The primary objective of this module is to provide knowledge about various types of malware. It covers different types of Trojans, backdoors, viruses, and worms; the way they work and propagate or spread on the Internet; their symptoms; and their consequences. The module also discusses different ways to protect networks or system resources from malware infection. Finally, it provides a brief discussion of the penetration testing process to enhance security against malware.
At the end of this module, you will be able to:
■ Describe the concepts of malware and malware propagation techniques
■ Describe the concepts of Trojans, their types, and how they infect systems
■ Explain the concepts of viruses, their types, and how they infect files
■ Explain the concept of computer worms
■ Perform malware analysis
■ Explain different techniques to detect malware
■ Apply malware countermeasures
■ Perform malware penetration testing
To understand various types of malware and their impact on network and system resources, we will begin with the basic concepts of malware. This section describes malware and highlights the common techniques attackers use to distribute malware on the Web.
[Slide: types of malware shown in the figure: Trojan Horse, Virus, Backdoor, Worms, Adware, Crypter]
Introduction to Malware
Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to its creator for theft or fraud. Malware includes viruses, worms, trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware, crapware, rogueware, crypters, keyloggers, etc. These may delete files, slow down computers, steal personal information, send spam, and commit fraud. Malware can perform various malicious activities that range from simple email advertising to complex identity theft and password stealing. Malware programmers develop and use it to:
■ Attack browsers and track websites visited
■ Affect system performance, making it very slow
■ Cause hardware failure, rendering computers inoperable
■ Steal personal information, including contacts
■ Erase valuable information, resulting in substantial data losses
■ Attack additional computer systems directly from a compromised system
■ Spam inboxes with advertising emails
[Slide: twelve ways malware can get into a system]
1. Instant messenger applications
2. Portable hardware media / removable devices
3. Browser and email software bugs
4. Insecure patch management
5. Rogue / decoy applications
6. Untrusted sites and freeware web applications/software
7. Downloading files from the Internet
8. Email attachments
9. Network propagation
10. File sharing services (NetBIOS, FTP, SMB)
11. Installation by other malware
12. Bluetooth and wireless networks
Different Ways a Malware Can Get into a System
■ Instant Messenger Applications
Infection can occur via instant messenger applications such as Facebook Messenger, WhatsApp Messenger, LinkedIn Messenger, Google Hangouts, ICQ, or Yahoo Messenger. Users are at high risk while receiving files via instant messengers. No matter from whom or from where, there is always some risk of infection by a Trojan. The user can never be 100% sure of who is at the other end of the connection at any particular moment. For example, if you receive a file through an instant messenger from a known person such as Bob, you will try to open and view the file. This could be a trick: an attacker who has hacked Bob's messenger ID and password wants to spread Trojans over Bob's friends' contact list to trap more victims.
■ Portable Hardware Media / Removable Devices
o Portable hardware media like flash drives, CDs/DVDs, and external hard drives can also inject malware into a system. The simplest way of injecting malware into the target system is by physical access. For example, if Bob can access Alice's system in her absence, then he can install a Trojan by copying the Trojan software from his flash drive onto the hard drive.
o Another way portable media causes malware infection is through the Autorun function. Autorun, also referred to as Autoplay or Autostart, is a Windows feature that, if enabled, runs an executable program when a user inserts a CD/DVD in the DVD-ROM tray or connects a USB device. Attackers can exploit this feature to run malware along with genuine programs. They place an Autorun.inf file with the malware on a CD/DVD or USB device and trick people into inserting or plugging it into their systems. Because many people are not aware of the risks involved, their machines are always vulnerable to autorun malware. The following is the content of an Autorun.inf file:
[autorun]
open=setup.exe
icon=setup.exe
To mitigate such infection, turn off the Autostart functionality. Follow the instructions given below to turn off Autoplay in Windows 10:
1. Click Start. Type Gpedit.msc in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or confirmation, type the password, or click Allow.
3. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
4. In the Details pane, double-click Turn off Autoplay.
5. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
6. Restart the computer.
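Turning Autoplay off stops Windows from acting on the file, but a defender inspecting removable media still wants to know which Autorun.inf directives would have launched a program. The Python script below is an added example, not part of the original module: it parses the [autorun] section of an Autorun.inf file like the one shown above and reports the directives that cause code execution (open=, shellexecute=, and shell\<verb>\command= entries). The sample file contents and the function names are constructed for this illustration.

```python
"""Flag Autorun.inf directives that would launch a program on media insertion.

Added example (not from the original module). Parses the [autorun] section
of an Autorun.inf file and reports which keys would cause Windows to run
a program when Autoplay is enabled. Samples below are constructed.
"""
import configparser
from typing import Dict, List

# Directives that run a program directly when Autorun is enabled.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: the Autorun.inf content shown in the module text.
SAMPLE_AUTORUN_INF = """[autorun]
open=setup.exe
icon=setup.exe
"""

# Constructed sample: a benign file that only sets an icon and a label.
BENIGN_AUTORUN_INF = """[autorun]
icon=disk.ico
label=Holiday Photos
"""

# Constructed sample: no open= key, but a context-menu verb that runs a program.
VERB_AUTORUN_INF = """[autorun]
label=Backup
shell\\open\\command=run.exe
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # Autorun.inf keys are case-insensitive
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def launch_directives(text: str) -> List[str]:
    """List the directives in an Autorun.inf that would run a program.

    Covers 'open=' and 'shellexecute=' plus any 'shell\\<verb>\\command='
    entry, which sets the program run for an Explorer context-menu verb.
    """
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            findings.append(f"{key}={value}")
    return findings


if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_AUTORUN_INF),
                          ("benign", BENIGN_AUTORUN_INF),
                          ("verb", VERB_AUTORUN_INF)):
        print(name, "->", launch_directives(content) or "no launch directives")
```

Run it against the Autorun.inf found on a drive (for example by reading the file and passing its text to launch_directives) to see at a glance whether the file merely customises the icon or would have started an executable.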
■ Browser and Email Software Bugs
Outdated web browsers often contain vulnerabilities that can pose an immense risk to the user's computer. A visit to a malicious site from such a browser can automatically infect the machine without downloading or executing any program. The same scenario occurs while checking e-mail with Outlook Express or other software with well-known problems. Again, it may infect the user's system without even downloading an attachment. To reduce these risks, always use the latest version of the browser and e-mail software.
■ Insecure Patch Management
Unpatched software poses a high security risk. Users and IT administrators do not update their application software as often as they should, and many attackers take advantage of this well-known fact. Due to insecure patch management, attackers can exploit vulnerabilities by injecting malware into the software, which can damage the data stored on the company's systems. This can lead to extensive security breaches such as the theft of confidential files and company credentials. Some of the applications that were found vulnerable and patched recently are MS Word (CVE-2017-0281), MS Excel (CVE-2017-0006), Internet Explorer (CVE-2017-0018), SQL Server (CVE-2016-7254), Oracle Java JDK (CVE-2017-3512), Adobe Acrobat Reader (CVE-2017-3118), and Adobe Flash Player (CVE-2017-2990). Patch management has to be effective to mitigate the threat, and it is vital to apply patches and update software on a regular basis.
■ Rogue/Decoy Applications
Attackers can easily lure a victim into downloading free applications/programs. If a free program claims to be loaded with features such as an address book, access to check several POP3 accounts, and other functions, many will be tempted to try it. POP3 (Post Office Protocol version 3) is an email transfer protocol.
If a victim downloads a free program and labels it as TRUSTED, protection software such as antivirus will not indicate the use of the new software. In this situation, an attacker obtains e-mail and POP3 account passwords, cached passwords, and keystrokes through email without anyone noticing.
Attackers thrive on creativity. Consider an example in which an attacker creates a fake Audio galaxy, a Web site for downloading MP3s. He or she could generate such a site by using 15 GB of space for the MP3s and installing any other systems needed to create the illusion of a Web site. This can fool users into thinking that they are merely downloading from other network users. However, the software could act as a backdoor and infect thousands of naive users.
Some Websites even link to anti-Trojan software, fooling users into trusting them and downloading infected freeware. Included in the setup is a readme.txt file. This can deceive almost any user, so any freeware site requires proper attention before downloading any software from it.
Webmasters of well-known security portals, who have vast archives containing various hacking programs, should act responsibly regarding the files they provide and scan them often with anti-virus and anti-Trojan software to guarantee that their site is free of Trojans and viruses. Suppose an attacker submits a program infected with a Trojan (e.g., a UDP flooder) to an archive's Webmaster. If the Webmaster is not alert, the attacker may use the opportunity to infect the files on the site with a Trojan. Users who deal with any software or Web application should scan their system on a daily basis. If they detect any new file, it is essential to examine it. If any suspicion arises regarding the file, it is also important to forward it to software detection labs for further analysis. It is easy to infect machines using freeware, so extra precautions are necessary.
■ Untrusted Sites and Freeware Web Applications/Software
A website could be suspicious if it is located at a free website provider or offers programs for illegal activities. It is highly risky to download programs or tools located on "underground" sites such as NeuroticKat Software because they can serve as a conduit for a Trojan attack on target computers. Users must assess the high risk of visiting such sites before browsing them.
Many malicious Web sites have a professional look, huge archives, feedback forums, and links to other popular sites. Users should scan the files using antivirus before downloading them. Just because a Web site looks professional does not mean that it is safe.
■ Downloading Files from the Internet
Trojans enter a system when users download internet-driven applications such as music players, files, movies, games, greeting cards, and screensavers from malicious websites, thinking that they are legitimate. Microsoft Word and Excel macros are also used effectively to transfer malware; downloading a malicious MS Word/Excel file can infect the system. Malware can also be embedded in audio/video file formats and in video subtitle files.
■ Email Attachments
An attachment to an e-mail is the most common medium to transmit malware. The attachment can be in any form, and attackers use innovative ideas to trick the victim into clicking and downloading it. The attachment can be a document, song, video file, brochure, invoice, lottery offer letter, job offer letter, loan approval letter, admission form, contract approval, etc.
Example 1: A user's friend is carrying out some research, and the user would like to know more about the friend's research topic. The user sends an e-mail to the friend to inquire about the topic and waits for a reply. An attacker targeting the user also knows the friend's e-mail address. The attacker will merely code a program to falsely populate the e-mail "From:" field and attach a Trojan to the email. The user will check the email and think that the friend has answered the query in an attachment, download the attachment, and run it without thinking it might be a Trojan, resulting in an infection.
Some email clients, such as Outlook Express, have bugs that automatically execute attached files. To avoid such attacks, use secure email services and investigate the headers of emails with attachments; confirm the sender's email address and, if it is found legitimate, only then download the attachment.
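The header checks the text recommends can be automated before anyone opens an attachment. The Python script below is an added example, not part of the original module: it parses a raw message, compares the "From:" address against the envelope sender (Return-Path) and Reply-To, checks the sender against a trusted list, and flags attachments with executable or double extensions, the disguise used in the spoofing scenario of Example 1. The two messages, the trusted-sender set and the risky-extension list are all constructed assumptions for this illustration.

```python
"""Triage an e-mail with an attachment before opening it.

Added example (not from the original module). Applies header and
attachment checks to a raw RFC 5322 message. Messages, trusted senders
and the risky-extension list are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Set

# Assumed: attachment types that execute code when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com"}

# Constructed sample: "From:" claims a known friend, but the envelope sender
# and Reply-To point elsewhere and the attachment hides its real type.
SPOOFED_MESSAGE = b"""Return-Path: <bulk@mailer.example.net>
Received: from mailer.example.net ([203.0.113.10]) by mx.example.org
From: Alice <alice@example.com>
Reply-To: Alice <alice.research@webmail.example.net>
To: bob@example.org
Subject: Re: research topic
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here are my notes, see attached.
--b1
Content-Type: application/octet-stream; name="notes.pdf.exe"
Content-Disposition: attachment; filename="notes.pdf.exe"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxl
--b1--
"""

# Constructed sample: consistent headers and a document attachment.
CLEAN_MESSAGE = b"""Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.org
Subject: research topic
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxl
--b2--
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def triage_message(raw: bytes, trusted_senders: Set[str]) -> Dict[str, object]:
    """Return findings for a message; 'safe_to_open' is True only if there are none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()

    # Header consistency: the displayed sender should match where the
    # message really came from and where replies would go.
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path domain differs from From: {return_path}")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain differs from From: {reply_to}")
    if from_addr not in trusted_senders:
        findings.append(f"sender not in trusted list: {from_addr}")

    # Attachment checks: executable types and disguised double extensions.
    attachments: List[str] = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        attachments.append(name)
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if name.count(".") > 1:
            findings.append(f"double extension (disguised type): {name}")

    return {"from": from_addr, "attachments": attachments,
            "findings": findings, "safe_to_open": not findings}


if __name__ == "__main__":
    trusted = {"alice@example.com"}
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = triage_message(raw, trusted)
        print(label, "safe_to_open =", result["safe_to_open"])
        for finding in result["findings"]:
            print("  -", finding)
```

The checks are deliberately conservative: a mismatch between From and Return-Path is common for mailing lists and forwarders, so a finding means "look closer", not "malicious"; the decision to open the attachment still rests with the reader, as the text describes.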
■ Network Propagation
Network security is the first line of defense in preventing hacking incidents against information systems. However, for various reasons, such as the replacement of network firewalls or operator mistakes, unfiltered Internet traffic may sometimes be intentionally or unintentionally allowed into private networks. Malware operators continuously attempt connections to the addresses within the Internet address range owned by targets to see if an opportunity for unfettered access exists. Some malware propagates through technological networks. For example, Blaster starts from a local machine's IP address or a completely random address and attempts to infect sequential IP addresses. Although network propagation attacks that took advantage of vulnerabilities in common network protocols (e.g., SQL Slammer) have not been prevalent recently, the potential for such attacks still exists.
■ File Sharing Services (NetBIOS, FTP, SMB)
If NetBIOS (port 139), FTP (port 21), SMB (port 445), etc. on a system are open for file sharing or remote execution, they can be used by others to access the system. This can allow attackers to install malware and modify system files.
Attackers can also use a DoS attack to shut down the system and force a reboot so that the Trojan can restart itself immediately. To prevent such attacks, ensure that the file sharing property is disabled. To disable the file sharing option, click Start and type Control Panel. In the results, click the Control Panel option, then navigate to Network and Internet -> Network and Sharing Center -> Change Advanced Sharing Settings. Select a network profile and, under the File and Printer Sharing section, select Turn off file and printer sharing. This will prevent file sharing abuse.
■ Installation by other Malware
A piece of malware that can command and control will often be able to re-connect to the malware operator's site using common browsing protocols. This functionality allows malware on the internal network to receive both software and commands from the outside. In this situation, malware installed on one system drives other malware to get installed on the network and cause damage to the network.
■ Bluetooth and wireless networks
Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to it. These open networks have software and hardware devices installed at the router level that could capture the network traffic, data packets and also find the account details including username and password.
Common Techniques Attackers Use to Distribute Malware on the Web
Source: Security Threat Report (http://www.sophos.com)
Below are listed some of the standard techniques used to distribute malware on the web:
■ Blackhat Search Engine Optimization (SEO): Blackhat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get higher search engine ranking for their malware pages.
■ Social Engineered Click-jacking: Attackers inject malware into legitimate-looking websites to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user.
■ Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal passwords, credit card and bank account data, and other sensitive information.
■ Malvertising: Involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware onto the systems of unsuspecting users.
■ Compromised Legitimate Web sites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, the malware is unknowingly installed on the user's system and after that carries out malicious activities.
■ Drive-by Downloads: The unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware just merely by visiting a website.
■ Spam Emails: The attacker attaches a malicious file to an email and sends it to multiple target addresses. The attacker tricks the victim into clicking the attachment; when clicked, the malware executes, and the machine is compromised. This technique is the most common one used by attackers these days. Apart from email attachments, an attacker may also use the email body to embed the malware.
Components of Malware
Malware authors and attackers create malware using the components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access or merely multiply and occupy the space. Malware is capable of propagating and functioning secretly.
Some of the essential components of most malware programs are:
■ Crypter: Refers to a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from undergoing reverse engineering or analysis, thus hard to get detected by the security mechanism.
■ Downloader: Type of Trojan that downloads other malware (or) malicious code and files from the Internet on to the PC or device. Usually, attackers install downloader when they first gain access to a system.
■ Dropper: Attackers need to install the malware program or code on the system to make it run, and this program can do the installation task covertly. The dropper can contain unidentifiable malware code undetected by the antivirus scanners and is capable of downloading additional files needed to execute the malware on a target system.
■ Exploit: Part of the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. It is the code the attackers use to breach the system's security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities they abuse, exploits fall into different categories, including local exploits and remote exploits.
■ Injector: This program injects the exploits or malicious code available in the malware into other vulnerable running processes and changes the way of execution to hide or prevent its removal.
■ Obfuscator: A program to conceal the malicious code of malware via various techniques, thus making it hard for security mechanisms to detect or remove it.
■ Packer: This software compresses the malware file to convert the code and data of malware into an unreadable format. The packers use compression techniques to pack the malware.
■ Payload: Part of the malware that performs desired activity when activated. The payload may be used for deleting, modifying files, affecting the system performance, opening ports, changing settings, etc. as part of compromising the security.
■ Malicious Code: This is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. It can take forms like:
o Java Applets
o ActiveX Controls
o Browser Plug-ins
o Pushed content
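Crypters, packers and obfuscators, as described in the component list above, all leave a measurable trace: compressed or encrypted bytes are close to uniformly distributed, so their Shannon entropy approaches the 8 bits-per-byte maximum, whereas ordinary code and text sit well below it. The Python script below is an added example, not part of the original module: it computes entropy per fixed-size chunk and decides whether a file body looks packed. The samples (readable text standing in for an unpacked program, seeded pseudo-random bytes standing in for a packed body) and the 7.0-bit threshold are assumptions made for this illustration; real triage would tune the threshold against known-good binaries.

```python
"""Entropy check for packed or encrypted file bodies.

Added example (not from the original module). Computes Shannon entropy per
chunk, a common first-pass indicator for packers and crypters. Samples and
threshold are constructed assumptions.
"""
import math
import random
from collections import Counter
from typing import List, Tuple

# Assumed threshold in bits per byte: code/text is usually well below 6,
# compressed or encrypted data approaches the maximum of 8.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size chunk, keyed by its byte offset."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, chunk_size: int = 1024,
                 threshold: float = PACKED_THRESHOLD) -> bool:
    """True when more than half of the chunks exceed the threshold.

    Using a majority vote means one small high-entropy region (a compressed
    resource, a certificate) does not by itself mark a file as packed.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return False
    high = sum(1 for _, e in ents if e >= threshold)
    return high / len(ents) > 0.5


# Constructed samples.
TEXT_SAMPLE = b"The dropper installs the payload and the wrapper runs the decoy. " * 64
_rng = random.Random(7)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
# A "small stub + packed body" layout, as a packed executable typically has.
STUB_SAMPLE = TEXT_SAMPLE[:512] + PACKED_SAMPLE


if __name__ == "__main__":
    for name, sample in (("text", TEXT_SAMPLE), ("packed", PACKED_SAMPLE),
                         ("stub+packed", STUB_SAMPLE)):
        print(f"{name:12s} entropy={shannon_entropy(sample):.2f} "
              f"looks_packed={looks_packed(sample)}")
```

High entropy alone is not proof of malice (legitimate installers and media files are compressed too), so this check is best used to decide which samples deserve the deeper analysis described later in the module.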
Trojans Concept
In this section we will discuss the basic concepts of Trojans to understand various Trojans and backdoors and their impact on network and system resources. This section describes Trojans and highlights their purpose, the symptoms of their attacks, and the common ports that they use. It also discusses the various methods adopted by the attacker to install Trojans on target systems to infect them and then carry out malicious activities.
This section also describes various types of Trojan. Every day, attackers discover or create new Trojans designed to discover vulnerabilities of target systems. Trojans are categorized by the way they enter and the types of actions they perform on these systems.
What is a Trojan?
In Ancient Greek myth, the Greeks won the Trojan War with the aid of a giant wooden horse in which their soldiers hid. The Greeks left it in front of the gates of Troy. The Trojans thought that it was a gift from the Greeks, left behind before their apparent withdrawal from the war, and brought the horse into their city. At night, the Greek soldiers broke out of the wooden horse and opened the gates for their army, which eventually destroyed the city of Troy.
Thus, taking its cue from this myth, a computer Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojan horses to trick the victim into performing a predefined action. Trojans get activated upon users' specific predefined actions, such as unintentionally installing malicious software or clicking on a malicious link; upon activation, a Trojan can grant attackers unrestricted access to all data stored on the compromised information system and cause potentially immense damage. For example, users could download a file that appears to be a movie but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker.
A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Also, attackers use victims as unwitting intermediaries to attack others. They can use a victim's computer to commit illegal denial-of-service attacks.
Trojan horses work at the same level of privilege as their victims. For example, if a victim has the privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase its level of access, even beyond that of the user running it. If successful, the Trojan can use those increased privileges to install other malicious code on the victim's machine.
A compromise of any network system can affect other such systems. Those that transmit authentication credentials, such as passwords over shared networks in clear text or a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information.
Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing, thereby causing the remote system to incur liability. Trojans enter the system by means such as email attachments, downloads, and instant messages.
Symptoms of Trojan Attack
The following computer malfunctions are symptoms of a Trojan attack:
■ The DVD-ROM drawer opens and closes automatically.
■ The computer screen blinks, flips upside-down, or is inverted, so that everything is displayed backward.
■ The default background or wallpaper settings change automatically. This can be performed by using pictures either on the user's computer or in the attacker's program.
■ Printers automatically start printing documents.
■ Web pages suddenly open without input from the user.
■ Color settings of the operating system (OS) change automatically.
■ Screensavers convert to a personal scrolling message.
■ Sound volume suddenly fluctuates all the way up or down.
■ Anti-virus programs are automatically disabled, and the data is corrupted, altered, or deleted from the system.
■ The date and time of the computer change.
■ The mouse cursor moves by itself.
■ The right-click takes the function of the left-click, and vice versa.
■ The pointer arrow of the mouse disappears completely.
■ The mouse pointer and automatic clicks on icons are uncontrollable.
■ The Windows Start button disappears.
■ Pop-ups with bizarre messages that suddenly appear.
■ Clipboard images and text appear to be manipulated.
■ The keyboard and mouse freeze.
■ Contacts receive emails from a user's email address that the user did not send.
■ Strange warnings or question boxes appear. Many times, these are personal messages directed to the user, asking questions that require the victim to answer by clicking a Yes, No, or OK button.
■ The system turns off and restarts in unusual ways.
■ The taskbar disappears automatically.
■ The Task Manager is disabled. The attacker, or Trojan, may disable the Task Manager function so that the victim cannot view the task list or be able to end the task on a given program or process.
FIGURE 7.1: Diagram showing how attacker extracts information from the victim system
Communication Paths: Overt and Covert Channels
"Overt" refers to something that is explicit, obvious, or evident, whereas "covert" refers to something that is secret, concealed, or hidden.
An overt channel is a legal channel for the transfer of data or information in a company network and works securely to transfer data and information. On the other hand, a covert channel is an illegal, hidden path used to transfer data from a network.
Covert channels are methods attackers can use to hide data in an undetectable protocol. They rely on a technique called tunneling, which enables one protocol to transmit over the other. Any process or a bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan because an attacker can use the covert channel to install a backdoor on the target machine.
How Hackers Use Trojans
Following are some reasons why attackers create malicious programs such as Trojans:
■ Delete or replace OS's critical files
■ Generate fake traffic to create DoS attacks
■ Record screenshots, audio, and video of victim's PC
■ Use victim's PC for spamming and blasting email messages
■ Download spyware, adware, and malicious files
■ Disable firewalls and antivirus
■ Create backdoors to gain remote access
■ Infect victim's PC as a proxy server for relaying attacks
■ Use victim's PC as a botnet to perform DDoS attacks
■ Steal sensitive information, such as:
o Credit card information, which is useful in domain registration, as well as for shopping using keyloggers
o Account data such as email passwords, dial-up passwords, and web services passwords
o Important company projects, including presentations and work-related papers
■ Encrypt the victim machine and lock out the victim from accessing the machine
■ Attackers can use the target system:
o To store archives of illegal materials, such as child pornography. The target continues using their system without realizing that attackers are using their system for illegal activities
o As an FTP Server for pirated software
■ Script kiddies may just want to have fun with the target system; an attacker could plant a Trojan in the system just to make the system act strangely (e.g., the CD/DVD tray opens and closes frequently, the mouse functions improperly, etc.)
■ Attacker might use a compromised system for other illegal purposes that makes the target responsible for all illegal activities if discovered by the authorities
Common Ports used by Trojans
Ports represent entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Those within the OS are software ports and are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many ports exist that are application-specific or process-specific. Various Trojans use some of these ports to infect target systems.
Users need a basic understanding of the state of an "active connection" and ports commonly used by Trojans to determine whether a system has been compromised.
There are different states, but the "listening" state is the important one in this context. The system generates this state when it listens on a port number while waiting for a connection from another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for "listening," the other(s) for data transfer. The table below shows the list of common ports used by different Trojans.
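The practical check that follows from this passage is to list the ports a host is actually listening on and compare them with what the host is supposed to run. The Python script below is an added example, not part of the original module: it parses LISTENING lines from netstat-style output and sorts each port into "expected for this host", "file-sharing service the module warns about" (FTP 21, NetBIOS 139, SMB 445), or "unexplained". The sample output, the per-host baseline of expected listeners and the placeholder port 7777 are constructed for this illustration; a real deployment would build the baseline from its own configuration and extend the watch list with the Trojan port table referenced above.

```python
"""Triage listening TCP ports against a host baseline and a watch list.

Added example (not from the original module). Parses 'netstat -an' style
output and classifies each LISTENING port. Sample output and baseline are
constructed for illustration.
"""
import re
from typing import Dict, List

# Assumed baseline: ports this particular host is expected to listen on.
EXPECTED_LISTENERS = {22: "ssh", 135: "rpc", 443: "https"}

# File-sharing services the module says attackers abuse when left open.
WATCHED_PORTS = {21: "FTP", 139: "NetBIOS", 445: "SMB"}

# Constructed sample in the shape of 'netstat -an' output on Windows.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         198.51.100.7:52113     ESTABLISHED
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\w+)?\s*$")


def listening_ports(netstat_text: str) -> List[int]:
    """TCP ports in LISTENING state, in order of first appearance."""
    ports: List[int] = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            port = int(m.group(3))
            if port not in ports:
                ports.append(port)
    return ports


def triage_listeners(netstat_text: str,
                     expected: Dict[int, str] = EXPECTED_LISTENERS,
                     watched: Dict[int, str] = WATCHED_PORTS) -> Dict[str, List[str]]:
    """Sort listening ports into expected, watched-service, and unexplained."""
    result: Dict[str, List[str]] = {"expected": [], "watched": [], "unexplained": []}
    for port in listening_ports(netstat_text):
        if port in expected:
            result["expected"].append(f"{port}/{expected[port]}")
        elif port in watched:
            result["watched"].append(f"{port}/{watched[port]} open for file sharing")
        else:
            result["unexplained"].append(f"{port} listening with no known service")
    return result


if __name__ == "__main__":
    for category, entries in triage_listeners(SAMPLE_NETSTAT).items():
        print(category + ":")
        for entry in entries:
            print("  ", entry)
```

An "unexplained" listener is the starting point for the investigation, not a verdict: the next step is to identify the owning process (netstat -anob on Windows, ss -ltnp on Linux) and decide whether it belongs on the host.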
How to Infect Systems Using a Trojan
An attacker can remotely control the hardware as well as the software on a system by installing Trojans. Once a Trojan is installed on the system, the data become vulnerable to threats, and there is a chance that the attacker can perform attacks on third-party systems. Attackers deliver Trojans in many ways to infect target systems:
■ Trojans are included in bundled shareware or downloadable software. When users download such files, the target systems automatically install the Trojans.
■ Different pop-up ads try to trick users. They are programmed by the attacker in such a way that it does not matter whether users click YES or NO; a download will begin, and the Trojan will install itself on the system automatically.
■ Attackers send the Trojans as email attachments. When users open these malicious attachments, the Trojans are installed automatically.
■ Users are sometimes tempted to click on different kinds of files such as greeting cards, porn videos, and images, which might contain Trojans. Clicking on them installs the Trojans.
Below is the step-by-step process that attackers follow to infect a target machine using a Trojan:
■ Step 1: Create a new Trojan packet using a Trojan Horse Construction Kit.
New Trojan horses of your choice can be constructed using various Trojan horse construction Kits such as DarkHorse Trojan Virus Maker. New Trojans have a higher chance of succeeding in compromising the target system, as the security mechanisms might fail to detect them.
■ Step 2: Create a dropper, which is the part of a Trojanized packet that installs the malicious code on the target system.
■ Step 3: Create a wrapper, using various wrapper tools such as petite.exe, Graffiti.exe, IExpress Wizard, and Elite Wrap, to help bind the Trojan executable to legitimate files to install it on the target system.
■ Step 4: Propagate the Trojan, implementing various methods such as sending it via email and instant messengers, tricking users to download and execute it. An active Trojan can perform malicious activities such as irritating users with constant pop-ups, changing desktops, changing or deleting files, stealing data, creating backdoors, etc.
■ Step 5: Execute the Dropper, software used by attackers to disguise their malware (viruses, Trojans, worms, etc.). It is an executable file containing other compressed files. Dropper appears to users to be a legitimate application or well-known and trusted file. However, when run, the Dropper extracts the malware components hidden in it and executes them, usually without saving them to the disk, to avoid detection. Droppers include images, games, or benign messages in their package, which serve as a decoy to focus attention away from malicious activities.
■ Step 6: Execute the damage routine. Most of the malware contains a damage routine that delivers payloads. Some payloads just display images or messages, whereas other payloads can even delete files, reformat hard drives, or cause other damage.
Trojan Horse Construction Kit
Trojan horse construction kits help attackers construct Trojan horses and customize them according to their needs. These tools can be dangerous and can backfire if not executed properly. New Trojans created by attackers go unnoticed when scanned through a virus or Trojan scanning tools, as they do not match any known signatures. This added benefit allows attackers to succeed in launching attacks.
■ DarkHorse Trojan Virus Maker
DarkHorse Trojan Virus Maker is used to create user-specified Trojans by selecting from the various options available. The Trojans created act according to the options selected while creating them. For example, if you choose the option Disable Process, the Trojan disables all processes on the target system. The screenshot in the slide shows a snapshot of DarkHorse Trojan Virus Maker that displays its various available options.
Some of the additional Trojan Horse construction kits include:
■ Trojan Horse Construction Kit
■ Senna Spy Trojan Generator
■ Batch Trojan Generator
■ Umbra Loader - Botnet Trojan Maker
Wrappers
Wrappers bind the Trojan executable with a genuine-looking .EXE application such as games or office applications. When the user runs the wrapped .EXE application, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) on runtime. This makes it possible for the Trojan to get in virtually undetected, as most anti-virus software is not able to detect signatures in the file.
The attacker can also place several executables inside one executable. Such wrappers may support functions such as running one file in the background while another runs in the foreground on the desktop.
Technically speaking, wrappers are a type of "glueware" used to bind other software components together. A wrapper encapsulates several components into a single data source to make it usable in a more convenient fashion than the original unwrapped source.
The lure of free software can trick users into installing Trojan horses. For instance, a Trojan horse might arrive in an email described as a computer chess game, and the description may lead the recipient to install it. Although it may, in fact, be a game, once the user installs the game file, the Trojan is installed in the background and performs actions that are not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker. In another instance, an attacker sends a birthday greeting that installs a Trojan while the user watches, for example, a birthday cake dancing across the screen.
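Binders and droppers most often hide the second executable by appending it past the end of the last PE section (the "overlay"), and a defender can check for that without running anything. The following Python is an added example written for this page, not code from any of the tools listed here. It builds a constructed, non-executable minimal PE image in memory, then parses the section table to find data beyond the last section. The helper names (build_minimal_pe, pe_overlay, classify_overlay) are this example's own.

```python
import struct

PE32_MAGIC = b"\x0b\x01"
SECTION_HEADER_LEN = 40


def build_minimal_pe(section_raw_size: int, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 image (headers + one .text section) as test input.
    It is not executable; only the fields the overlay check reads are meaningful."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = PE32_MAGIC + b"\x00" * (size_of_optional - 2)
    headers_len = e_lfanew + 4 + len(coff) + size_of_optional + SECTION_HEADER_LEN
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF          # file alignment of 512 bytes
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/line-number pointers and counts, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", section_raw_size, 0x1000,
                          section_raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos_header + b"PE\x00\x00" + coff + optional + section
    image += b"\x00" * (raw_ptr - len(image))        # pad headers to file alignment
    image += b"\x90" * section_raw_size              # section body (NOP filler)
    return image + overlay


def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_length) for a PE image, or None if the
    input is not a PE file. The overlay is everything past the end of the last
    section's raw data; binders and droppers commonly store their payload there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff_off + 16)[0]
    sections_off = coff_off + 20 + size_of_optional
    end_of_sections = 0
    for i in range(num_sections):
        hdr = sections_off + i * SECTION_HEADER_LEN
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay_len = max(0, len(data) - end_of_sections)
    return end_of_sections, overlay_len


def classify_overlay(data: bytes) -> str:
    """Rough triage of what an overlay contains, judged by its leading bytes."""
    result = pe_overlay(data)
    if result is None:
        return "not-pe"
    offset, length = result
    if length == 0:
        return "no-overlay"
    head = data[offset:offset + 4]
    if head[:2] == b"MZ":
        return "embedded-pe"
    if head[:2] == b"PK":
        return "zip-archive"
    return "unknown-overlay"


if __name__ == "__main__":
    clean = build_minimal_pe(256)
    bound = build_minimal_pe(256, overlay=build_minimal_pe(64))  # binder-style layout
    print(pe_overlay(clean), classify_overlay(clean))
    print(pe_overlay(bound), classify_overlay(bound))
```

An overlay is not proof of a binder: Authenticode-signed binaries keep their WIN_CERTIFICATE blob in the overlay (referenced from the security data directory), and many installers store their archive there. Check that directory entry and the size of the overlay before raising an alert, and treat an overlay that itself starts with an MZ header as the strong signal.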
Wrapper Covert Programs
Given below are a few wrapper (covert) programs that an attacker can use to carry out malicious activities:
■ IExpress Wizard
IExpress Wizard (iexpress.exe, shipped with Windows) is a wrapper program that guides the user through creating a self-extracting package that automatically installs the embedded setup files, Trojans, etc. IExpress can delete the extracted setup files after execution, which erases traces of the Trojan, and then run a program or merely extract the hidden files. A Trojan embedded this way may be missed by scanners that do not unpack the self-extracting archive.
Some of the additional wrapper tools include:
■ Elite Wrap
■ Advanced File Joiner
■ Soprano 3
■ Exe2vbs
■ Kriptomatik
Crypters
A crypter is software that encrypts the original binary code of an .exe file. Attackers use crypters to hide viruses, spyware, keyloggers, Remote Access Trojans (RATs), and other malware so that anti-virus products do not detect them. The following are a few crypters that attackers use to hide malicious programs from security mechanisms.
■ BitCrypter
Source: https://www.crypter.com
BitCrypter can encrypt and compress 32-bit executables and .NET applications without affecting their functionality. A Trojan or other malicious program can be encrypted and bound to legitimate software to bypass firewalls and anti-virus software. BitCrypter supports a wide range of Windows versions, from Windows XP to Windows 10.
Some of the additional crypter tools include:
■ SwayzCryptor (https://www.nulledblog.com)
■ Hidden Sight Crypter (http://www.best-fud-crypters.com)
■ Cypherx (http://cypherx.org)
■ Java Crypter (http://megacrypter.us)
■ Beta Crypt (https://www.fudexploits.com)
■ Spartan Crypter (https://spartanproducts.pw)
How Attackers Deploy a Trojan
A Trojan is the means by which an attacker gains access to the victim's system. To gain control over the victim's machine, the attacker sets up a Trojan server and then sends an email that lures the victim into clicking a link in the message. As soon as the victim clicks the malicious link, the browser connects to the Trojan server, which sends the Trojan to the victim's system, where it installs itself automatically and infects the machine. As a result, the victim's device establishes a connection to the attacker's server without the victim's knowledge. Once that connection exists, the attacker can take complete control over the victim's system and perform any action of their choosing. If the victim carries out an online transaction or purchase, the attacker can steal sensitive information such as credit card details and account information. The attacker can also use the victim's machine to launch attacks on other systems.
A Trojan may also infect a computer when the user opens an email attachment that installs it; the Trojan can then serve as a backdoor through which criminals access the system later.
Exploit Kit
An exploit kit, or crimeware toolkit, exploits security loopholes in software such as Adobe Reader, Adobe Flash Player, etc. to deliver malware (spyware, viruses, Trojans, worms, bots, backdoors, buffer-overflow scripts, or other payloads) to the target system. Exploit kits come with pre-written exploit code, so they are easy to use even for an attacker who is not an IT or security expert. They also provide a user-friendly interface for tracking infection statistics and a remote mechanism for controlling compromised systems. Using an exploit kit, an attacker can target browsers, browser plug-ins and programs reachable through the browser, zero-day vulnerabilities, and vulnerabilities for which patches exist but have not been applied. Exploit kits are therefore most effective against users running insecure or outdated software on their systems.
The diagram above shows the general procedure for an exploit kit, though the process of exploiting a machine might vary for different exploit kits:
■ The victim visits a legitimate website hosted on a compromised web server.
■ The victim is redirected through various intermediary servers.
■ The victim unknowingly lands on an exploit kit server hosting the exploit pack landing page.
■ The exploit kit gathers information on the victim, selects an exploit based on it, and delivers the exploit to the victim's system.
■ If the exploit succeeds, a malware program is downloaded to the victim's system and executed.
Exploit Kits
■ RIG Exploit Kit
The RIG exploit kit is one of the most popular exploit kits of recent years because of its wide range of malware distribution. RIG EK was first discovered in 2014 and has remained an efficient distributor of many exploits. Attackers have used RIG EK successfully to distribute the Cryptobit, CryptoLuck, CryptoShield, CryptoDefense, Sage, Spora, Revenge, PyCL, Matrix, Philadelphia, and Princess ransomware families. RIG EK was also involved in distributing the LatentBot, Pony, and Ramnit Trojans, as well as the well-known banking Trojan ZeuS. The latest version of the RIG exploit kit takes advantage of outdated versions of applications such as Flash, Java, Silverlight, Internet Explorer, or Microsoft Edge to distribute the Cerber ransomware.
Features:
■ Redirection to the RIG EK landing page is performed via a standard HTTP 302 redirect
■ Domain auto-rotator to avoid blacklisting and detection
■ FUD (fully undetectable) exploits, i.e., exploits not matched by current anti-virus signatures
■ Combines different web technologies, such as DoSWF, JavaScript, Flash, and VBScript, to obfuscate the attack
RIG EK supports different browsers and has been documented exploiting the following CVE, among others:
CVE-2013-2551: Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability
Some of the additional exploit kits include:
■ Magnitude
■ Angler
■ Neutrino
■ Terror
■ Sundown
■ Phoenix
Evading Anti-Virus Techniques
The following techniques can be used to make malware such as Trojans, viruses, and worms harder for anti-virus applications to detect:
1. Break the Trojan file into multiple pieces and zip them into a single file.
2. Always write your own Trojan and embed it into an application (a signature-based anti-virus program fails to recognize a new Trojan because its database does not contain a matching signature).
3. Change the Trojan's form:
■ Convert the EXE to a VB script
■ Change the .EXE extension to .DOC.EXE, .PPT.EXE, or .PDF.EXE (Windows hides the extensions of "known file types" by default, so the file shows up only as .DOC, .PPT, or .PDF)
4. Change the content of the Trojan using a hex editor.
5. Change the checksum, and encrypt the file.
6. Never use Trojans downloaded from the Web (anti-virus detects these easily).
7. Use binder and splitter tools that are capable of changing the first few bytes of the Trojan program.
8. Perform code obfuscation or morphing. Morphing changes the code's appearance on each build so that the anti-virus program cannot distinguish a malicious program from a harmless one by signature.
Types of Trojans
Trojans are classified into many categories depending on their functionality. The following is a list of some of the Trojan types:
1. Remote Access Trojans
2. Backdoor Trojans
3. Botnet Trojans
4. Rootkit Trojans
5. E-Banking Trojans
6. Proxy Server Trojans
7. Covert Channel Trojans
8. Defacement Trojans
9. Service Protocol Trojans
10. Mobile Trojans
11. IoT Trojans
12. Security Software Disabler Trojans
13. Destructive Trojans
14. DDoS Attack Trojans
15. Command Shell Trojans
Remote Access Trojans
Remote access Trojans (RATs) provide attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and more. In its classic form, the RAT acts as a server and listens on a port that is not supposed to be reachable by Internet attackers. Therefore, if the user is behind a firewall that blocks inbound connections, a remote attacker has less chance of connecting to the Trojan, whereas attackers on the same network, behind the same firewall, can reach it easily. This is why most modern RATs instead connect outward to the attacker (a reverse connection), which ordinary egress rules rarely block.
For example, Jason is an attacker who intends to exploit Rebecca's computer to steal her data. Jason infects Rebecca's computer with server.exe, a reverse-connecting Trojan. The Trojan connects outbound on port 80 to the attacker, who is sitting in Russia, establishing a reverse connection. Now Jason has complete control over Rebecca's machine.
Attackers use RATs to gain administrative access to the target machine. A RAT lets the attacker remotely access the complete GUI and control the victim's computer without their awareness; it is capable of screen and camera capture, code execution, keylogging, file access, password sniffing, registry management, and so on. RATs infect victims via phishing attacks and drive-by downloads and propagate through infected USB keys or network drives. They can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.
■ njRAT
njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it is capable of accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, manipulating processes and files, and viewing the victim's desktop.
This RAT can be used to control Botnets (networks of computers), allowing the attacker to update, uninstall, disconnect, restart, close the RAT, and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the Command and Control server software.
Features:
o Remotely access the victim's computer
o Collect victim information such as IP address, hostname, OS, etc.
o Manipulate files and system files
o Open an active remote session giving the attacker access to the victim machine's command line
o Log keystrokes and steal credentials from browsers
Some of the additional remote access Trojans include:
■ MoSucker
■ ProRat
Backdoor Trojans
A backdoor is a program that bypasses standard system authentication or conventional security mechanisms such as IDS, firewalls, etc. without being detected. In these types of breaches, hackers leverage backdoor programs to access the victim's computer or network. Like other malware, a backdoor is installed without the user's knowledge; what distinguishes it is that it is built to give the attacker a persistent, repeatable way back in. This allows the attacker to perform any activity on the infected computer, including transferring, modifying, or corrupting files, installing malicious software, rebooting the machine, etc., without the user noticing. Attackers use backdoors to retain uninterrupted access to the target machine, and most backdoors are used in targeted attacks. Backdoor Trojans are also often used to group victim computers into a botnet or zombie network that can be used for criminal activities.
Backdoor Trojans are typically used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process. The main difference between a RAT and a traditional backdoor is that the RAT has a user interface, the client component, which the attacker uses to issue commands to the server component residing on the compromised machine, whereas a backdoor does not.
For example, a hacker performing a malicious activity identifies vulnerabilities in a target network. The hacker implants the networkmonitor.exe backdoor, which is installed on a victim machine in the target network without being detected by the network security mechanisms. Once installed, networkmonitor.exe gives the attacker uninterrupted access to the victim's machine and the target network.
Botnet Trojans
Today, most large information security attacks involve botnets. Attackers (also known as "bot herders") use botnet Trojans to infect a large number of computers across a wide geographical area and form a network of bots (a "bot herd") that they control via a command-and-control (C&C) center. They trick ordinary users into downloading Trojan-infected files through phishing, SEO hacking, URL redirection, and similar means. Once the user downloads and executes the botnet Trojan, it connects back to the attacker, traditionally over IRC channels and today more often over HTTP or custom protocols, and waits for further instructions. Some botnet Trojans also have worm features and spread automatically to other systems on the network. They help an attacker launch various attacks and perform nefarious activities such as denial-of-service attacks, spamming, click fraud, and theft of application serial numbers, login IDs, and credit card numbers.
■ Necurs
The Necurs botnet distributes many pieces of malware, most notably Dridex and Locky. It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself. Necurs itself spreads through spam emails and downloads from questionable or illegal sites. Necurs is indirectly responsible for a significant portion of cybercrime. On 20 March 2017, the Necurs botnet ran a pump-and-dump spam campaign that tried to artificially boost the stock price of the company InCapta.
Features:
o Destruction of the system
o Turning the PC into a spying tool
o Electronic money theft
o Botnet membership and cryptocurrency mining
o Serving as a gateway for other viruses
■ Mirai
Mirai is a self-propagating botnet that infects poorly protected Internet devices (IoT devices). Mirai scans the telnet ports (23 and 2323) to find devices that still use their factory-default username and password. Because many IoT devices ship with default credentials, Mirai can infect large numbers of such devices and coordinate them to mount a DDoS attack against a chosen victim.
Features:
o Login attempts with 60 different factory-default username and password pairs
o Built for multiple CPU architectures (x86, ARM, SPARC, PowerPC, Motorola)
o Connects to the C&C server, which allows the attacker to specify an attack vector
o Increases bandwidth usage on infected bots
o Identifies and removes competing malware
o Blocks remote administration ports
Prevention:
o Changing default usernames and passwords, disabling telnet where it is not needed, and using anti-Trojan software can prevent Mirai DDoS botnet Trojan attacks.
Some of the botnet Trojans include:
■ Dreambot
■ Cridex
■ Ponmocup
■ Avalanche
Rootkit Trojans
As the name indicates, "rootkit" combines the terms "root" and "kit": "root" is the UNIX/Linux term equivalent to Administrator in Windows, and "kit" denotes the set of programs that allow someone to obtain root/admin-level access to the computer by executing them. Rootkits are potent backdoors that specifically attack the root of the system, the OS itself. Unlike ordinary backdoors, rootkits hide themselves by subverting the OS, so they cannot be detected merely by observing services, the system task list, or the registry. Rootkits give the attacker full control of the victim's OS. Rootkits cannot propagate by themselves, a fact that has caused a great deal of confusion. In reality, a rootkit is just one component of what is called a blended threat. Blended threats typically consist of three pieces of code: a dropper, a loader, and the rootkit. The dropper is the executable program or file that installs the rootkit. Activating the dropper usually requires human intervention, such as clicking a malicious email link. Once started, the dropper launches the loader and then deletes itself. The loader then obtains the privileges needed to install the rootkit, typically by exploiting a vulnerability such as a buffer overflow, and loads the rootkit into memory.
■ EquationDrug Rootkit
EquationDrug is a dangerous rootkit that attacks the Windows platform. It is used in targeted attacks against various organizations and arrives on the infected system by being downloaded and executed by the Trojan dubbed "DoubleFantasy", covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It allows a remote attacker to execute shell commands on the infected system.
Some of the additional rootkit Trojans include:
■ Wingbird
■ Finfisher
■ GrayFish
■ ZeroAccess rootkit
E-banking Trojans
E-banking Trojans are very dangerous and have become a significant threat to online banking. They intercept the victim's account information before the system encrypts it and send it to the attacker's command-and-control center. These Trojans are installed on the target's computer when he or she opens a malicious email attachment or clicks a malicious advertisement. Attackers configure these Trojans with minimum and maximum monetary amounts so that they do not withdraw all the money in the account, which avoids suspicion. The Trojans also present the victim with a doctored copy of the account statement, so that the victim believes the balance is unchanged and is not aware of the fraud unless they check the balance from another system or an ATM. These Trojans may also steal victims' data such as credit card numbers and billing details and transmit them to remote hackers via email, FTP, IRC, or other methods.
Working of E-banking Trojans
A banking Trojan is a malicious program that allows attackers to obtain personal information about users of online banking and payment systems.
The banking Trojan analysis includes:
■ TAN Grabber: A Transaction Authentication Number (TAN) is a single-use password for authenticating an online banking transaction. The banking Trojan intercepts a valid TAN entered by the user and replaces it with a random number, which the bank rejects. The attacker then uses the intercepted, still-valid TAN together with the target's login details.
■ HTML Injection: The Trojan injects fake form fields into e-banking pages. Through them the attacker collects the target's account details, credit card number, date of birth, etc., and can use this information to impersonate the target and compromise the account.
■ Form Grabber: A form grabber captures a target's sensitive data, such as IDs and passwords, from a web browser form or page. It is an advanced method of collecting the target's Internet banking information. It analyzes POST requests and the responses returned to the victim's browser. It defeats scramble-pad authentication by intercepting the scramble-pad input as the user enters the Customer Number and Personal Access Code.
■ Covert Credential Grabber: This type of malware stays dormant until the user performs an online financial transaction. It works covertly, replicating itself on the computer and editing registry entries each time the computer starts. The Trojan also searches the cookie files stored on the computer while browsing financial websites. Once the user attempts an online transaction, the Trojan covertly steals the login credentials and transmits them to the hacker.
The following are some of the methods by which banking Trojans attempt to steal users' information:
o Keylogging
o Form data capture
o Inserting fraudulent form fields
o Screen captures and video recording
o Mimicking financial websites
o Redirecting to attacker-controlled copies of banking websites
o Man-in-the-middle attacks
E-banking Trojan: ZeuS
ZeuS, also called Zbot, is a banking Trojan horse program (or "crimeware") first detected in 2007 and still one of the most successful and prolific banking Trojans in the world. A Zbot Trojan is built with a malicious toolkit sold on hacker forums and underground marketplaces, which gives the attacker control over the functionality of the executable used to infect victims. ZeuS steals data such as online credentials and banking details from infected computers via web browsers and protected storage. The Zbot Trojan is typically distributed through spam email campaigns and drive-by downloads. Once executed, the Trojan collects the Internet Explorer, FTP, and POP3 credentials held in Protected Storage (PStore); the attacker then uses these to authenticate to the accounts as the legitimate user. It can be updated through a command-and-control (C2) server with additional functions such as downloading and executing further files, shutting down or rebooting the victim device, or deleting system files. Zbot also uses a "fast flux" technique to evade takedown: the botnet's C2 hostnames resolve to a rapidly changing set of IP addresses (often infected hosts acting as proxies), so blocking a given IP address range is ineffective, and attempts to block the changing addresses frequently produce false positives.
Features:
■ Steals data submitted in HTTP forms
■ Steals account credentials stored in the Windows Protected Storage
■ Steals client-side X.509 public-key infrastructure (PKI) certificates
■ Steals FTP and POP account credentials
■ Steals/deletes HTTP and Flash cookies
■ Modifies the HTML pages of target websites for information stealing purposes
■ Redirects victims from target web pages to attacker-controlled ones
■ Takes screenshots and scrapes HTML from target sites
■ Searches for and uploads files from the infected computer
■ Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
■ Downloads and executes arbitrary programs
■ Deletes crucial registry keys, rendering the computer unable to boot into Windows
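Of the ZeuS capabilities listed above, the hosts-file modification is one a defender can audit with a few lines of code: a bank's hostname pinned to a fixed address, or a security vendor's update host mapped to 0.0.0.0, is never legitimate. The following Python is an added example written for this page, not ZeuS code or any vendor's tool; the hosts-file content is constructed for the example, and the domain names in it are placeholders.

```python
import ipaddress

# Constructed hosts file content for the example. The last two entries model what
# a banking Trojan might write: a bank hostname pinned to an attacker-chosen
# address, and an anti-virus update host sinkholed so the product cannot update.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.examplebank.test examplebank.test
0.0.0.0         update.av-vendor.test
"""

# Names that legitimately map to loopback on a default system.
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file,
    skipping comments, blank lines and lines whose first field is not an address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def suspicious_hosts_entries(text, watched_domains=()):
    """Flag (1) any entry for a watched domain (banks resolve via DNS, never via
    hosts) and (2) any non-local name sinkholed to loopback or 0.0.0.0, the trick
    malware uses to block security-vendor update servers."""
    watched = tuple(d.lower() for d in watched_domains)
    findings = []
    for lineno, ip, name in parse_hosts(text):
        pinned = any(name == d or name.endswith("." + d) for d in watched)
        if pinned:
            findings.append((lineno, name, str(ip), "watched domain pinned in hosts file"))
        elif name not in SELF_NAMES and (ip.is_loopback or ip.is_unspecified):
            findings.append((lineno, name, str(ip), "name sinkholed to local address"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS, ["examplebank.test"]):
        print(finding)
```

On a live host, read %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts (Linux) and feed the content to suspicious_hosts_entries with the list of domains your organization cares about. Some endpoint agents and ad blockers legitimately sinkhole names, so treat the second category as something to baseline per environment rather than as an automatic incident.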
Some of the additional e-banking Trojans include:
■ Gozi/Ursnif
■ Emotet
■ Ramnit
■ Gootkit
■ Tinba
■ Bebloh
Proxy Server Trojans
A Trojan proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet. Once it infects a machine, a proxy server Trojan starts a hidden proxy server on the victim's computer. Attackers use it for anonymous Telnet, ICQ, or IRC sessions, for purchasing goods with stolen credit cards, and for other illegal activities. The attackers have full control over the users' systems and can launch attacks on other systems from the affected user's network. If the authorities detect illegal activity, the footprints lead to the innocent users and not to the attackers, potentially causing legal trouble for the victims, who are ostensibly responsible for their network and any attacks launched from it. Thousands of machines on the Internet are infected with proxy servers using this technique.
Some of the proxy server Trojans include:
■ Linux.Proxy.10
■ Proxy
■ Pinkslipbot (Qbot)
Covert Channel Trojans
A Covert Channel Tunneling Tool (CCTT) Trojan uses various exploitation techniques to create arbitrary data-transfer channels inside data streams that the network access control system authorizes. It enables attackers to obtain a shell on an external server from within the internal network and vice versa. It sets up a TCP/UDP/HTTP CONNECT|POST channel that carries TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box inside the internal network.
■ Bachosens Trojan
Bachosens is a covert channel Trojan discovered in February 2017 and deployed against select targets, using covert communication channels to evade detection. It is used to steal information and download additional malware onto compromised machines.
The Trojan creates a registry entry so that it runs every time Windows starts, opens a backdoor to connect to its C2 server, and can then execute the following functions:
o Log keystrokes
o Download and execute files
o Copy files
o List files
o Delete files
Defacement Trojans
Defacement Trojans, once spread over a system, can destroy or change the entire content of a database. They are more dangerous when attackers target websites, because they modify the underlying HTML and thereby the content of the pages. The defacement of e-business targets by Trojans can cause significant losses.
Resource editors allow one to view, edit, extract, and replace strings, bitmaps, logos, and icons in any Windows program. They allow viewing and editing almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond. Attackers apply User-styled Custom Applications (UCAs) to deface Windows applications.
■ Restorator
Source: http://www.bome.com
Restorator is a utility for editing Windows resources in applications and their components (e.g., files with .exe, .dll, .res, .rc, and .dcr extensions). It allows one to change, add, or remove resources such as text, images, icons, sounds, videos, version information, dialogs, and menus in almost any program. Using this tool, one can perform translation/localization, customization, design improvement, and development.
Features:
o Translate existing applications (localization)
o Customize the look and feel of programs
o Replace logos and icons (branding)
o Enhance control over resource files in the software development process
o Hack into the inner workings of applications on the computer
Service Protocol Trojans
These Trojans take advantage of service protocols such as VNC, HTTP/HTTPS, ICMP, etc. to attack the victim machine.
■ VNC Trojans
A VNC Trojan starts a VNC server daemon on the infected (victim) system, to which the attacker connects with any VNC viewer. Because the VNC program itself is a legitimate utility, this Trojan is difficult to detect with anti-virus. Top financial malware such as Dridex, Neverquest, and Gozi employ an hVNC (hidden virtual network computing) module, which runs the VNC session on a hidden desktop so that the attacker gains user-grade interactive access to the infected PC without the victim seeing anything on screen.
■ HTTP/HTTPS Trojans
HTTP/HTTPS Trojans can traverse most firewalls, because they work in reverse compared with a straight HTTP tunnel. They use web-based interfaces and port 80. The Trojan executes on the internal host and spawns a child process at a predetermined time. To the firewall, the child program looks like a user's browser, so the firewall allows it access to the Internet. However, this child program runs a local shell, connects to a web server that the attacker owns on the Internet through an apparently legitimate HTTP request, and sends it a ready signal. The apparently legitimate answer from the attacker's web server is in reality a series of commands that the child executes in the local shell. To avoid detection, the attacker converts all traffic into a Base64-like encoding and passes it as the value of a CGI query string. The following is an example of a connection:
Slave: GET /cgi-bin/order?M5mAejTgZdgYOdglOOBqFfVYTgjFLdgxEdblHe7krj HTTP/1.0
Master replies with: gSmAlfbknz
The GET from the internal host (SLAVE) carries the command prompt of the shell; the answer is an encoded "ls" command from the attacker on the external server (MASTER). The SLAVE tries to connect to the MASTER daily at a specified time. If the shell hangs, a new child is spawned, and the attacker can check and fix it the next day. If an administrator notices the connections to the attacker's server and connects to it with a browser, they just see a broken web server, because a token (password) must be present in the encoded CGI GET request. WWW proxies (e.g., squid, a full-featured web proxy cache) are supported. The program masks its name in the process listing. The programs are reasonably small: the master and slave programs consist of only about 260 lines per file. Usage is easy: edit rwwwshell.pl with the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run "rwwwshell.pl" on the MASTER just before the time at which the slave tries to connect.
o SHTTPD
SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (for example, the game chess.exe); when executed, it turns the computer into an invisible web server. For instance, an attacker infects the victim's computer with chess.exe, which runs SHTTPD in the background listening on port 443 (the SSL port, chosen so that the traffic looks like ordinary HTTPS), and then connects to the victim with a web browser at http://10.0.0.5:443.
o HTTP RAT
HTTP RAT uses web interfaces and port 80 to gain access. It can be understood as an HTTP tunnel that works in the reverse direction. These Trojans are comparatively more dangerous because they work almost anywhere Internet access is available.
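The reverse WWW shell exchange described above, and HTTP RATs in general, leave two traces in a web proxy log that a defender can hunt for: an opaque, high-entropy query string where ordinary applications send key=value pairs, and a strict daily schedule to the same URL. The following Python is an added example written for this page, not code from rwwwshell or any other tool; the proxy log lines are constructed for the example (addresses from documentation ranges, blobs chosen to have high entropy), and the simple "timestamp client method url" log format is this example's own assumption.

```python
import math
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed web-proxy log lines: "<timestamp> <client> <method> <url>".
# 10.0.0.5 reaches the same CGI URL with a different opaque query blob at
# about 02:00 on three consecutive days (a slave's daily call-home);
# the other lines are ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T02:00:03Z 10.0.0.5 GET http://203.0.113.7/cgi-bin/order?aB3dE5fG7hJ9kLmN0pQrStUvWxYz1C2D4F6H8Kq
2024-05-01T09:14:22Z 10.0.0.5 GET http://shop.example/cart?item=42&qty=1
2024-05-01T11:40:09Z 10.0.0.8 GET http://shop.example/cart?item=7&qty=2
2024-05-02T02:00:11Z 10.0.0.5 GET http://203.0.113.7/cgi-bin/order?Zy9xWvUt8SrQp7oNmL6kJh5GfE4dC3bA2q1PzYx
2024-05-02T15:02:47Z 10.0.0.8 GET http://shop.example/cart?item=42&qty=1
2024-05-03T01:59:58Z 10.0.0.5 GET http://203.0.113.7/cgi-bin/order?Qw8eR7tY6uI5oP4aS3dF2gH1jK0lZxCvBnM9Xz
"""

# Characters a Base64-like encoding would use.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_blob(query: str, min_len: int = 20, min_entropy: float = 4.0) -> bool:
    """True if the query string carries an opaque high-entropy value rather than
    ordinary key=value parameters."""
    values = [query] if "=" not in query else [v for _, v in parse_qsl(query)]
    return any(len(v) >= min_len and BLOB_RE.match(v) and shannon_entropy(v) >= min_entropy
               for v in values)


def parse_log(text):
    """Yield (datetime, client, url) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url


def find_beacons(text, min_days: int = 3, window_seconds: int = 900):
    """Return (client, url-without-query) pairs that send encoded blobs to the
    same URL at roughly the same time of day on at least min_days distinct days."""
    seen = defaultdict(list)   # (client, base_url) -> [(date, seconds_of_day)]
    for when, client, url in parse_log(text):
        parts = urlsplit(url)
        if not looks_like_encoded_blob(parts.query):
            continue
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        seconds = when.hour * 3600 + when.minute * 60 + when.second
        seen[(client, base)].append((when.date(), seconds))
    beacons = []
    for key, hits in seen.items():
        days = {d for d, _ in hits}
        times = [t for _, t in hits]
        if len(days) >= min_days and max(times) - min(times) <= window_seconds:
            beacons.append(key)
    return sorted(beacons)


if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_LOG):
        print(f"possible reverse WWW shell: {client} -> {url}")
```

The entropy threshold alone would also catch session tokens and CDN cache-busters, which is why the schedule check is combined with it; conversely a shell that randomizes its call-home time defeats the window test, so in production widen the window and add the destination's reputation and the absence of a Referer to the score.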
■ ICMP Trojans
Internet Control Message Protocol (ICMP) is an integral part of IP, and every IP module must implement it. It is a connectionless protocol that provides error and diagnostic messages to unicast addresses. ICMP messages are carried inside IP datagrams.
An attacker can hide data using covert channels, i.e., methods of carrying data inside a protocol in a way that its normal consumers do not notice. ICMP tunneling applies the general idea of carrying one protocol over another: it uses ICMP echo-request and echo-reply messages to carry a payload and stealthily access or control the victim's machine. Attackers use the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets to tunnel arbitrary information. Network-layer devices and proxy-based firewalls often do not filter or inspect the contents of ICMP_ECHO traffic, which makes this channel attractive to hackers.
Such devices simply pass, drop, or answer ICMP packets without looking inside them. The Trojan's packets masquerade as ordinary ICMP_ECHO traffic, and they can encapsulate (tunnel) any required information.
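Because the echo payload is where the tunnel lives, the cheapest check is to parse the ICMP message and compare the payload with what real ping implementations send. The following Python is an added example written for this page, not code from any tunneling tool or IDS. It assumes two facts about common ping clients (Windows ping sends the fixed 32-byte string below; iputils ping on Linux puts a timestamp in the first 16 bytes and then fills the payload so that byte i equals i); the packets it classifies are constructed in the block, and the helper names are this example's own.

```python
import struct
import time

# Default echo payloads of two common ping implementations (assumed as stated
# in the lead-in). Windows ping sends a fixed 32-byte alphabet; iputils ping
# puts a timestamp in the first 16 bytes and fills the rest so that
# payload[i] == i (0x10, 0x11, ... 0x37 for the default 56-byte payload).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ECHO_REQUEST) -> bytes:
    """Assemble an ICMP echo message with a correct checksum (constructed test input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def linux_ping_payload(now=None) -> bytes:
    """Payload shaped like iputils ping's default: 16-byte timeval, then 0x10..0x37."""
    now = time.time() if now is None else now
    stamp = struct.pack("<qq", int(now), int((now % 1) * 1_000_000))
    return stamp + bytes(range(16, 56))


def classify_echo(packet: bytes) -> str:
    """Classify a raw ICMP message: is the echo payload one a real ping would send,
    or does it carry something else, as a tunnel would?"""
    if len(packet) < 8:
        return "truncated"
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        return "not-echo"
    if icmp_checksum(packet) != 0:          # a message with a valid checksum sums to zero
        return "bad-checksum"
    payload = packet[8:]
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    if len(payload) > 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return "linux-ping"
    return "anomalous-payload"


if __name__ == "__main__":
    samples = {
        "windows": build_echo(1, 1, WINDOWS_PING_PAYLOAD),
        "linux": build_echo(2, 1, linux_ping_payload()),
        "tunnel": build_echo(3, 1, b"cat /etc/passwd"),   # constructed tunnelled command
    }
    for name, pkt in samples.items():
        print(name, classify_echo(pkt))
```

A careful tunnel can copy a legitimate ping payload and hide its data in the identifier, sequence number, or timing, so this check only catches the lazy ones; pair it with baselines on echo volume, payload size, and whether replies carry a payload different from the request that triggered them, and baseline the ping implementations actually present in your environment before alerting on "anomalous-payload".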
Mobile Trojans
Mobile Trojans are malicious software that targets mobile phones. Mobile Trojan attacks are increasing rapidly with the global increase in mobile usage. The attacker tricks the victim into installing the malicious application. When the victim installs it, the Trojan performs attacks such as stealing banking or social-networking credentials, encrypting data, locking the device, etc.
■ Hummer
Hummer is a Trojan that runs on the Android OS. It infected an average of 1.19 million devices between January and June 2016, nearly double the count of any other known mobile malware. When a device is infected, Hummer roots the phone to gain administrator privileges and adds pop-up ads. It then pushes mobile games and installs porn apps in the background. When the user attempts to uninstall them, they are reinstalled.
Some of the additional mobile Trojans include:
■ Ghost push
■ AndroRAT
■ Hideicon
■ Danpay
■ Rootnik
■ Idownloader
■ Flexion
IoT Trojans
The Internet of Things (IoT) is the internetworking of physical devices, buildings, and other items embedded with electronics. IoT Trojans are malicious programs that attack IoT networks. They often assemble the infected devices into a botnet that is used to attack other machines outside the IoT network.
■ BrickerBot
BrickerBot is malware that bricks IoT devices around the world by corrupting their storage and reconfiguring kernel parameters. Two versions have been detected: BrickerBot.1 and BrickerBot.2. In the first stage of an attack, BrickerBot runs a dictionary brute-force attack against devices whose Telnet ports are exposed to the Internet. If the target device uses default credentials, BrickerBot logs in and runs a series of Linux commands.
Some of the additional IoT Trojans include:
■ Mirai
■ Hajime
■ LuaBot
■ Trojan.linux.pnscan
Security Software Disabler Trojans
Security software disabler Trojans stop the working of security programs such as firewall, IDS, etc. either by disabling them or killing the processes. These are entry Trojans which allow an attacker to perform the next level of attack on the targeted system.
Some of the security software disabler Trojans include:
■ Cert Lock
■ GhostHook
Destructive Trojans
The sole purpose of destructive Trojans is to delete files on a target system. Antivirus software may not detect them. Once a destructive Trojan infects a computer system, it randomly deletes files, folders, and registry entries, and wipes local and network drives, often resulting in OS failure.
Destructive Trojans are often written as simple, crude batch files with commands such as "DEL", "DELTREE", or "FORMAT". The destructive code is usually compiled into or disguised as .ini, .exe, .dll, or .com files, so it is difficult to determine whether a destructive Trojan is the cause of a system's failure. The attacker can trigger these Trojans manually, or they can be set to run at a fixed date and time.
Shamoon is a destructive Trojan that hit organizations in Saudi Arabia in 2012 and returned in 2016. Shamoon used a Disttrack payload configured to wipe systems as well as virtual desktop infrastructure (VDI) snapshots. The Trojan propagated internally by logging in with legitimate domain account credentials, copying itself to each system, and creating a scheduled task that executes the copied payload.