network trying to infect as many other hosts as it could.
How can a zombie be a pivot point for hackers?
When hackers attack a server or get a new victim through your zombie, it looks like you are the one who is attacking them instead of the master node. Hackers can also use zombies to host files such as CP. Zombies can be used for phishing campaigns and spam as well.
Your pc might be infected if-
it begins to act strange
Scanners can detect a file containing a rootkit before-
it is installed, but once it is installed it becomes very difficult to detect. To scan your system for a rootkit, you must boot from an external drive
Another dead give-away that you have spyware on your machine is if you go to your homepage but-
it is no longer your homepage. For instance, instead of taking you to Google, your homepage is dailymail.uk
Spam: where it becomes an issue is when the spammer starts to use your-
mail servers to send their spam.
Shellcode: for PenTest CompTIA exam
Originally referred to malware code that would give the attacker a shell or a command prompt on the target system
Remote Access Trojan
Placed by an attacker to maintain persistent access. Operates much like a backdoor. One way a RAT could infect your computer is if you click a spearphishing link and download malware onto your pc
The removal of a rootkit is difficult and the best plan is to-
reimage the machine from a known good baseline.
If your pc restarts or crashes a lot, or your hard drives, files, or applications are NOT accessible anymore, this could be-
a symptom of malware infection, because when a virus takes over a file it can change the permissions on the file
What does a double file extension do to infect your pc further?
textfile.txt.exe may appear as textfile.txt with a hidden .exe on the end. This can embed malware even further.