DOCSLIB.ORG

Botnet Reverse Engineering and Call Sequence Recovery and Submitted in Partial Fulfillment of the Requirements for the Degree Of

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Botnet Reverse Engineering and Call Sequence Recovery and Submitted in Partial Fulfillment of the Requirements for the Degree Of BOTNET REVERSE ENGINEERING AND CALL SEQUENCE RECOVERY PROSENJIT SINHA A THESIS IN THE DEPARTMENT OF COMPUTER SCIENCE PRESENTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF COMPUTER SCIENCE CONCORDIA UNIVERSITY MONTRÉAL,QUÉBEC,CANADA FEBRUARY 2011 c PROSENJIT SINHA, 2011 CONCORDIA UNIVERSITY School of Graduate Studies This is to certify that the thesis prepared By: Prosenjit Sinha Entitled: Botnet Reverse Engineering and Call Sequence Recovery and submitted in partial fulfillment of the requirements for the degree of Master of Computer Science complies with the regulations of the University and meets the accepted standards with respect to originality and quality. Signed by the final examining committee: ______________________________________Dr. Adam Krzyzak Chair ______________________________________Dr. Terry Fancott Examiner ______________________________________Dr. Benjamin Fung Examiner ______________________________________Dr. Mourad Debbabi Supervisor Approved by ________________________________________________ Chair of Department or Graduate Program Director ________________________________________________ Dean of Faculty Date ________________________________________________February 17, 2011 Abstract Botnet Reverse Engineering and Call Sequence Recovery Prosenjit Sinha The focus on computer security has increased due to the ubiquitous use of Internet. Criminals mistreat the anonymous and insidious traits of Internet to commit monetary on- line fraud, theft and extortion. Botnets are the prominent vehicle for committing online crimes. They provide platform for a botmaster to control a large group of infected Internet- connected computers. Botmaster exploits this large group of connected computers to send spam, commit click fraud, install adware/spyware, flood specific network from distributed locations, host phishing sites and steal personal credentials. All these activities pose se- rious threat for individuals and organizations. Furthermore, the situation demands more attention since the research and the development of underground criminal industry is faster than security research industry. To cope up against the ever growing botnet threats, security researchers as well as Internet-users need cognizance on the recent trends and techniques of botnets. In this thesis, we analyze in-depth by reverse engineering two prominent bot- nets namely, Mariposa and Zeus. The findings of the analysis may foster the knowledge of security researchers in multiple dimensions to deal with the botnet issue. To enhance the abstraction and visualization techniques of reverse engineering, we develop a tool which is used for detailed outlook of call sequences. iii Acknowledgments I would like to express my sincere gratitude to my supervisor Mourad Debbabi for his guidance and help throughout the research work. He encouraged me patiently to achieve my research successfully and develop creative thinking. I am proud to get the opportunity to work with him. I would also like to acknowledge all my co-researchers at the National Cyber-Forensics and Training Alliance (NCFTA) CANADA, for helping in my research with their technical expertise. Finally, I would like to thank my wife Arundhati Sinha and my parrents for their constant love, support and encouragement, without which this work would not be possible. iv Contents List of Figures x List of Tables xiii List of Acronyms xv 1 Introduction 1 1.1 Motivations .................................. 2 1.2 Objectives ................................... 5 1.3 Contributions ................................. 6 1.4 Thesis Organization .............................. 7 2 Malware and Malware Analysis 8 2.1 Overview of Malware ............................. 8 2.1.1 Viruses ................................ 9 2.1.2 Worms ................................ 10 2.1.3 Trojans ................................ 10 2.1.4 Rootkits ................................ 11 v 2.1.5 Botnets ................................ 11 2.2 Sophistication of Botnet Techniques ..................... 20 2.2.1 Encryption .............................. 21 2.2.2 Polymorphism ............................ 21 2.2.3 Metamorphism ............................ 21 2.2.4 Multithreading ............................ 22 2.2.5 Stealth Techniques .......................... 22 2.2.6 Anti-analysis Techniques ....................... 23 2.3 Reverse Engineering ............................. 25 2.3.1 Reversing Malicious Software .................... 26 2.3.2 Assembly Language ......................... 27 2.3.3 Basic x86 Architecture ........................ 27 2.4 Miscellaneous Analysis ............................ 29 2.4.1 File Fingerprinting .......................... 29 2.4.2 AV Testing .............................. 30 2.4.3 String Analysis ............................ 30 2.4.4 Packer Detection ........................... 30 2.5 Reverse Code Analysis ............................ 31 2.5.1 Static Code Analysis ......................... 31 2.5.2 Live Code Analysis .......................... 32 2.5.3 Disassembler ............................. 32 2.5.4 Decompiler .............................. 33 vi 2.5.5 Debugger ............................... 33 2.6 Behavioral Analysis .............................. 36 2.6.1 Registry Monitoring ......................... 37 2.6.2 Process Monitoring .......................... 38 2.6.3 File System Monitoring ....................... 39 2.6.4 InstallSpy ............................... 40 2.6.5 SysAnalyzer ............................. 40 2.6.6 Network Monitoring ......................... 41 2.6.7 Capture BAT ............................. 41 2.6.8 Sandboxes .............................. 42 2.7 Literature Review ............................... 43 2.8 Summary ................................... 45 3 Reversing Mariposa Botnet 46 3.1 Overview ................................... 47 3.2 Behavioral Analysis .............................. 49 3.2.1 Environment setup .......................... 49 3.2.2 Network Analysis ........................... 51 3.2.3 Sandbox Analysis .......................... 54 3.3 Dynamic Code Analysis ........................... 56 3.3.1 De-obfuscation and Decryption ................... 58 3.3.2 Anti-debugging traps in Mariposa .................. 59 vii 3.3.3 Second Layer Decryption ...................... 62 3.3.4 Code Injection ............................ 65 3.3.5 Injected Thread Activity ....................... 71 3.4 Modules .................................... 75 3.4.1 Spreader Module ........................... 75 3.4.2 Uploader and Downloader Modules ................. 79 3.5 Functional diagram .............................. 80 3.6 Summary ................................... 82 4 Zeus Crimeware Analysis 83 4.1 Overview ................................... 83 4.2 Zeus components ............................... 85 4.2.1 C&C Server .............................. 85 4.2.2 Bot Builder .............................. 86 4.3 Network Analysis ............................... 93 4.4 Reverse Engineering of Zeus ......................... 95 4.4.1 Revealing De-obfuscation ...................... 97 4.4.2 Code Injection and Installation ....................101 4.4.3 After-Injection Activity ........................103 4.5 Key Extraction ................................104 4.5.1 Automated Key Extraction ......................105 4.6 Summary ...................................106 viii 5 Control Flow Visualization 107 5.1 Low-level Program Comprehension .....................110 5.2 Tracks: The Sequence Viewer ........................111 5.2.1 Static Control Flow ..........................111 5.2.2 Dynamic Control Flow ........................112 5.2.3 Navigation History ..........................114 5.2.4 Diagram Features ...........................115 5.2.5 Design and Implementation .....................115 5.3 Case Study ..................................118 5.3.1 Obfuscation and Decryption .....................120 5.3.2 Injection Phase ............................122 5.3.3 Injection Preparation .........................123 5.3.4 Injection ...............................125 5.3.5 After Injection ............................125 5.4 Analysis ....................................126 5.5 Summary ...................................130 6 Conclusion 131 6.1 Summary ...................................131 6.2 Future Work ..................................133 Appendix 135 ix List of Figures 2.1 Simple Autorun File ............................. 20 2.2 Typical IDA Pro Screen ............................ 35 2.3 IDA Pro Graphical View ........................... 36 2.4 IDAStealth Interface ............................. 37 2.5 Regshot Interface ............................... 38 2.6 Process Explorer Interface .......................... 39 3.7 Confined Environment Structure ....................... 50 3.8 Mariposa Bot Initialization Protocol ..................... 52 3.9 Mariposa Bot Liveness Protocol ....................... 53 3.10 Mariposa Bot Action Protocol ........................ 54 3.11 Mariposa File System Activity By GFI Sandbox ............... 55 3.12 Mariposa Registry Activity By GFI Sandbox ................. 55 3.13 Mariposa Network Activity By GFI Sandbox ................ 56 3.14 Mariposa Decryption Phases ......................... 57 3.15 Unwanted Loop ................................ 58 3.16 First Decryption Routine ........................... 59 x 3.17 Stack Segment Register Trap in Mariposa .................. 61 3.18 OutputDebugString Trap in Mariposa .................... 62 3.19 Second Layer Decryption ..........................
Load more

Recommended publications
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
    [Show full text]
  • Undergraduate Report
    UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 IINSTITUTE FOR SYSTEMSR RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technol- ogy/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu Attack Evolution 1 Attack Evolution: Identifying Attack Evolution Characteristics To Predict Future Attacks MaryTheresa Monahan-Pendergast Dr. Michel Cukier Dr. Linda C. Schmidt Dr. Paige Smith Institute of Systems Research University of Maryland Attack Evolution 2 ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually
    [Show full text]
  • Synthesizing Near-Optimal Malware Specifications from Suspicious
    Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors Somesh Jha∗, Matthew Fredrikson∗, Mihai Christodoresu†, Reiner Sailer‡, Xifeng Yan§ ∗University of Wisconsin–Madison, †Qualcomm Research Silicon Valley, ‡IBM T.J Watson Research Center, §University of California–Santa Barbara Abstract—Behavior-based detection techniques are a promis- and errors. ing solution to the problem of malware proliferation. However, We make the observation that behavioral specifications they require precise specifications of malicious behavior that do not result in an excessive number of false alarms, while still are best viewed as a form of discriminative specification.A remaining general enough to detect new variants before tradi- discriminative specification describes the unique properties tional signatures can be created and distributed. In this paper, of a given class, in contrast to the properties exhibited by we present an automatic technique for extracting optimally discriminative specifications a second mutually-exclusive class. This paper presents an , which uniquely identify a class automated technique that combines program analysis, graph of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based mining, and stochastic optimization to synthesize malware on graph mining and stochastic optimization, scales to large behavior specifications. We represent program behaviors as classes of programs. When this work was originally published, graphs that are mined for discriminative patterns. As there the technique yielded favorable results on malware targeted are many ways in which malware can accomplish the same towards workstations (~86% detection rates on new malware). goal, we use these patterns as building blocks for construct- We believe that it can be brought to bear on emerging malware- based threats for new platforms, and discuss several promising ing discriminative specifications that are general across vari- avenues for future work in this direction.
    [Show full text]
  • Cyber Warfare a “Nuclear Option”?
    CYBER WARFARE A “NUCLEAR OPTION”? ANDREW F. KREPINEVICH CYBER WARFARE: A “NUCLEAR OPTION”? BY ANDREW KREPINEVICH 2012 © 2012 Center for Strategic and Budgetary Assessments. All rights reserved. About the Center for Strategic and Budgetary Assessments The Center for Strategic and Budgetary Assessments (CSBA) is an independent, nonpartisan policy research institute established to promote innovative thinking and debate about national security strategy and investment options. CSBA’s goal is to enable policymakers to make informed decisions on matters of strategy, secu- rity policy and resource allocation. CSBA provides timely, impartial, and insight- ful analyses to senior decision makers in the executive and legislative branches, as well as to the media and the broader national security community. CSBA encour- ages thoughtful participation in the development of national security strategy and policy, and in the allocation of scarce human and capital resources. CSBA’s analysis and outreach focus on key questions related to existing and emerging threats to US national security. Meeting these challenges will require transforming the national security establishment, and we are devoted to helping achieve this end. About the Author Dr. Andrew F. Krepinevich, Jr. is the President of the Center for Strategic and Budgetary Assessments, which he joined following a 21-year career in the U.S. Army. He has served in the Department of Defense’s Office of Net Assessment, on the personal staff of three secretaries of defense, the National Defense Panel, the Defense Science Board Task Force on Joint Experimentation, and the Defense Policy Board. He is the author of 7 Deadly Scenarios: A Military Futurist Explores War in the 21st Century and The Army and Vietnam.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Lexisnexis® Congressional Copyright 2003 Fdchemedia, Inc. All Rights
    LexisNexis® Congressional Copyright 2003 FDCHeMedia, Inc. All Rights Reserved. Federal Document Clearing House Congressional Testimony September 10, 2003 Wednesday SECTION: CAPITOL HILL HEARING TESTIMONY LENGTH: 4090 words COMMITTEE: HOUSE GOVERNMENT REFORM SUBCOMMITTEE: TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS, AND CENSUS HEADLINE: COMPUTER VIRUS PROTECTION TESTIMONY-BY: RICHARD PETHIA, DIRECTOR AFFILIATION: CERT COORDINATION CENTER BODY: Statement of Richard Pethia Director, CERT Coordination Center Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census Committee on House Government Reform September 10, 2003 Introduction Mr. Chairman and Members of the Subcommittee: My name is Rich Pethia. I am the director of the CERTO Coordination Center (CERT/CC). Thank you for the opportunity to testify on the important issue of cyber security. Today I will discuss viruses and worms and the steps we must take to protect our systems from them. The CERT/CC was formed in 1988 as a direct result of the first Internet worm. It was the first computer security incident to make headline news, serving as a wake-up call for network security. In response, the CERT/CC was established by the Defense Advanced Research Projects Agency at Carnegie Mellon University's Software Engineering Institute, in Pittsburgh. Our mission is to serve as a focal point to help resolve computer security incidents and vulnerabilities, to help others establish incident response capabilities, and to raise awareness of computer security issues and help people understand the steps they need to take to better protect their systems. We activated the center in just two weeks, and we have worked hard to maintain our ability to react quickly.
    [Show full text]
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner ETH Zurich, Switzerland [email protected] DIMVA 2005, Wien, Austria Agenda 1) Introduction 2) Flow-Level Backbone Traffic 3) Network Worm Blaster.A 4) E-Mail Worm Sobig.F 5) Conclusions and Outlook © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -2- 1) Introduction Authors Prof. Dr. Bernhard Plattner Professor, ETH Zurich (since 1988) Head of the Communication Systems Group at the Computer Engineering and Networks Laboratory TIK Prorector of education at ETH Zurich (since 2005) Thomas Dübendorfer Dipl. Informatik-Ing., ETH Zurich, Switzerland (2001) ISC2 CISSP (Certified Information System Security Professional) (2003) PhD student at TIK, ETH Zurich (since 2001) Network security research in the context of the DDoSVax project at ETH Further authors: Arno Wagner, Theus Hossmann © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -3- 1) Introduction Worm Analysis Why analyse Internet worms? • basis for research and development of: • worm detection methods • effective countermeasures • understand network impact of worms Wasn‘t this already done by anti-virus software vendors? • Anti-virus software works with host-centric signatures Research method used 1. Execute worm code in an Internet-like testbed and observe infections 2. Measure packet-level traffic and determine network-centric worm signatures on flow-level 3. Extensive analysis of flow-level traffic of the actual worm outbreaks captured in a Swiss backbone © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -4- 1) Introduction Related Work Internet backbone worm analyses: • Many theoretical worm spreading models and simulations exist (e.g.
    [Show full text]
  • Computer Security CS 426 Lecture 15
    Computer Security CS 426 Lecture 15 Malwares CS426 Fall 2010/Lecture 15 1 Trapdoor • SttitittSecret entry point into a system – Specific user identifier or password that circumvents normal security procedures. • Commonlyyy used by developers – Could be included in a compiler. CS426 Fall 2010/Lecture 15 2 Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met – E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system – Modify/delete files/disks CS426 Fall 2010/Lecture 15 3 Examppgle of Logic Bomb • In 1982 , the Trans-Siber ian Pipe line inc iden t occurred. A KGB operative was to steal the plans fhititdtltditfor a sophisticated control system and its software from a Canadian firm, for use on their Siberi an pi peli ne. The CIA was tippe d o ff by documents in the Farewell Dossier and had the company itlibbithinsert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monu mental non-nu clear ex plosion and fire ever seen from space“. CS426 Fall 2010/Lecture 15 4 Trojan Horse • Program with an overt Example: Attacker: (expected) and covert effect Place the following file cp /bin/sh /tmp/.xxsh – Appears normal/expected chmod u+s,o+x /tmp/.xxsh – Covert effect violates security policy rm ./ls • User tricked into executing ls $* Trojan horse as /homes/victim/ls – Expects (and sees) overt behavior – Covert effect performed with • Victim user’s authorization ls CS426 Fall 2010/Lecture 15 5 Virus • Self-replicating
    [Show full text]
  • MODELING the PROPAGATION of WORMS in NETWORKS: a SURVEY 943 in Section 2, Which Set the Stage for Later Sections
    942 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 16, NO. 2, SECOND QUARTER 2014 Modeling the Propagation of Worms in Networks: ASurvey Yini Wang, Sheng Wen, Yang Xiang, Senior Member, IEEE, and Wanlei Zhou, Senior Member, IEEE, Abstract—There are the two common means for propagating attacks account for 1/4 of the total threats in 2009 and nearly worms: scanning vulnerable computers in the network and 1/5 of the total threats in 2010. In order to prevent worms from spreading through topological neighbors. Modeling the propa- spreading into a large scale, researchers focus on modeling gation of worms can help us understand how worms spread and devise effective defense strategies. However, most previous their propagation and then, on the basis of it, investigate the researches either focus on their proposed work or pay attention optimized countermeasures. Similar to the research of some to exploring detection and defense system. Few of them gives a nature disasters, like earthquake and tsunami, the modeling comprehensive analysis in modeling the propagation of worms can help us understand and characterize the key properties of which is helpful for developing defense mechanism against their spreading. In this field, it is mandatory to guarantee the worms’ spreading. This paper presents a survey and comparison of worms’ propagation models according to two different spread- accuracy of the modeling before the derived countermeasures ing methods of worms. We first identify worms characteristics can be considered credible. In recent years, although a variety through their spreading behavior, and then classify various of models and algorithms have been proposed for modeling target discover techniques employed by them.
    [Show full text]
  • The Blaster Worm: Then and Now
    Worms The Blaster Worm: Then and Now The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm’s activity can provide insight into the evolution of Internet worms. MICHAEL n Wednesday, 16 July 2003, Microsoft and continued to BAILEY, EVAN Security Bulletin MS03-026 (www. infect new hosts COOKE, microsoft.com/security/incident/blast.mspx) more than a year later. By using a wide area network- FARNAM O announced a buffer overrun in the Windows monitoring technique that observes worm infection at- JAHANIAN, AND Remote Procedure Call (RPC) interface that could let tempts, we collected observations of the Blaster worm DAVID WATSON attackers execute arbitrary code. The flaw, which the during its onset in August 2003 and again in August 2004. University of Last Stage of Delirium (LSD) security group initially This let us study worm evolution and provides an excel- Michigan uncovered (http://lsd-pl.net/special.html), affected lent illustration of a worm’s four-phase life cycle, lending many Windows operating system versions, including insight into its latency, growth, decay, and persistence. JOSE NAZARIO NT 4.0, 2000, and XP. Arbor When the vulnerability was disclosed, no known How the Blaster worm attacks Networks public exploit existed, and Microsoft made a patch avail- The initial Blaster variant’s decompiled source code re- able through their Web site. The CERT Coordination veals its unique behavior (http://robertgraham.com/ Center and other security organizations issued advisories journal/030815-blaster.c).
    [Show full text]
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust
    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
    [Show full text]
  • Computer Security Fundamentals Third Edition
    Computer Security Fundamentals Third Edition Chuck Easttom 800 East 96th Street, Indianapolis, Indiana 46240 USA Computer Security Fundamentals, Third Edition Executive Editor Brett Bartow Copyright © 2016 by Pearson Education, Inc. All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or Acquisitions Editor transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, Betsy Brown without written permission from the publisher. No patent liability is assumed with respect Development Editor to the use of the information contained herein. Although every precaution has been taken in Christopher Cleveland the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information Managing Editor contained herein. Sandra Schroeder ISBN-13: 978-0-7897-5746-3 ISBN-10: 0-7897-5746-X Senior Project Editor Tonya Simpson Library of Congress control number: 2016940227 Copy Editor Printed in the United States of America Gill Editorial Services First Printing: May 2016 Indexer Brad Herriman Trademarks All terms mentioned in this book that are known to be trademarks or service marks have Proofreader been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this Paula Lowell information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Technical Editor Dr. Louay Karadsheh Warning and Disclaimer Publishing Coordinator Every effort has been made to make this book as complete and as accurate as possible, but Vanessa Evans no warranty or fitness is implied.
    [Show full text]