INDEX

Numbers and Symbols
3Com TFTP 2.0.1
    downloading and installing, 42–43
    public exploit for transport mode vulnerability, 427–429
3CTftpSvc process, attaching, 424–425
3CTftpSvc.exe, 295
7-Zip programs, 10
& (ampersand), for running commands in browser, 328
\\ (double backslashes), for escape, 186
> symbol, for redirecting input, 61
>> operator, 61, 81
#include command (C), 84
| (pipe), 65
/ (slash), as delimiter character in sed, 65

A
absolute path, 56
Address Resolution Protocol (ARP) basics, 161–163
address space layout randomization (ASLR), 364, 440
adduser command, 58–59, 309
administrative privileges
    gaining to control domain, 296
    for Windows 7 applications, 285
Administrator password, for Windows, 33
Adobe Acrobat Reader, 225–226
    installing, 46
Advanced Execution Standard (AES), 269
Advanced Packaging Tool (apt), 66
Aircrack-ng
    cracking WEP keys with, 347–350
    cracking WPA/WPA2 keys with, 353–356
Aireplay-ng
    to force client reconnection, 354
    rebroadcasting ARP packets with, 348
airmon-ng check kill command, 342
Airmon-ng script, 341–342
airodump-ng command, 342–343, 347
all users, permissions for, 62
ampersand (&), for running commands in browser, 328
Android, 456
    emulators, 449
        setting up, 22–27
        starting, 26–27
    relationship with security updates, 457
    scripting languages vs. C code, 468
    SDK manager, 23
    software
        building, 449–450
        deploying, 450–451
        installing, 24
    Virtual Device Manager, 24–25
Android Master Key vulnerability, 459, 462–463
anonymous user, on Windows XP target, 157
antivirus application avoidance, 257–275
    hiding in plain sight, 274
    Microsoft Security Essentials, 261–262
    payload hiding, 263–274
    Railgun, 283
    trojans, 258–259
    with Veil-Evasion, 270–274
    VirusTotal, 262–263
antivirus applications
    how they work, 260–261
    signatures for, 438
antivirus definitions, 260
Apache server
    default "It Works" page, 169–170
    installing, 44
APK file, 461–464
APKTool, installing, 462
appending text to file, 61
apt (Advanced Packaging Tool), 66
argument string, Perl for creating, 376
ARP (Address Resolution Protocol) basics, 161–163
ARP cache poisoning, 160–166
    with Arpspoof, 164–165
    as bottleneck, 166
    impersonating default gateway with, 165–166
ARP request
    generating, 349
    relay attack, generating IVs with, 348–349
Arpspoof, ARP cache poisoning with, 164–165
ASLR (address space layout randomization), 364, 440
assembly instructions, converting to shellcode, 398–399
Atftpd TFTP server, 187
attack string, finding in memory, 408–411
Aurora exploit, 220–222
authentication, fake, 347–348
authorization, for penetration test, 3
automatic security updates
    opting out, in Windows 7, 50
    turning off, 34
AutoRunScript parameter, for Metasploit, 224–225
auxiliary/server/capture/smb module, 302
awk command (sed), 66

B
backdoored code, 458–461
    testing from, 193–194
background command (Meterpreter), 311
background job, killing in Metasploit, 222
BackTrack Linux, 55
bar codes, QR (quick response) codes, 447
Bash command processor, 56
Bash scripts, 75–81
    else statement in, 78
    for loop in, 78–79
    if statement in, 77–78
    pinging hosts on network with, 76
    running, 77
    streamlining results, 79–81
    then statement in, 78
.bash_history file, 295–296
BeEF (Browser Exploitation Framework), 331–335
bind payload, 307
bind shell payload, 102–103
bind shells, 71, 98, 180
bitwise XOR operation, 344
Bkhive, 205
Blackboard, Java for, 241
BookApp custom web application
    attacking, 313–337
    installing, 53–54
booting
    Kali Linux, 11
    virtual machine delay in, 207
bootkey, 189, 205
breakpoints in program, 368
    running program to next, 370
    setting, 393
bridged network, for VMware connection, 13, 14, 16, 31, 48
Browser Exploitation Framework (BeEF), 331–335
browser_autopwn module, 235–237
browsers
    & for running commands in, 328
    attack for opening link in mobile, 455
    autopwning, 237
    exploitation, 219–225
brute forcing, 198
    LM-hashed passwords, 208
    MD5 hashes, 212
    NTLM-hashed passwords, 210–211
    use in Hyperion, 269
    WPS pin, 356–357
buffer overflow
    in Linux, 364–378
    preventing exploits, 439–440
    in third-party software, exploiting, 190–191
    War-FTP crash due to, 384
    in Windows, 379–400
bugs, finding with code review, 422
Bully, cracking WPS with, 357
Burp Proxy, web application testing with, 314–319
Burp Repeater, 314
Burp Spider, 314

C
C programs, 84–85
    for Android devices, 468
    causing crash, 366–367
    memory use, 363–364
    vulnerability to stack-based buffer overflow, 365–366
CA (certificate authority), 171
Cadaver, 150–151, 182
Cain and Abel for Windows, 304
Cain password tool, 303
calling conventions, 390
canaries, 440
capturing traffic, 155–175. See also Wireshark
    ARP cache poisoning, 160–166
    DNS cache poisoning, 167–169
    networking for, 156
    on wireless network, 342–343
cat command, 61
cat /etc/shadow command, 194
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 351
cd command, 56
CERTCN option, 234
certificate, for Java applet, 234
certificate authority (CA), 171
ceWL custom wordlist generator, 200–201
check function, in Metasploit exploits, 147–148
chmod command, 62
    making script executable, 76
clients
    Aireplay-ng to force reconnection, 354
    contact information for, 3
    exploiting vulnerability in, 88
    goals for pentest, 3
client-side attacks
    exploitation with, 218–239
    mobile hacking, 454–457
clipboard (Windows), stealing data from, 334
closing
    handler, 228
    shell, 100
code review, finding bugs with, 422
command line arguments, in C, 84
command shell
    opening listener, 70–71
    pushing back to listener, 71–72
commands. See also specific commands
    executing, 327–329
    learning about, 57–58
Common Vulnerabilities and Exposures (CVE) system, 142
Common Vulnerability Scoring System (CVSS), 140
compromised service, exploitation of, 193–194
computer name, for Windows, 33
Conficker worm, 90
configuration file
    cracking passwords, 212–213
    downloading, 188–189
connect function (Python), 83
connect_ex function (Python), 83
connect_udp function, 435
contact information, for client, 3
continue command (GDB), 370
copying file, 60
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), 351
cp command, 60
CPUs, registers in Intel-based, 362–363
crashes, 151
    attempting with fuzzing, 424–426
    causing, 382–384
    in GDB, 372–373
    in War-FTP, 397–398, 403
CRC-32 (Cyclic Redundancy Check 32), 346
CreateThread API, 271
Credential Harvester Attack Method, 251–252
credentials, 174
    brute force to find, 198
    for FTP server, 160
    gathering, 292–294
    in Nessus, 137
    stealing stored, 294
cron jobs
    automating tasks with, 72–73
    creating, 311
crontab files, 72
cross-site request forgery (CSRF), 335
cross-site scripting (XSS), 329–335
    checking for reflective vulnerability, 330
    leveraging with BeEF, 331–335
Crunch tool, 201
CSRF (cross-site request forgery), 335
Ctypes library (Python), 271
custom cross compiling, 266–269
cut command, 65, 80
CVE (Common Vulnerabilities and Exposures) system, 142
CVE-2008-2992, 225–228
CVSS (Common Vulnerability Scoring System), 140
Cyclic Redundancy Check 32 (CRC-32), 346
cyclical pattern, generating to determine offset, 385–388

D
data execution prevention (DEP), 364, 441
data manipulation, in Kali Linux, 64–66
database
    dumping with SQLMap, 322
    exploiting access to, 188
    finding name of first, 321
    for SPF, 448–449
debugger, installing, 46
debugging information, for GDB, 366
default gateway, 68
    ARP cache poisoning for impersonating, 165–166
    finding, 38
default payload, for Metasploit, 97
default port, for Simple Mail Transfer Protocol (SMTP), 124
delegation token, 300–301
deleting
    files, 60
    final character from each line, sed command for, 81
demilitarized zone, 304
denial-of-service (DoS) condition, 163
DEP (data execution prevention), 364, 441
deploying Android application, 450–451
Destination Host Unreachable message, 39
/dev/urandom file (Linux), 267
DHCP (dynamic host configuration protocol), 68
dictionary attack, against WPA/WPA2, 356
dictionary words, in passwords, 198
directories
    changing, 56–57
    creating, 60
    displaying current, 56
disass command (GDB), 370–371
DNS. See Domain Name System (DNS)
DNS cache poisoning, 167–169
Dnsspoof, 169
documentation, 57. See also man pages
domain
    adding administrator account, 309
    getting administrative access to, 296
    setup for simulating, 39–40
    users, password hashes for, 302
Domain Name System (DNS)
    reconnaissance, 116–118
    zone transfers, 117–118
domain names, resolution, 167
domain registrars, 115
DoS (denial-of-service) condition, 163
double backslashes (\\), for escape, 186
downloading
    3Com TFTP 2.0.1, 42–43
    Kali Linux, 10
    payload by users, 105
    sensitive files, 188–189
    SLMail 5.5, 41–42
    Smartphone Pentest Framework (SPF), 27–28
    with TFTP, 187–188
    War-FTP, 46
    Windows SAM, 189
    WinSCP, 46
dpkg command, 18
dual-homed systems, 304
dynamic analysis, 261
dynamic host configuration protocol (DHCP), 68

E
EAX register, 362, 403
EBP register, 362, 363, 369, 390
EBX register, 362
echo command, 61, 76
ECX register, 363
EDI register, 362, 390
editing files, 62–64
EDX register, 363
EIP register, 362, 363
    controlling, 373–375
    locating, 384–388
execute (x) permissions, 62
execution
    hijacking as goal, 373
    hijacking in Linux, 375–376
    hijacking in Windows, 390–395
executive summary of report, 5
exploit code, repositories of, 88
exploit command (Metasploit), 97
Exploit Database, 88, 427
exploit target, for Metasploit, 95
exploit/multi/browser/java_signed_applet module, 233–234
exploitation, 179–196
    of buffer overflow in third-party software, 190–191
    with client-side attacks, 218–239
    of compromised service, 193–194
    with Java, 230–235