MSC.BAT was used to initialize the persistent installation of the other two binaries, NTLHAFD.GCP and NTSVCHOST.EXE, and to clean up after the installation. A Windows registry Autorun key was set to provide persistence. NTLHAFD.GCP was the backdoor; it was encrypted with the RC4 stream cipher and compressed using the Zlib library (GReAT, 2013a). Before executing the decryption and memory-load routines, the loader, NTSVCHOST.EXE, first attempted to connect to legitimate Microsoft domains (update.microsoft.com, www.microsoft.com, and support.microsoft.com) to determine whether the victim computer could route to the internet. If the infected computer was not online, the loader would not decrypt the backdoor, NTLHAFD.GCP. When online, the loader would execute the decryption and memory-load routines, and the backdoor would communicate periodically with the designated Command-and-Control server. From an antivirus perspective, the backdoor on disk was encrypted, and the more nefarious code existed in unencrypted form only while in memory. Reverse engineering the malware therefore required either connecting it to the internet or tricking it into believing it was online.
Red October’s Second Stage – Command-and-Control and Loaded Modules

After successfully establishing a connection to one of the three hardcoded Command-and-Control servers built into every installation of Red October, the backdoor was capable of loading additional modules. Some of these
Received a call from Billy, had him take his computer off the network and boot it back up. Walked Billy through confirming he did have the crypto virus. Had Billy shut his computer back off, and informed him someone would be on their way to pick up his laptop. Explained to Billy we will need to wipe and reload his computer. With Chris from our office's assistance we located the files that were encrypted. Using a script created by Mark we confirmed it was only Billy’s user folder that was encrypted. We did find traces of help_decrypt in the QuickBooks folder, but the QuickBooks data was intact. Using Shadow Copy I restored Billy’s user folder back to 7:00 AM Tuesday, but his files were still encrypted. Restored back to Monday at 12:00 AM and confirmed
After the initial intrusion, malicious software referred to as a RAT (remote access Trojan) is installed on the victim host. The RAT is responsible for connecting to the attacker and regularly performing the actions the attacker instructs. At this point the intruder has full command and control (C2) over the target host. Notably, the initial connection is established by the victim host, not by the attacker [6]. This happens mainly for two reasons: (i) an organization's firewall usually allows connections initiated by internal hosts, and (ii) it helps the attacker avoid easy detection, because intrusion detection systems [7] can readily flag highly suspicious activity such as downloads initiated from outside hosts.
To answer question 1, the malware that I found in this assignment image is the application background process named ‘csrss.exe’. It runs after the Windows logon process completes and runs under the user profile. This malware randomly selects target files from the target location, C:\Documents and Settings\, and starts by renaming each target file from its normal extension to an extension ending in ‘1’, as shown in Figure 1 in Appendix A. After that, the malware passes the renamed file name to gpg2 for encryption. This means the malware tries to encrypt the user’s information on the system by using the ‘gpg2.exe’ application with a specific encryption key. The malware calls ‘gpg2.exe’ from the command line, as
When users suddenly find a process in the Task Manager named CTF Loader, they often do not know what it is. The file resides in C:\Windows\SysWOW64, and it is difficult to determine whether it is a virus or a genuine process. The file version is 6.3.9600.16384.
When BKDR_WIPALL.B is dropped, it stays dormant for 10 minutes before beginning to erase documents and stopping the Microsoft Exchange Information Store service. The malicious code then goes dormant again for two hours and forces the system to restart itself. BKDR_WIPALL.B is exceptionally aggressive and intrusive. It implements a feature that allows it to execute copies of itself with different parameters. With this mechanism the malware carries out different program tasks, including erasing records and dropping additional components. The additional component "usbdrv32.sys", for instance, gives attackers read/write access to introduce new files to the
This allowed the worm to be recognized as a device driver and to not be rejected by the Windows operating system.
this virus was more than they thought, they tried desperately to do anything they could try to
3. Install antivirus software (e.g. McAfee AV or ESET) with real-time protection or an internet security
This particular program is a Windows Trojan but what makes it unique is that it does not rely on the presence of a Windows binary file (an executable file on disk) to maintain its infection of a computer (Information on malware known as Poweliks, 2014).
To answer question 1, after we completed challenges 1 and 2, we already knew the malware's objectives and could identify the application tools the malware uses for encryption; refer to Figure 1 in Appendix A. The key material the malware uses in this image consists of two keys. The first is the public key, located in C:\WINDOWS\system32\csrss\NetServices\pubring.gpg. The second is the secret (private) key, located in C:\WINDOWS\system32\csrss\NetServices\secring.gpg. We can list all public key and secret key information by running the command below in a command-line application from the folder ‘C:\WINDOWS\system32\csrss\’
Moreover, while looking at processes not identified as a threat by Redline, one more suspicious process was identified. This process is named ‘UPnP.exe’. This innocuous-looking file is an executable that can be used to capture keyboard and mouse input and send it to a remote location (Spyware-net Database, 2016). All three of these processes are illustrated in Appendix A, Figure 4. Additionally, all of these processes can be identified by performing a hidden/terminated process scan (‘psscan’) using Volatility (Appendix A, Figure
Backing up your registry files can be extremely important when dealing with modifications to your registry. Why would someone want to tamper with these files if doing so can mess up your precious computer? Well, it's the same as people who shorten a computer part's lifespan by overclocking to gain better and faster performance. By backing up or saving these registry files before modifying the registry's content, you ensure that all the changes to your system can be reversed in case your computer doesn't work the way it did before you started modifying the registry. Another reason to back up these files is to protect the registry from viruses and the like. Some viruses and spyware add entries to your registry that make these harmful programs launch at startup, leaving you wondering "what's wrong with my computer". By backing up your registry files when they aren't infected, you can make sure these viruses are gone from your system by using a virus removal program and then importing your backed-up registry. To begin, click on the Start button with your mouse and then click on Run. When the little box appears, type in the word regedit and click OK. The registry window will appear; from here all you do is click on File and then click Export. Now just name the file to your liking, find a place to save it, and click Save. Any time you tamper with your registry files and find that the changes you chose are affecting your system's performance, simply follow these next
In Kim Zetter’s article, she describes how a “hacking tool, believed to be a product of the NSA” (Zetter, 2017), is not only disturbing but very impressive. The tool is known as “nls_933w.dll” and has the ability to create invisible storage, steal and hide data, and infect the ROM of a computer. The reason this is unsettling is that even if a user suspects a virus on their computer and completely reinstalls the operating system, the virus will not be touched. The malicious code will reside in the ROM chip and will still possess its ability to steal user information. The article goes on to mention that “even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for
Computer viruses are small programs that are “embedded inside an application or within a data file which can copy itself into another program” (Adams et al., 2008) for the sole purpose of meddling with normal computer operations. The consequences may range from corruption and deletion of data to propagation of the virus onto the network and deployment through email attachments, in order to further create havoc on all associated computing devices.
To understand the business of malware, one must understand how malware has evolved in the past twenty-five years. Malware, which includes all kinds of malicious software, was originally created to show the weaknesses of computers. The first type of malware, created in 1986, was a virus called Brain.A. “Brain.A was developed in Pakistan, by two brothers - Basit and Amjad. They wanted to prove that PC is not secure platform, so they created virus that was replicating using floppy disks” (Milošević). Even today, malware is still used to check the security of machines.