File000145

1. Module XXXII – Investigating Virus, Trojan, Spyware and Rootkit Attacks

2. EC-Council Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News: Police ‘Find’ Author of Notorious Gpcode Virus
Source: http://www.infoworld.com/, September 30, 2008

The infamous Gpcode "ransomware" virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld. The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack -- and probably earlier attacks in 2006 and 2007 -- using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC. The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private "master" key and must therefore be genuine.

Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the United States, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victims' machines. Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.

3. News: Researchers - Banks Need Better Security
Source: http://www.mxlogic.com/

4. News: Worms Attack Facebook, MySpace
05 December, 2008 12:49:00

Panda Security has detected Boface.G, a new worm that uses the Facebook and MySpace social networks to spread. “Worms are programmes that make copies of themselves in different places on a computer,” says Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “The objective of this type of malware is usually to saturate computers and networks, preventing them from being used.”

The Boface.G worm posts a link on the infected users’ profile or contacts panel to a fake YouTube video. Alternatively, it sends the infected users’ contacts a private message with the link. When they try to watch the video (which seems to come from one of their friends) they are taken to a web page where they are encouraged to download a Flash Player update to watch it. However, if they do so, they will let a copy of the worm into their computers and will infect all of their contacts.

“Social networks attract millions of users and have become one of cyber-crooks’ favourite ways to spread their malicious creations,” says Matthews. “Users of these social networks should try to confirm the origin of these messages before following links or downloading items to their computers.” According to PandaLabs, one of the two social networks under attack has already taken measures to protect users from this malware. For protection against attacks like these, Facebook and MySpace users are encouraged to have an updated antivirus.
Source: http://mybroadband.co.za/

5. News: Webroot® Threat Advisory: Hackers Using Continental Flight 1404 Headlines to Scam Online News-Seekers
Source: http://news.prnewswire.com/

6. News: Rootkit Unearthed in Network Security Software
Source: http://www.theregister.co.uk/

7. News: PandaLabs’ 2009 Predictions - Malware Will Increase in 2009
Banker Trojans, Fake Antivirus Software, SQL Injection Attacks, Customized Packers & Obfuscators among the Most Popular Expected Cybercriminal Tactics
Glendale, CA (PRWEB) December 21, 2008

PandaLabs, Panda Security's malware analysis and detection laboratory, today announced that a significant increase in the volume of malware (viruses, worms, Trojans, etc.) is expected in 2009. Panda Security's laboratory detected more malware strains in the eight months between January and August of 2008 than in the previous 17 years combined. Summing up, malware in 2009 is expected to grow and become more sophisticated and more difficult to detect. There will also be an increase in Web-based attacks and attacks through social networks, which allow for more silent infections. The financial crisis will also bring an increase in malware and false job offers. In addition to an overall growth in malware, PandaLabs made the following predictions:

1. Banker Trojans and fake antivirus solutions will be the most prevalent forms of malware in 2009. Banker Trojans are designed to steal login passwords for banking services, account numbers, etc., whereas fake antivirus solutions try to pass themselves off as real antivirus products to convince users they have been infected by malicious codes.
2. Social networks will be a focal attack point for cybercriminals. We will continue to see worms in social networks spread malware from one user to another. Malicious codes designed to steal confidential data from unsuspecting users will also become more prevalent.
3. SQL injection attacks will continue to rise. SQL injection attacks involve vulnerabilities on the servers that host specific sites. Cyber-criminals exploit these vulnerabilities by infecting users that visit these Web pages without realizing they've been attacked.
4. Customized packers and obfuscators will grow in popularity. These tools are used by cybercriminals to compress malware and make detection more difficult. Criminals capitalizing on this form of attack will often successfully avoid the standard tools available in forums, websites, etc., and instead turn to their own obfuscators in an attempt to evade 'signature-based' detection by security solutions.
5. Expect a resurgence of classic malicious codes. The use of increasingly sophisticated detection technologies will drive cyber-crooks to turn to old codes, adapted to new needs.
6. Attacks on new operating systems and computing platforms will be on the rise. PandaLabs forecasts a significant proliferation of malware targeting new platforms such as Mac OS Leopard X, Linux or iPhone in the coming year. However, these new codes will never be as numerous as those for Windows systems.
7. Increased targeted attacks around issues stemming from the financial crisis will continue into 2009. Over the last few months of 2008, PandaLabs has reported a clear correlation between the financial crisis and an increase in malware strategies and techniques.
Source: http://www.prweb.com/

8. Module Objective
This module will familiarize you with:
• Viruses and Worms
• How to know a Virus Infected System
• Characteristics of a Virus
• Symptoms of Virus-Like Attack
• Indications of Virus Attack
• Stages of Virus Life
• Virus Detection Methods
• How to Prevent a Virus
• Trojans and Spywares
• Indications of a Trojan Attack
• Remote Access Trojans (RAT)
• Anti-virus Tools
• Anti-Trojan Tools

9. Module Flow
Viruses and Worms → Characteristics of a Virus → Indications of Virus Attack → Virus Detection Methods → Trojans and Spyware → Remote Access Trojans (RAT) → Antivirus Tools → Anti-Trojan Tools

10. Statistics of the Malicious and Potentially Unwanted Programs
[Chart in the original slide]

11. Virus Top 20 for January 2008
[Table in the original slide]

12. Virus
Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them
Viruses spread through email attachments, instant messages, downloads from the Internet, contaminated media, etc.
Viruses are generally categorized as:
• File infectors: Attach themselves to program files
• System or boot-record infectors: Infect executable code found in certain system areas on a disk
• Macro viruses: Infect the Microsoft Word application

13. Worms
A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
It is considered a subclass of a virus
It takes advantage of file or information transport features on the system, allowing it to travel independently
It spreads across the infected network automatically, whereas a virus does not

14. Characteristics of a Virus
• Resides in memory and replicates itself while the program it is attached to is running
• Does not reside in memory after the execution of the program
Hides itself from detection in three ways:
• Encrypts itself into cryptic symbols
• Alters the disk directory data to compensate for the additional virus bytes
• Uses stealth algorithms to redirect disk data

15. Working of a Virus
Trigger events and direct attack are the common modes that cause a virus to “go off” on a target system. Most viruses operate in two phases:
Infection Phase:
• Virus developers decide when to infect the host system’s programs
• Some infect each time they are run and executed completely (Ex: direct viruses)
• Some virus code infects only when users trigger it, which may be a day, a time, or a particular event (Ex: TSR viruses, which get loaded into memory and infect at later stages)
Attack Phase:
• Some viruses have trigger events to activate and corrupt systems
• Some viruses have bugs which replicate and perform activities such as file deletion or increasing session time
• They corrupt the targets only after spreading completely, as intended by their developers

16. Working of a Virus: Infection Phase
[Diagram: "Attaching .EXE File to Infect the Programs". Before infection, the .EXE file header's IP points to the start of the program, which runs through to the end of the program. After infection, the virus body is attached to the .EXE file and the header's IP is redirected to it (labelled "Virus Jump"); the original program, from its start to its end, still follows.]
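The diagram above shows an appending infector redirecting the header's instruction pointer to its own code. As an added example (not from the EC-Council slides), the following Python check parses a PE header and flags an entry point that falls in the last section or outside the first code section, a simple defender-side heuristic for that layout; the PE images it scans are constructed in memory for the demo, and the section name ".vir" is made up.

```python
import struct

PE_OFFSET_FIELD = 0x3C            # e_lfanew: offset of "PE\0\0" in the DOS header
SECTION_HEADER_SIZE = 40
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_INITIALIZED_DATA_READ = 0x40000040   # CNT_INITIALIZED_DATA | MEM_READ


def parse_pe(data: bytes) -> dict:
    """Return the entry point RVA and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, PE_OFFSET_FIELD)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)   # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize,
            "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        })
        off += SECTION_HEADER_SIZE
    return {"entry_rva": entry_rva, "sections": sections}


def suspicious_entry_point(data: bytes) -> tuple:
    """Flag the appended-infector layout from the diagram: the patched entry
    point lands in the last section, or in a section other than the first
    code section, instead of at the original program start."""
    info = parse_pe(data)
    secs = info["sections"]
    sec = next((s for s in secs
                if s["vaddr"] <= info["entry_rva"] < s["vaddr"] + s["vsize"]), None)
    if sec is None:
        return True, "entry point outside every section"
    first_code = next((s for s in secs if s["executable"]), None)
    if len(secs) > 1 and sec is secs[-1]:
        return True, "entry point in last section " + sec["name"]
    if first_code is not None and sec is not first_code:
        return True, "entry point in %s, not in first code section %s" % (
            sec["name"], first_code["name"])
    return False, "entry point in " + sec["name"]


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Construct a minimal PE32 header (DOS stub, COFF header, optional header,
    section table) for testing the parser; it is not a runnable program."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (PE_OFFSET_FIELD - 2) + struct.pack("<I", pe_off)
    opt_size = 96   # PE32 optional header with no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x1000)
    opt += b"\0" * (opt_size - len(opt))
    table = b""
    for name, vaddr, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample: ordinary layout, entry point inside .text (first section)
CLEAN_EXE = build_pe(0x1010, [
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_INITIALIZED_DATA_READ),
])

# Constructed sample: appended-infector layout; a new last section (name made
# up) holds the virus body and the header's entry point now jumps there
INFECTED_EXE = build_pe(0x4000, [
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_INITIALIZED_DATA_READ),
    (b".vir", 0x4000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_EXE), ("infected", INFECTED_EXE)):
        print(label, suspicious_entry_point(image))
```

Packed and self-extracting executables also start in a late section, so treat a hit as a lead for the analyst rather than proof of infection.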
17.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Working of a Virus: Attack Phase Page: 3Page: 2Page: 1 Page: 3Page: 2Page: 1 Unfragmented File Before Attack File: A File: B Page: 1 File: B Page: 3 File: B Page: 1 File: A Page: 2 File: A Page:2 File: B Page: 3 File: A File Fragmentation Due to Virus Attack Slowdown of PC due to Fragmented Files
18.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Symptoms of a Virus-Like Attack If the system acts in an unprecedented manner, you can suspect a virus attack • Example: Processes take more resources and are time consuming However, not all glitches can be attributed to virus attacks, examples include:: • Certain hardware problems • If computer beeps with no display • If one out of two anti-virus programs report virus on the system • If the label of the hard drive change • Your computer freezes frequently or encounters errors • Your computer slows down when programs are started • You are unable to load the operating system • Files and folders are suddenly missing or their content changes • Your hard drive is accessed too often (the light on your main unit flashes rapidly) • Microsoft Internet Explorer "freezes" • Your friends mention that they have received messages from you but you never sent such messages
19.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Indications of a Virus Attack • Programs take longer to load than normal • Computer's hard drive constantly runs out of free space • Files have strange names which are not recognizable • Programs act erratically • Resources are used up easily Indications of a virus attack:
20.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Modes of Virus Infection Viruses infect the system in the ways such as: • Loads itself into memory and checks for executables on the disk • Appends the malicious code to a legitimate program without the knowledge of the user • Since the user is unaware of the replacement, he/she launches the infected program • As a result of the infected program being executes, other programs get infected as well • The above cycle continues until the user realizes the anomaly within the system
21.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Stages of Virus Life Computer virus involves various stages right from its design to elimination Replication Design Launch Detection Incorporation Elimination Users are advised to install anti-virus software updates thus creating awareness among user groups Anti-virus software developers assimilate defenses against the virus A virus is identified as threat infecting target systems It gets activated with user performing certain actions like triggering or running a infected program Developing virus code using programming languages or construction kits Virus first replicates for a long period of time within the target system and then spends itself
22.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Virus Classification Viruses are classified based on the below criteria: What they Infect How they Infect
23.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Virus Classification (cont’d) • Infects disk boot sectors and records System Sector or Boot Virus: • Infects executables in OS file system File Virus: • Infects documents, spreadsheets and databases such as Word, Excel and Access Macro Virus: • Overwrites or appends host code by adding Trojan code in it Source Code Virus: • Spreads itself via email by using command and protocols of computer network Network Virus:
24.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited How Does a Virus Infect? • Can hide from anti-virus programs Stealth Virus: • Can change their characteristics with each infection Polymorphic Virus: • Maintains same file size while infecting Cavity Virus: • They hide themselves under anti-virus while infecting Tunneling Virus: • Disguise themselves as genuine applications of user Camouflage Virus:
25.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Storage Patterns of a Virus Shell Virus: • Virus code forms a shell around target host program’s code, making itself the original program and host code as its sub-routine Add-on Virus: • Appends its code at the beginning of host code without making any changes to the latter one Intrusive Virus: • Overwrites the host code partly, or completely with viral code Direct or Transient Virus: • Transfers all the controls to host code where it resides • Selects the target program to be modified and corrupts it Terminate and Stay Resident Virus (TSR): • Remains permanently in the memory during the entire work session even after the target host program is executed and terminated • Can be removed only by rebooting the system
26.
Virus Detection
Use anti-virus software to detect the virus
Scan the system for any unwanted programs running on it
Anti-virus software uses two methods of virus detection:
• Virus signature definitions
• Heuristic algorithms
Virus signature detection examines the contents of the computer’s memory and compares them with the database of known virus signatures
Heuristic algorithms find viruses based on their behavior
Heuristic algorithms help in creating a virus signature for new and unknown viruses
27.
Virus Detection Methods
• Scanning: Once a virus has been detected, it is possible to write scanning programs that look for a signature string characteristic of the virus
• Integrity Checking: Integrity checking products work by reading your entire disk and recording integrity data that acts as a signature for the files and system sectors
• Interception: The interceptor monitors operating system requests that write to disk
28.
Virus Incident Response
Detect the Attack: Not all anomalous behavior can be attributed to viruses
Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe and pslist.exe, and map commonalities between affected systems
Detect the virus payload by looking for altered, replaced or deleted files
Check for new files, changed file attributes or shared library files
Acquire the infection vector and isolate it; update anti-virus and rescan all systems
29.
Investigating Viruses
When a file is infected with a virus, make a copy of the file and perform the actions on that copy
For a serious kind of virus attack, have an expert dissect the virus to check for modifications
Check the date and time of the last change of infected files
When the first infected computer is found, check for non-standard programs that are not part of the company’s normal applications
Question the computer user about the source of the infected file
30.
Trojans and Spyware
Trojans:
• A Trojan horse is a malicious, security-breaking program that is disguised as a useful program
• Trojans are executable programs that install when a file is opened
• They get activated without the intervention of the user
• Unlike viruses, Trojans do not spread by themselves from one system to another
• Trojans let others control a user’s system
Spyware:
• Spyware is software installed on the computer without the knowledge of the user
• Spyware pretends to be a program that offers a useful application, but it actually acquires information from the computer and sends it to a remote attacker
• Spyware is also known as adware
31.
Working of Trojans
The attacker gets access to the Trojaned system as soon as the system goes online
By way of the access provided by the Trojan, the attacker can stage different types of attacks
Figure: Attacker, Internet, Trojaned System
32.
How Spyware Affects a System
Most spyware infects the system through warez and porn sites
Peer-to-peer software is also used to install spyware
Some websites trick the user into downloading software claiming to be legitimate, which, when installed, performs illicit actions
Other sources of attacks are porn dialers and premium-rate dialers
33.
What Spyware Does to the System
Once spyware enters a system, it gathers information about the computer without the user’s knowledge
It gathers information such as personal data, passwords and bank account information and sends it to an illegitimate user through the Internet
Keyloggers are used to record the data typed by the user on the computer
The PC and the web browser can also be hijacked, making the user navigate to unwanted websites
34.
What Do Trojan Creators Look For?
• Credit card information
• Account data (email addresses, passwords, user names, and so on)
• Confidential documents
• Financial data (bank account numbers, social security numbers, insurance information, and so on)
• Calendar information concerning the victim’s whereabouts
• Using the victim’s computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet
35.
Different Ways a Trojan Can Get into a System
• Instant Messenger applications
• IRC (Internet Relay Chat)
• Attachments
• Physical access
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screensavers from Internet sites
• Legitimate "shrink-wrapped" software packaged by a disgruntled employee
36.
Identification of a Trojan Attack
• CD-ROM drawer opens and closes by itself
• Computer screen flips upside down or inverts
• Wallpaper or background settings change by themselves
• Documents or messages print from the printer by themselves
• Computer browser goes to a strange or unknown web page by itself
• Windows color settings change by themselves
• Screensaver settings change by themselves
37.
Identification of a Trojan Attack (cont’d)
• Right and left mouse buttons reverse their functions
• Mouse pointer disappears
• Mouse pointer moves and functions by itself
• Windows Start button disappears
• Strange chat boxes appear on the victim’s computer
• The ISP complains to the victim that his/her computer is IP scanning
38.
Identification of a Trojan Attack (cont’d)
• People chatting with the victim know too much personal information about him or his computer
• Computer shuts down and powers off by itself
• Taskbar disappears
• Account passwords are changed, or unauthorized persons can access legitimate accounts
• Strange purchase statements appear in credit card bills
• The computer monitor turns itself on and off
• Modem dials and connects to the Internet by itself
• Ctrl+Alt+Del stops working
• While rebooting the computer, a message flashes that there are other users still connected
39.
Remote Access Trojans (RAT)
Remote Access Trojans (RATs) are malicious software programs used to control a user’s computer through his/her Internet connection
A RAT lets intruders view and change the computer’s files and functions
It monitors and records activities, and uses the computer to attack other computers without the user’s knowledge
It gets into the computer hidden in illicit software and other files and programs downloaded from the Internet
It takes advantage of vulnerabilities in the software or the Internet and affects the computer without any action being performed by the user
40.
Remote Access Trojans (RAT) (cont’d)
A RAT provides remote control of the computer through an Internet connection
This ability can be used by intruders to:
• Expose the user to scams
• Find files
• Record typing
• Capture video and audio
• Run or end a program, process or connection
• Create pop-ups
• Attack other computers
To protect from RAT attacks:
• Have a safe online community
• Use a firewall
• Update the computer regularly
• Use anti-virus and anti-spyware software
41.
Ports Used by Trojans
Trojan / Protocol / Ports:
• Back Orifice: UDP 31337 or 31338
• Deep Throat: UDP 2140 and 3150
• NetBus: TCP 12345 and 12346
• Whack-a-mole: TCP 12361 and 12362
• NetBus 2 Pro: TCP 20034
• GirlFriend: TCP 21544
• Masters Paradise: TCP 3129, 40421, 40422, 40423 and 40426
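A small checker that applies the port table above to netstat output, as an added example that is not part of the EC-Council deck. The netstat samples are constructed; a port match is only a lead, to be confirmed against the process with the tools named on the incident-response slide (pslist.exe, fport.exe, handle.exe).

```python
"""Flag listening/active sockets on ports historically used by the Trojans
in the table above. Added example for this page, not EC-Council code; the
netstat samples below are constructed."""

# (protocol, port) -> Trojan name, exactly as listed on the slide.
TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 20034): "NetBus 2 Pro",
    ("tcp", 21544): "GirlFriend",
}
for _p in (3129, 40421, 40422, 40423, 40426):
    TROJAN_PORTS[("tcp", _p)] = "Masters Paradise"

# Constructed "netstat -ano" output (Windows layout: Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4312
  TCP    10.0.0.5:40421         10.0.0.9:51022         ESTABLISHED     4312
  TCP    10.0.0.5:51044         93.184.216.34:443      ESTABLISHED     2788
  UDP    0.0.0.0:31337          *:*                                    2210
  UDP    0.0.0.0:53             *:*                                    800
"""

# Constructed "netstat -tulpn" output (Linux layout adds Recv-Q/Send-Q columns).
SAMPLE_NETSTAT_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 0.0.0.0:12346           0.0.0.0:*               LISTEN      4312/nb
udp        0      0 0.0.0.0:2140            0.0.0.0:*                           2210/dt
"""


def local_port(addr):
    """Port from 'host:port' or '[v6addr]:port'; None if the field has no port."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def find_trojan_ports(netstat_output):
    """Return (proto, port, trojan, pid) for each socket whose local port is in
    the table. TCP sockets count only when LISTENING/LISTEN or ESTABLISHED;
    any bound UDP socket counts. PID comes from the last field when present."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        proto = fields[0].lower().rstrip("6")       # tcp6/udp6 -> tcp/udp
        if proto not in ("tcp", "udp"):
            continue                                 # header or unrelated line
        # Linux netstat inserts numeric Recv-Q/Send-Q before the local address.
        if len(fields) > 3 and fields[1].isdigit() and fields[2].isdigit():
            del fields[1:3]
        port = local_port(fields[1])
        if port is None:
            continue
        if proto == "tcp":
            state = fields[3].upper() if len(fields) > 3 else ""
            if state not in ("LISTENING", "LISTEN", "ESTABLISHED"):
                continue
        trojan = TROJAN_PORTS.get((proto, port))
        if trojan is not None:
            pid = fields[-1].split("/")[0]           # "4312" or "4312/nb"
            hits.append((proto, port, trojan, pid if pid.isdigit() else "?"))
    return hits


def suspicious_pids(hits):
    """Group hits by PID so each process can be examined with pslist/fport/handle."""
    by_pid = {}
    for _proto, _port, trojan, pid in hits:
        by_pid.setdefault(pid, set()).add(trojan)
    return {pid: sorted(names) for pid, names in by_pid.items()}


if __name__ == "__main__":
    for sample in (SAMPLE_NETSTAT, SAMPLE_NETSTAT_LINUX):
        hits = find_trojan_ports(sample)
        for hit in hits:
            print("%s/%d matches %s (pid %s)" % hit)
        print(suspicious_pids(hits))
```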
42.
Anti-virus Tools
43.
AVG Antivirus
www.grisoft.com
Security protection against viruses, worms, Trojans and potentially unwanted programs
Features:
• Quality proven by all major antivirus certifications (VB100%, ICSA, West Coast Labs Checkmark)
• Improved virus detection based on better heuristics and NTFS data stream scanning
• Smaller installation and update files
• Improved user interface
44.
AVG Antivirus: Screenshot
45.
Norton Antivirus
www.symantec.com
Features:
• Protects from viruses and updates virus definitions automatically
• Detects and repairs viruses in email, instant messenger attachments and compressed folders
• Monitors network traffic for malicious activity
Scan options provided by Norton Antivirus are:
• Full system scan
• Custom scan
• Scheduled scan
• Scan from the command line
46.
McAfee
www.mcafee.com
Features:
• SpamKiller: Stops spam from infecting the inbox
• SecurityCenter: Lists computer security vulnerabilities; offers free real-time security alerts
• VirusScan:
  • ActiveShield: Scans files in real time
  • Quarantine: Encrypts the infected files in the quarantine folder
  • Hostile Activity Detection: Examines the computer for malicious activity
47.
Kaspersky Anti-Virus
Provides traditional anti-virus protection based on the latest protection technologies
Allows users to work, communicate, surf the Internet, and play online games on the computer safely and easily
Protects from viruses, Trojans and worms, spyware, adware, and all types of keyloggers
Protection from viruses when using ICQ and other IM clients
Detects all types of rootkits
Provides three types of protection technologies against new and unknown threats:
• Hourly automated database updates
• Preliminary behavior analysis
• On-going behavior analysis
48.
BitDefender
BitDefender 2008 is an outstanding product with a user-friendly interface
It scans all existing files on the computer, all incoming and outgoing emails, IM transfers, and all other network traffic
It has also improved its existing B-HAVE feature, which runs pieces of software on a virtual computer to detect code that could be an unknown virus
Features:
• “Privacy Protection” for outgoing personal information
• “Web Scanning” while you are using the Internet
• “Rootkit Detection and Removal,” which detects and then removes hidden virus programs
49.
Anti-virus Tools (cont’d)
SocketShield is a zero-day exploit blocker
It can block exploits from entering the computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches
CA Anti-Virus provides comprehensive protection against viruses, worms, and Trojan horse programs
It detects viruses, worms, and Trojans
50.
Anti-virus Tools (cont’d)
F-Secure Anti-Virus 2007 is an anti-virus tool developed by F-Secure Corporation
It offers easy-to-use protection for your computer against viruses, worms, and rootkits
F-Prot Antivirus is an antivirus software package which protects your data from virus infection and removes any virus that may have infected your computer system
It features real-time protection and email scanning, as well as heuristic detection of suspected viruses
51.
Anti-virus Tools (cont’d)
Panda Antivirus Platinum transparently eliminates viruses at the desktop and TCP/IP (Winsock) level
It detects and disinfects viruses before they can touch your hard drive
avast! Virus Cleaner removes selected virus and worm infections from your computer
It deactivates the virus present in memory
52.
Anti-virus Tools (cont’d)
Norman Virus Control uses the same core components as the corporate version, except for network and network management functionality
The unique Norman SandBox II technology protects against new and unknown computer viruses, worms, and Trojans
ClamWin detects and removes a wide range of viruses and spyware and offers email scanning
It performs automatic Internet updates, scheduled scans, and email alerts on virus detection
53.
Anti-Trojan Tools
54.
TrojanHunter
TrojanHunter is an advanced Trojan scanner and toolbox that searches for and removes Trojans from your system
It uses several proven methods to find a wide variety of Trojans, such as file scanning, port scanning, memory scanning, and registry scanning
TrojanHunter also allows you to add custom Trojan definitions and detection rules
55.
Comodo BOClean
Comodo BOClean protects your computer against Trojans, malware, and other threats
It constantly scans your system in the background and intercepts any recognized Trojan activity
The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected Trojan application
Features:
• Destroys malware and removes registry entries
• Does not require a reboot to remove all traces
• Disconnects the threat without disconnecting you
• Generates an optional report and a safe copy of evidence
• Automatically sweeps and detects INSTANTLY in the background
• Configurable "Stealth mode" completely hides BOClean from users
• Updates automatically from a network file share
56.
Trojan Remover: XoftspySE
Xoftspy detects and removes all the spyware trying to install on your PC
It scans for more than 42,000 different spyware and adware parasites
It finds and removes threats including: spyware, worms, hijackers, adware, malware, keyloggers, hacker tools, PC parasites, Trojan horses, spy programs, and trackware
It alerts the user about potentially harmful websites
57.
Trojan Remover: Spyware Doctor
Spyware Doctor is an adware and spyware removal utility that detects and cleans thousands of potential spyware, adware, Trojans, keyloggers, spyware cookies, trackware, spybots, and other malware from your PC
This tool allows you to remove, ignore, or quarantine identified spyware
It also has an OnGuard system to immunize and protect your system against privacy threats as you work
By performing a fast detection at Windows start-up, you will be alerted with a list of the identified potential threats
58.
SPYWAREfighter
SPYWAREfighter is a powerful and reliable software that allows you to protect your PC against spyware, malware, and other unwanted software
Uses a security technology that protects Windows users from spyware and other potentially unwanted software
Reduces negative effects caused by spyware, including slow PC performance, annoying pop-ups, unwanted changes to Internet settings, and unauthorized use of your private information
Continuous protection improves Internet browsing safety by scanning for more than 220,000 known threats
59.
Evading Anti-Virus Techniques
Never use Trojans from the wild (anti-virus can detect these easily)
Write your own Trojan and embed it into an application
• Convert an EXE to VB script
• Convert an EXE to a DOC file
• Convert an EXE to a PPT file
Change the Trojan’s syntax
Change the checksum
Change the content of the Trojan using a hex editor
Break the Trojan file into multiple pieces
60.
Sample Code for Trojan Client/Server
Trojanclient.java
Trojanserver.java
61.
Evading Anti-Trojan/Anti-Virus Using Stealth Tools
A stealth tool is a program that helps to send Trojans or suspicious files that are undetectable by anti-virus software
Its features include adding bytes, binding, changing strings, creating VBS, scrambling/packing files, and splitting/joining files
62.
Backdoor Countermeasures
Most commercial anti-virus products can automatically scan for and detect backdoor programs before they can cause damage
An inexpensive tool called Cleaner (http://www.moosoft.com/cleaner.html) can identify and eradicate 1,000 types of backdoor programs and Trojans
Educate users not to install applications downloaded from the Internet or received as email attachments
63.
Tool: Tripwire
Tripwire automatically calculates cryptographic hashes of all key system files, or of any file that is to be monitored for modifications
It is a System Integrity Verifier (SIV)
Tripwire software works by creating a baseline “snapshot” of the system
It periodically scans those files, recalculates the information, and checks whether any of the information has changed; if there is a change, an alarm is raised
64.
System File Verification
Windows 2000 introduced Windows File Protection (WFP), which protects system files that were installed by the Windows 2000 setup program from being overwritten
The hashes in this file could be compared with the SHA-1 hashes of the current system files to verify their integrity against the factory originals
The sigverif.exe utility can perform this verification process
65.
MD5sum.exe
It is an MD5 checksum utility
It takes an MD5 digital snapshot of system files
If you suspect a file is Trojaned, compare its MD5 signature with the snapshot checksum
Command: md5sum *.* > md5sum.txt
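The baseline-then-compare workflow that the Integrity Checking, Tripwire and md5sum slides describe, written out as an added example (not code from the deck, Tripwire or md5sum). The file tree it checks is constructed inside demo(); the digest algorithm is a parameter so the MD5 and SHA-1 digests the slides mention can be produced, though SHA-256 is the default since MD5 collisions can be manufactured.

```python
"""Baseline-and-verify integrity check in the spirit of Tripwire and of
"md5sum *.* > md5sum.txt". Added example for this page, not code from the
deck, Tripwire or md5sum; the file tree it checks is constructed in demo()."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Stream the file through hashlib; "md5" or "sha1" reproduce the
    digests the md5sum and sigverif slides talk about."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algorithm="sha256"):
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "digest": hash_file(full, algorithm),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline, path):
    """Write the snapshot as JSON. Keep this copy on read-only or offline media:
    an intruder who can rewrite the baseline can hide any later change."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences: files added, removed, or modified (digest or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(baseline) & set(current)
        if baseline[rel]["digest"] != current[rel]["digest"]
        or baseline[rel]["mode"] != current[rel]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then change it the way a
    Trojaned binary, a deleted tool, a dropped hidden file and a setuid
    permission change would. The baseline is stored outside the tree."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for rel, data in (("bin/ls", b"original ls"),
                          ("bin/ps", b"original ps"),
                          ("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Same-length replacement: size is unchanged, only the digest catches it.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps")
        os.remove(os.path.join(root, "bin/ls"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"dropper")
        os.chmod(os.path.join(root, "etc/passwd"), 0o4755)   # setuid bit added

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```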
66.
Tool: Microsoft Windows Defender
Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software
It features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected
67.
Introduction to Rootkits
A rootkit is a group of programs that installs a Trojan logon replacement with a backdoor, along with a packet sniffer, on UNIX systems as well as Windows systems
The sniffer can be used to capture network traffic, including user credentials
A rootkit hides its presence on the target host
It acts by modifying the host operating system so that the malware is hidden from the user
It remains undetected and can prevent a malicious process from being reported in the process table
68.
Attack Approaches
Modifying the data structures that display the processes currently running on the system
System call interception
• Modifying the system call table
• Modifying the system call handler code
Interrupt hooking
• Modifying the interrupt descriptor table
• Modifying the interrupt handler (in particular for the system calls)
Modifying the kernel memory image (/dev/kmem)
Intercepting calls handled by the VFS
Virtual memory subversion
69.
Types of Rootkits
Rootkits are differentiated into:
• Persistent Rootkits: Associated with malware that activates each time the system boots
• Memory-Based Rootkits: Malware that has no persistent code and therefore does not survive a reboot
• User-mode Rootkits: Might intercept all calls to the Windows FindFirstFile/FindNextFile APIs
• Kernel-mode Rootkits: Intercept the native API in kernel mode, and can also directly manipulate kernel-mode data structures
70.
Rootkit Detection
Depending on the type of attack, different rootkit detection approaches are implemented, as follows:
• Detour Functions: This approach is directed towards detecting hidden processes
• Diff-based approach: This approach uses kernel data structures in order to view the processes running in the system
• Comparing symbol addresses: Detects system call interception events
• Binary Analysis: This approach observes the locations in the kernel address space
• Execution Path Analysis: A change in the execution path of the normal system call is observed
• Virtual Machines: A VMware virtual machine is used to detect rootkits
71.
Windows Rootkits
72.
Fu Rootkit
The Fu rootkit hides files and registry keys
It is often used in conjunction with other malware
The FU rootkit manipulates kernel objects directly to hide processes, elevate process privileges, and fake out the Windows Event Viewer so that forensics is impossible
73.
Vanquish
Vanquish is a DLL-injection based rootkit
It hides files, folders and registry entries and logs passwords
It is installed without user interaction through security exploits, and can severely compromise system security
74.
AFX Rootkit
AFX Rootkit was created by Aphex in 2004
AFX Rootkit uses the driver "mc21.tmp" located in the Temp folder
AFX Rootkit installs its hidden service in the Windows subfolder
AFX Rootkit hides:
• Processes
• Handles
• Modules
• Files and folders
• Registry values
• Services
• TCP/UDP sockets
• Systray icons
75.
Linux Rootkits
76.
Knark
Knark is a kernel-based rootkit
The hidden directory /proc/knark is created after knark is loaded
Files created in the directory:
• files: List of hidden files on the system
• nethides: List of strings hidden in /proc/net/[tcp|udp]
• pids: List of hidden pids, ps-like output
• redirects: List of exec-redirection entries
77.
Adore
Adore digs up the inode for the root file system and replaces that inode’s readdir() function pointer
Adore hooks itself into the lookup function for /proc
It replaces the show() function for /proc/net/tcp
78.
Ramen
Ramen is a rootkit that exploits the problems in the rpc.statd and wu-ftpd programs on Linux systems
It replaces the web server’s default page and installs a rootkit
It sends e-mail to two web-based accounts and starts scanning the network for its next victim
The author or someone else then uses the rootkit to access the infected system
79.
Beastkit
The Beastkit rootkit was found on a Red Hat 7.2 system
The rootkit setup script includes the line "#Beastkit 7.0 - X-Org edition"
It uses the open port 56493
Search these files for the presence of the Beastkit rootkit:
• usr/local/bin/bin
• usr/man/.man10
• usr/sbin/arobia
• usr/lib/elm/arobia
• usr/local/bin/.../bktd
80.
Rootkit Detection Tools
81.
UnHackMe
UnHackMe detects the AFX Rootkit and kills it
82.
UnHackMe Procedure
Click the Check button
If a Trojan is found, you will see the Results page
Click on the Stop button and restart your computer
83.
F-Secure BlackLight
F-Secure BlackLight detects hidden files, folders and processes
It also removes hidden malware by renaming it
Figure: F-Secure BlackLight examining the process list
84.
RootkitRevealer
RootkitRevealer detects rootkits including AFX, Vanquish and HackerDefender
It compares the results of a system scan at the Windows API level with the raw contents of a file system volume or Registry hive
Usage:
• rootkitrevealer [-a [-c] [-m] [-r] outputfile]
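The cross-view comparison behind the diff-based approach on the Rootkit Detection slide and behind RootkitRevealer, as an added example that is not code from the deck, RootkitRevealer or chkrootkit. The Windows-style views in demo_views() are constructed (they hide a PID and the AFX driver file named on the AFX slide); linux_process_views() is an optional live collector that assumes a Linux /proc.

```python
"""Cross-view ("diff-based") rootkit detection: compare what a high-level
API reports with what a lower-level source reports, and treat entries that
exist only in the low-level view as hidden. Added example for this page, not
code from RootkitRevealer, chkrootkit or the EC-Council deck."""
import os


def cross_view_diff(high_level, low_level):
    """Entries only in the low-level view are 'hidden' (the rootkit signature).
    Entries only in the high-level view are 'phantom' and usually mean the two
    views were taken at different moments, so report both but weigh them apart."""
    high, low = set(high_level), set(low_level)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def stable_hidden(collect, rounds=3):
    """Re-collect both views several times (collect() returns (high, low)) and
    keep only entries hidden in every round; this filters short-lived processes
    or files that raced a single scan instead of being concealed."""
    result = None
    for _ in range(rounds):
        high, low = collect()
        hidden = set(cross_view_diff(high, low)["hidden"])
        result = hidden if result is None else result & hidden
    return sorted(result)


def linux_process_views(max_pid=65536):
    """Live collector (Linux only, assumption): PIDs visible in the /proc
    directory listing, which ps reads, versus PIDs the kernel confirms through
    kill(pid, 0). A rootkit that filters readdir() on /proc, as the Adore slide
    describes, leaves the PID in the second set but not the first."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = set()
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)            # signal 0: existence check, no effect
            probed.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:        # exists but belongs to another user
            probed.add(pid)
    return listed, probed


def demo_views():
    """Constructed Windows-style views: the API listing versus a raw volume
    parse, as RootkitRevealer compares them. PID 4312 and the AFX driver file
    are absent from the API view only."""
    api_processes = [4, 912, 2210, 2788]
    raw_processes = [4, 912, 2210, 2788, 4312]
    api_files = [r"C:\Windows\System32\ntoskrnl.exe", r"C:\Windows\Temp\report.txt"]
    raw_files = api_files + [r"C:\Windows\Temp\mc21.tmp"]
    return api_processes, raw_processes, api_files, raw_files


def demo():
    """Run the comparison over the constructed views."""
    api_p, raw_p, api_f, raw_f = demo_views()
    return {"processes": cross_view_diff(api_p, raw_p),
            "files": cross_view_diff(api_f, raw_f)}


if __name__ == "__main__":
    print(demo())
    if os.path.isdir("/proc"):
        print("live hidden PIDs:", stable_hidden(linux_process_views))
```

On a live Linux host, stable_hidden(linux_process_views) reports an empty list when nothing is concealed; a non-empty list is a lead to verify with the tools on the following slides, not proof by itself.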
85.
Microsoft Windows Malicious Software Removal Tool
The Microsoft Windows Malicious Software Removal Tool checks computers for infections by specific, prevalent malicious software
After the detection and removal process is complete, the tool displays a report describing the outcome
86.
Rkhunter
Rkhunter detects rootkits, sniffers, and backdoors
It runs a series of tests to check default files used by rootkits
It also searches for default directories, wrong permissions, hidden files, and suspicious strings in kernel modules
Command used for running Rkhunter:
• # rkhunter -c
The series of tests conducted is as follows:
• MD5 tests to check for any changes
• Checks the binaries and system tools for any rootkits
• Checks for Trojan-specific characteristics
• Checks for any suspicious file properties of the most commonly used programs
• Scans for any promiscuous interfaces
87.
Screenshot: Rkhunter
Figure: Rkhunter conducting a series of tests
Figure: Rkhunter checking for rootkits
88.
chkrootkit
chkrootkit is a common Unix-based program intended to check a system for known rootkits
Commands used with chkrootkit are:
• # chkrootkit -l : lists all the tests conducted on the system
• # chkrootkit -x : runs chkrootkit in expert mode
89.
chkrootkit (cont’d)
chkrootkit uses the below functions to check for signs of a rootkit:
Function: Description
• chkrootkit: Shell script that checks system binaries for rootkit modification
• ifpromisc.c: Checks if the interface is in promiscuous mode
• chklastlog.c: Checks for lastlog deletions
• chkwtmp.c: Checks for wtmp deletions
• check_wtmpx.c: Checks for wtmpx deletions
• chkproc.c: Checks for signs of LKM trojans
• chkdirs.c: Checks for signs of LKM trojans
• strings.c: Quick and dirty strings replacement
• chkutmp.c: Checks for utmp deletions
90.
IceSword
IceSword is a tool which loads a kernel driver, IsPubDrv.sys
It lists processes, services, open/listening ports, kernel drivers, System Service Descriptor Table entries, BHOs, message hooks, and registry keys
91.
Summary
Computer viruses are software programs meant to infect computers from one to another and interrupt computer operations
A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
Most viruses operate in two phases: Infection Phase, Attack Phase
Virus Detection Methods are: Scanning, Integrity Checking, Interception
A Trojan horse is a malicious, security-breaking program that is disguised as a useful program
Spyware is software installed on the computer without the knowledge of the user