1 00:00:01,390 --> 00:00:04,520 Welcome to a module that will focus on malicious programs.
2 00:00:05,740 --> 00:00:10,540 As we discovered in the previous module, a session is the last security boundary that Windows
3 00:00:10,540 --> 00:00:11,560 provides.
4 00:00:13,480 --> 00:00:18,180 Everything that runs below it, all the processes that you run in the context of a session,
5 00:00:18,280 --> 00:00:22,450 you run at your own risk.
6 00:00:22,590 --> 00:00:26,910 In this module I'd like to take a look at the threats related to the fact that a process might have
7 00:00:26,970 --> 00:00:30,320 unrestricted access to other processes in a session.
8 00:00:31,330 --> 00:00:36,460 If the session is run as an administrator, such a process may have access to the entire operating
9 00:00:36,460 --> 00:00:37,250 system.
10 00:00:42,500 --> 00:00:48,730 The first category of malicious software I'd like to analyze is Trojan horses.
11 00:00:48,830 --> 00:00:54,470 The term Trojan horse is often misapplied; the press and media are the biggest culprits here.
12 00:00:56,100 --> 00:01:00,900 It's often mentioned in the news that a Trojan horse was detected, or made it possible for intruders
13 00:01:00,900 --> 00:01:03,970 to attack the system or connect to a victim's computer.
14 00:01:06,710 --> 00:01:12,500 Actually, to be precise, it's the so-called backdoor that enables an attacker to obtain access to a targeted
15 00:01:12,500 --> 00:01:19,460 computer. The role of a Trojan horse is to disguise itself as another program.
16 00:01:19,460 --> 00:01:27,420 It's a user-targeted attack, and even if you remember to update your defense mechanisms, have a top-shelf
17 00:01:27,420 --> 00:01:29,990 anti-virus and the most expensive firewall,
18 00:01:30,020 --> 00:01:33,160 this doesn't matter with Trojans.
19 00:01:33,360 --> 00:01:38,540 If you launch a Trojan horse, your operating system will allow it to execute.
20 00:01:38,600 --> 00:01:41,270 It's an example of a social engineering attack.
21 00:01:44,090 --> 00:01:49,040 And since there are automated tools for generating Trojans on the Internet, this attack ranks among the
22 00:01:49,040 --> 00:01:58,570 most dangerous. We'll use here a rather old piece of software, created in 2003 or 2004 by Tataye, a Turk
23 00:01:58,600 --> 00:02:03,120 who went on to sell the tool online.
24 00:02:03,140 --> 00:02:07,710 The tool came in two versions: besides a demo, a free version,
25 00:02:07,710 --> 00:02:11,250 there was also a commercial version of the tool.
26 00:02:11,410 --> 00:02:16,120 Its creator disappeared from the Internet after some time.
27 00:02:16,150 --> 00:02:20,260 His last blog post said that he wished the program had never been developed and that he hoped that it
28 00:02:20,260 --> 00:02:22,930 would only be used for non-malicious purposes.
29 00:02:24,750 --> 00:02:30,100 Tataye now probably works for a government institution, or the institution took care of him in some
30 00:02:30,100 --> 00:02:31,010 other way.
31 00:02:33,550 --> 00:02:36,740 The program shown in this presentation is simple and quite old.
32 00:02:37,790 --> 00:02:42,960 Professional tools for creating Trojan horses offer a much wider variety of features,
33 00:02:43,960 --> 00:02:46,660 and they're even easier to use.
34 00:02:46,660 --> 00:02:49,930 This is why running an untrusted program carries risk.
35 00:02:53,140 --> 00:02:59,320 Various commercial reports indicate that a large portion, perhaps even 50 percent, of binary files shared
36 00:02:59,320 --> 00:03:05,500 over peer-to-peer networks and the like, and at least 10 percent of files shared on websites, are modified
37 00:03:05,500 --> 00:03:08,150 and have Trojans or backdoors added to them.
38 00:03:10,450 --> 00:03:13,230 Let's explore how easily Trojans can be created.
39 00:03:19,670 --> 00:03:22,910 We'll use Beast 2.07.
40 00:03:23,100 --> 00:03:30,270 This is a tool dedicated to building Trojan horses that you can find on the Internet. Trojan horses can
41 00:03:30,270 --> 00:03:37,970 be backdoors at the same time: once they're run on a remote computer, an attacker can obtain full control
42 00:03:37,970 --> 00:03:39,800 over the computer.
43 00:03:39,800 --> 00:03:42,490 That's why Beast is perfect for the presentation.
44 00:03:43,820 --> 00:03:46,630 We'll be able to see step by step how an attack proceeds.
45 00:03:49,150 --> 00:03:55,820 Modern environments used to generate Trojans are today much richer; their payload is usually more complicated
46 00:03:55,820 --> 00:04:01,480 than ejecting and inserting the CD drive of a remote machine, which is the goal we'll be trying to achieve.
47 00:04:03,320 --> 00:04:05,840 First we need to build a server.
48 00:04:05,840 --> 00:04:09,260 Building a server involves setting up some basic options for the server.
49 00:04:13,030 --> 00:04:15,470 Since we'll be trying to connect to a remote computer,
50 00:04:15,490 --> 00:04:18,800 it's better to make it connect to us rather than the other way around.
51 00:04:21,070 --> 00:04:25,660 The advantage of a reverse connection is that it eliminates one problem we mentioned earlier in the module:
52 00:04:25,660 --> 00:04:33,940 computer networks are protected by a firewall and/or an intrusion detection system. By making a trusted, protected
53 00:04:33,940 --> 00:04:36,650 computer connect to us rather than vice versa,
54 00:04:39,010 --> 00:04:41,590 this is a reversal of a TCP session.
55 00:04:42,820 --> 00:04:46,090 We could also try to hide in a different process.
56 00:04:46,220 --> 00:04:49,570 We'll talk about concealment methods later.
57 00:04:49,580 --> 00:04:52,150 Our process will run directly in the host process
58 00:04:52,160 --> 00:04:58,770 the program will bind to; as you can see, we can hide under any process.
59 00:04:58,830 --> 00:05:01,680 We can also create a service that will be run automatically:
60 00:05:06,160 --> 00:05:14,210 if a victim terminates a program to which we've added a Trojan, the Trojan will still work. Submit the IP
61 00:05:14,210 --> 00:05:19,730 address of the computer that's to be connected to by an infected computer in the Notifications tab.
62 00:05:19,760 --> 00:05:21,700 This is not the address of our computer,
63 00:05:21,830 --> 00:05:28,260 but, for example, the address of a computer we broke into yesterday.
64 00:05:28,340 --> 00:05:33,710 You can also ask the program to send out an e-mail to a submitted address.
65 00:05:33,730 --> 00:05:38,430 You can also be notified of a new victim through an instant messenger.
66 00:05:38,500 --> 00:05:40,830 We'll use the TCP protocol instead.
67 00:05:43,370 --> 00:05:48,320 You can specify on the Startup tab if your Trojan is to survive the termination of the program into which
68 00:05:48,320 --> 00:05:55,960 it's injected, or perhaps survive a system restart. Over the next modules we'll examine mechanisms for automatically
69 00:05:55,960 --> 00:05:58,340 running objects during system startup.
70 00:06:02,170 --> 00:06:06,400 It'll turn out that registry keys and ActiveX controls are a good place for hiding.
71 00:06:10,240 --> 00:06:16,000 The threat of detection by an anti-virus can be lowered by disabling one of over 300 anti-virus scanners
72 00:06:16,000 --> 00:06:25,080 in the AV-FW Kill tab.
73 00:06:25,140 --> 00:06:30,630 You can even disable them every five seconds, just in case a user fights back and tries to run them again
74 00:06:30,630 --> 00:06:35,450 and again. Since the XP firewall was so popular several years ago,
75 00:06:35,450 --> 00:06:38,720 it has its own checkbox.
76 00:06:38,820 --> 00:06:44,410 You can disable it here without having to go through a list of 300 programs.
77 00:06:44,410 --> 00:06:51,930 Another option allows you to enable a keylogger. A keylogger is a program that monitors the sequences
78 00:06:51,930 --> 00:06:59,420 of pressed keys on a remote computer. If it's enabled, it's enough to wait for a user to log onto a web
79 00:06:59,420 --> 00:07:04,030 site or run their mail program to obtain a password.
80 00:07:04,160 --> 00:07:07,820 It's not cached, of course, because the user protects the credentials.
81 00:07:11,530 --> 00:07:12,790 The server is built.
82 00:07:13,060 --> 00:07:14,190 Let's now save it.
83 00:07:16,750 --> 00:07:19,990 As you can see below, here's what our Trojan looks like.
84 00:07:21,520 --> 00:07:24,500 It's not highly probable that a user will decide to run it.
85 00:07:26,530 --> 00:07:32,230 If a program that's provided in this manner or found on a website is launched by a user, there's no
86 00:07:32,230 --> 00:07:34,630 use talking about system security anymore.
87 00:07:36,190 --> 00:07:40,000 Let's try to make the program more subtle.
88 00:07:40,160 --> 00:07:42,260 We'll use a binder for this purpose.
89 00:07:43,530 --> 00:07:47,820 We need to select the Trojan and then select some random popular application,
90 00:07:48,430 --> 00:07:55,720 for example the newest version of OpenOffice, or a decoder which will convert files from X to Y.
91 00:07:55,880 --> 00:08:02,980 We also want our Trojan horse to have the icon of the selected file rather than no icon. Click on Bind
92 00:08:02,980 --> 00:08:07,990 Files and save the modified program, making it seem like the newest free version of the program,
93 00:08:11,880 --> 00:08:14,450 for example ExactFile Free Version 3
94 00:08:14,500 --> 00:08:17,400 .exe.
95 00:08:17,600 --> 00:08:22,170 If you take a closer look at it, the program is a bit larger than the original software.
96 00:08:25,330 --> 00:08:31,030 I don't think anyone will notice this during the download.
97 00:08:31,130 --> 00:08:35,650 The program was copied to a remote computer for the purpose of this presentation.
98 00:08:35,970 --> 00:08:42,740 Ignore the social engineering aspect for a moment; simply assume that somehow we've succeeded in persuading
99 00:08:42,740 --> 00:08:45,020 the user to download and run the program.
100 00:08:46,680 --> 00:08:50,690 Let's see what happens if the victim runs the integrity checker with the injected code.
101 00:08:56,010 --> 00:08:58,870 To get a better picture of the attack as it unfolds,
102 00:08:58,920 --> 00:09:01,960 we'll also show you what happens on the attacker's computer.
103 00:09:03,710 --> 00:09:11,960 The victim launches the program, and it will start our server. In this way we're controlling two machines. Alice
104 00:09:12,090 --> 00:09:12,850 and Cecil
105 00:09:12,850 --> 00:09:16,520 are the users logged onto the computers.
106 00:09:16,690 --> 00:09:22,170 Cecil will become the first target. We'll use the Go Beast button to connect to a selected computer.
107 00:09:29,580 --> 00:09:30,460 Thanks to Beast,
108 00:09:30,480 --> 00:09:36,260 you can now view the directories on the victim's hard disk.
109 00:09:36,320 --> 00:09:41,390 You can download and delete files, change file names and run processes.
110 00:09:41,390 --> 00:09:45,130 You have control over the computer.
111 00:09:45,170 --> 00:09:53,370 You can also view the victim's configuration by looking at registry keys.
112 00:09:53,390 --> 00:09:56,870 You can also see the programs launched by the victim.
113 00:09:56,940 --> 00:09:58,560 The list includes our program.
114 00:10:03,330 --> 00:10:11,220 We'll simulate a scenario where the victim has, for example, opened a web browser. Using the Kill App button,
115 00:10:11,220 --> 00:10:20,980 you can terminate any program running on a remote computer.
116 00:10:21,010 --> 00:10:25,870 Besides these options, Beast offers many features added for entertainment.
117 00:10:26,050 --> 00:10:31,680 You can, for example, hide icons on the victim's desktop or eject and insert CD drives.
118 00:10:34,010 --> 00:10:39,770 If your computer begins to act up after you download and run the newest version of a program, icons appear
119 00:10:39,770 --> 00:10:43,430 and disappear, the system clock appears and disappears,
120 00:10:43,430 --> 00:10:46,700 strange processes are run or terminated,
121 00:10:46,760 --> 00:10:48,360 this is not Windows' fault.
122 00:10:50,580 --> 00:10:55,270 The cause could be that the program you ran contains an injected Trojan horse.
123 00:10:55,270 --> 00:10:59,100 Your system is now controlled by someone else.
124 00:10:59,150 --> 00:11:03,980 If you suspect that a given application can be the source of the problems and terminate it, you'll see
125 00:11:03,980 --> 00:11:07,320 that this doesn't bring about any changes.
126 00:11:07,370 --> 00:11:09,040 The Trojan is still running.
127 00:11:09,260 --> 00:11:16,620 And with that we're ending the first presentation on Trojan horses. Trojan horse attacks, which could
128 00:11:16,620 --> 00:11:23,650 be mounted for example using Beast, are a result of users' ignorance. To tell you the truth,
129 00:11:23,650 --> 00:11:25,870 ignorance is perhaps the wrong word here.
130 00:11:27,280 --> 00:11:31,840 Many people are perfectly aware of the risks related to running files you come across on the Internet
131 00:11:33,390 --> 00:11:38,280 but think that, since their computer doesn't contain any sensitive or important data, they can take the
132 00:11:38,280 --> 00:11:43,310 risk and download some program from the Internet instead of buying it.
133 00:11:43,350 --> 00:11:48,430 If the price is advertisement pop-ups and warnings, it can be afforded.
134 00:11:48,450 --> 00:11:53,340 Many people seem to decide that their data can be sacrificed and that it's worth it to take the risk
135 00:11:53,340 --> 00:11:56,260 that their computer can be used for attacking other systems.
136 00:11:57,300 --> 00:12:04,490 Running a program is more important for them. This approach is common, but it is still perilous, and the stakes
137 00:12:04,490 --> 00:12:05,390 are high.