The best way to learn more about Trojans and malicious programs is to search for them on a system and look at the ways that they hide themselves.
6.1. Finding Malicious Programs
In this exercise, you will look at some common ways to find malicious code on a computer system.
Estimated Time: 30 minutes.
C:>netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:80 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING TCP 0.0.0.0:12345 0.0.0.0:0 LISTENING
6.2. Using a Scrap Document to Hide Malicious Code
In this exercise, you will use Notepad as a basic wrapper. Notepad will allow you to embed objects that can be executed simply by double-clicking on them.
Estimated Time: 15 minutes.
You have just completed a scan of your servers, and you found port 31337 open. Which of the following programs uses that port by default?
Which of the following programs can be used for port redirection?
Which of the following best describes a covert communication?
Which of the following best describes Netcat?
One of your user's Windows computers has been running slowly and performs erratically. After looking it over, you found the following file "watching.dll" that look suspicious. Which of the following programs uses that file?
Jane has noticed that her system is running strangely, yet when she ran netstat, everything looked fine. What should she do next?
You overheard a co-worker who is upset about not getting a promotion threaten to load FakeGina on to the boss's computer. What does FakeGina do?
Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?
What does the following command accomplish: nc -n -v -l -p 25
What is datapipe used for?
Dale watches his firewall setting closely and leaves off all unused ports. He has been told by several employees that some individuals are using services that are blocked. What technique might these employees use to accomplish this prohibited activity?
Which of the following is the correct type for a ping request?
What does the following command accomplish when issued from a victim's computer: fpipe -l 69 -r 53 -u 10.2.2.2?
What does the following command accomplish:
nc -u -v -w 1 10.2.2.2 135-139
Gil believes one of his workers is performing illegal activities on his work computer; he wants to install software key loggers on all employees' systems. What should be his number one concern?
Which of the following Trojans uses port 6666?
Which of the following best describes a wrapper?
Loki uses which of the following by default?
You have become concerned that one of your work stations might be infected with a malicious program. Which of the following netstat switches would be the best to use?
You have just completed a scan of your servers, and you found port 12345 open. Which of the following programs uses that port by default?
Answers to Exam Questions
1. B. BOK uses port 31337 by default. All other answers are incorrect, as Donald Dick uses port 23476, SubSeven uses port 6711, and NetBus uses port 12345.
2. D. FPipe is a source port forwarder/redirector. It can create a TCP or UDP stream with a source port of your choice. Answer A is incorrect, as Loki is a covert channel program. Answer B is incorrect because Recub is a Trojan. Answer C is incorrect, as Girlfriend is also a Trojan.
3. C. Covert communications can be described as sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSes on a network. Answer A is incorrect because it describes a Trojan. Answer B is incorrect because it describes a backdoor. Answer D is incorrect because it more accurately describes a virus or worm.
4. B. Netcat is a network utility for reading from and writing to network connections on either TCP or UDP. Because of its versatility, Netcat is also called the TCP/IP Swiss army knife. Answers A, C, and D are incorrect because Netcat is not a more powerful version of Snort and can be used on both Windows and Linux.
5. B. Watching.dll is one of the files that is loaded when SubSeven is installed. Answers A, C, and D are incorrect because none of the other Trojans install that file. NetBus installs KeyHook.dll. Donald Dick installs pmss.exe, and Loki is a Linux-based program. It does not run on Windows.
6. B. Jane should use a third-party tool that is known good. One way to ensure this is to download the file only from the developer's website and to verify that the fingerprint or MD5sum of the tool has remained unchanged. Answer A is incorrect, as the default install file for NetBus is patch.exe. Loading this on her computer will only compound her problems. Answer C is incorrect because if the computer does have a Trojan, it might be hard to determine when the point of infection occurred. Therefore, the recent backup might also be infected or corrupt. Answer D is incorrect because although the Trojan might have installed something in the startup folder, there are many other places that the hacker could hide elements of the tool, including the registry, system folders, and .ini files.
7. D. FakeGina captures login usernames and passwords that are entered at system startup. Answers A, B, and C are incorrect because FakeGina does not send out passwords by email, is not a hardware keystroke capture program (it is software based), and it only captures username and login information at startup.
8. B. ACKCMD uses TCP ACK packets to bypass ACLs that block incoming SYN packets. Answer A is incorrect, as Loki uses ICMP. Answer C is incorrect because Stealth Tools is used to alter the signature of a known Trojan or virus. Answer D is incorrect, as Firekiller 2000 is used to disable Norton antivirus or software firewall products.
9. D. Nc -n -v -l -p 25 opens a listener on TCP port 25 on the local computer. Answers A, B, and C are incorrect, as it does not allow the hacker to use a victim's mail server to send spam, it does not forward email, and it will not block traffic on port 25. (Actually, it listens on the port for incoming connections.)
10. A. Datapipe is a Linux redirector. It can be used for port redirection. This form of tool is useful when certain ports are blocked at the firewall. Answer B is incorrect because it is not a remote control Trojan. Answer C is incorrect, as it does not report open processed, and answer D is incorrect because it is not a Windows redirecting program; it is used for Linux and UNIX systems.
11. D. Tunneling software acts as a socks server, allowing you to use your Internet applications safely despite restrictive firewalls. Answer A is incorrect because systems infected with spyware would not behave in this manner. Spyware infected systems typically run slower and tend to go to URLs not requested or suffer from a barrage of pop-up ads. Answer B is incorrect because seeing that Dale watches his firewall closely, it is unlikely that they successfully attacked his firewall. Answer C is incorrect, as backdoor programs are used to bypass authentication.
12. D. An ICMP Ping request is a type 8. Answer A is incorrect, as a type 0 is a Ping reply. Answer B is incorrect, as a type 3 is a destination unreachable, and answer C is incorrect because a type 5 is a redirect.
13. D. Fpipe is used for port redirection: a technique that is useful behind a firewall. This command redirects traffic from UDP port 69 to port 53. The syntax is -l listen, -r redirect -u UDP, and the IP address is the IP address to bind to this command. Answers A, B, and C, are incorrect, as they do not properly define the syntax of the command.
14. C. The command nc -u -v -w 1 10.2.2.2 135-139 performs a UDP port scan, in verbose mode, and waits one second between scanning ports 135 to 139 on IP address 10.2.2.2. Answers A, B, and D are incorrect because they do not properly define the syntax that is given.
15. B. Gil should primarily be concerned that he has proper policy and procedures in place that address keystroke logging. He must also make sure that employees understand that they have no expected level of privacy when using company computers and might be monitored. Answers A and C are incorrect, as most of these programs are hard to detect. Answer D is incorrect because these programs can allocate a buffer big enough to store millions of keystrokes, so storage should not be a problem.
16. D. Beast uses port 6666 and is considered unique, as it uses injection technology. Answer A is incorrect because SubSeven uses port 6711. Answer B is incorrect because NetBus uses port 12345; and Answer C is incorrect, as Amitis uses port 27551.
17. D. Wrappers are used to package covert programs with overt programs. They act as a type of file joiner program or installation packager program. Answer A is incorrect, as wrappers do not tunnel programs; an example of a tunneling program would be Loki. Answer B is incorrect because wrappers are not used to cause a Trojan to execute when previewed in email; the user must be tricked into running the program. Answer C is incorrect, as wrappers are not used as backdoors. A back-door program allows unauthorized users to access and control a computer or a network without normal authentication.
18. A. Loki is a Trojan that opens and can be used as a backdoor to a victim's computer by using ICMP. Answer B is incorrect because Loki does not use UDP port 69 by default. Answer C is incorrect because Loki does not use TCP port 80 by default. Answer D is incorrect because Loki does not use IGRP.
19. A. Netstat -an would be the proper syntax -a displays all connections and listening ports. -n displays addresses and port numbers in numerical form. Answer B is incorrect, as -r displays the routing table. Answer C is incorrect because -p shows connections for a specific protocol, yet none was specified in the answer. Answer D is incorrect, as -s displays per-protocol statistics. By default, statistics are shown for TCP, UDP, and IP.
20. D. NetBus uses port 12345 by default. Answers A, B, and C are incorrect because Donald Dick uses 23476, BOK uses port 31337, and SubSeven uses port 6711.
Suggested Reading and Resources
www.giac.org/certified_professionals/practicals/gcih/0512.phpNetcat is your friend
www.bo2k.comBack Orifice official site
www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.htmlTrusted Computer System Evaluation Criteria (TCSEC)
www3.ca.com/Solutions/Collateral.asp?CID=37734&ID=Backdoor programs defined
searchsecurity.techtarget.com/tip/1,289483,sid14_gci1076172,00.htmlThe Nasty Truth About Spyware
Sniffers, Session Hijacking, and Denial of Service