Standard User jamie543
(regular) Thu 23-Apr-15 19:58:45

Re: Realistic risks - drive jumping viruses & hackers


[re: Rygar1]
 
All I can say is the AntiVirus system must be rubbish if a user can disable it. I work for an IT firm and look after parts of our AntiVirus software. We have it set so that users cannot turn off on-access scanning etc. without knowing a password set up via McAfee EPO. We also have alerts set up for when our AntiVirus detects viruses/malware and what action the AntiVirus software has taken to remove the threat.
I can understand the need to disable on-access scanning some of the time, especially when installing software such as Oracle, as on-access scanning really slows the install process down.

Standard User nemeth782
(member) Thu 23-Apr-15 21:53:04

Re: Realistic risks - drive jumping viruses & hackers


[re: Rygar1]
 
Take ransomware as an example, it could encrypt any files it has write access to. That includes files on a shared drive, it doesn't need to execute on the file server.

A trojan allowing remote access and control of the laptop could have provided a hacker with a point of entry to the company network, within the company firewall. It could be executed on the laptop while at home with av disabled, then stop the av from later working correctly, then phone home when on the company lan and be used to access other machines.

It's all conjecture but the company are right to take it seriously.

Standard User majika2007
(member) Fri 24-Apr-15 00:42:27

Re: Realistic risks - drive jumping viruses & hackers


[re: Rygar1]
 
Hi Rygar1,

some of which I think are pretty exaggerated to say the least


I would personally consider any breach in security a very serious matter which opens the company up to all manner of possible issues.

FYI: Even the most up to date AV/ IDS systems can still be fooled via any number of tricks and techniques such as custom "undetectable" stubs and modifications of the PE in the case of a .exe/.scr/.pdf, etc.

Many Windows (and other) platforms have many exploitable runtimes, as was mentioned previously. A good example of a fairly insecure and easy-to-exploit runtime that is installed on most *win based OSes is Java JRE/JDK/JIT.

Even when processes are sandboxed you can break out and escalate and run arbitrary code. Several *new* vectors have recently been discovered and disclosed to the general public, as per the CVEs not so long ago.

Java is used here as one example, however there are many, many more holes which are 0day, 0sec exploits. Many are documented and many are not.

In answer to your question, as soon as a "hacker" (lol) gains a foothold in your system and is actively targeting your network(s) you're in obvious trouble. Furthermore, once a machine is exploited it remains vulnerable to any number of follow-up attacks (until patched) which can be launched from or targeted further towards the system(s) in question. Gaining the initial foothold, via whatever means was used in your case, could only be the start of a larger scale attack.

As was correctly mentioned above, there are a number of methods employed to get arbitrary code to execute. As an example, even a simple JPEG file can be corrupted to run malicious code via EXIF tags (http://en.wikipedia.org/wiki/Exchangeable_image_file_format)

Any sensitive information captured from your corporate LAN can also be concealed, easily transferred in/out and pushed through any F/W policies by simply using basic steganography techniques (http://en.wikipedia.org/wiki/Steganography) and masquerading as another data type, etc.

To take this example further, infected data can be passed on to your network's shared resources and propagated even further, and could prove another method to get malicious data to "jump" from machine to machine.

Again, these are all simple examples, however these are all quite easy to accomplish and quite simple to "chain together". Coupled with a rootkit and an undetectable header, they can fool most heuristics based AV scans. It all depends on the level of skill the attacker has; the value your data holds to the hacker 'or his/her employer' would give you a good idea about the approximate risks which you are facing.

From a personal perspective I have been both a target and also the one who had to "clean up" the mess of such cases as outlined in your OP.

Simple tools for penetration testing can reveal a great deal of holes in your system. These same tools can also be used to see what exactly has gone on if used in a whitehat perspective. The transportation methods used to get in/out of the infected system don't matter and can easily be "worked around" whether it's PPTP, L2TP, SSTP or PPPoE or whatever. The point is that "in the wild" there are payloads which exist to specifically tackle each and any obstacle in the attacker's path. The key part which seems to already have occurred is that a foothold has already been achieved.

Regarding actual viruses, this is a broad subject. Polymorphic based viruses/worms which mutate, leaving the original algorithm intact, can and will quite easily hop over to a second logical/physical disk, network attached or whatever, but a distinction should be made as to whether you are talking about a virus or a worm, which could be a metamorphic based algorithm, or a trojan/RAT, dropper, etc.
Any number of mechanisms can be used by the algorithm to propagate/replicate.

Worms are self managed/standalone. kind of like this:-

1) Infected host
2) Cloned itself into all .pst/.ost, etc files
3) used 6060 and irc to communicate to C&C
4) scanned a range of IP's within the initial target subnet and then random
5) used a dictionary based brute force attack to login to common network services
6) Downloaded a cacophony of other modules like CodeRed/Slammer, etc
7) scanned for open ssh/ftp/ ports and bruteforced.
8) sends itself to any number of vulnerable hosts found in the previous steps above,
9) rinse and repeat, etc..

Viruses work like this:
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.

1) infected
2) makes a copy of itself and inserts into another program (it may also change in the process)
3) transmits on execution of the infected file.
4) ...
5) ...
6) etc, etc


I don't feel comfortable with sharing detailed instructions on how to find virus source code on a public forum, and the same can be said for trojans etc., but a good port of call to begin with can be Metasploit, which was part of the Backtrack live boot *nix distro which has been forked to Kali (https://www.kali.org/). This will get you started, but with respect to researching live virus code I don't think sharing information here would be a good idea. There are several open FTPstros which contain some "older" code samples and there are plenty of open (public) forums, but the more modern "script-kiddie" one-click malicious tools are found predominantly on closed forums which provide more "custom" stubs, which are most likely still classed as undetected by AV scanners, which you could take a look at and I'm sure should not be too hard to find.

Tips: if you are trying to learn about virus code I suggest you make a virtual machine or, better still, use an air-gapped old machine.

Make use of virustotal.com to be sure that you are not accidentally infecting yourself prior to executing any test code which you may be researching.

If possible always try to grab the source code along with the binary or, better still, compile it yourself with VS2013/MinGW etc.

If you insist on learning about this stuff, a great resource is always the vulnerability databases to aid with your searches. (http://www.securityfocus.com/) <== there are also some useful tools here too.

Further reading on the differences: Viruses, Worms, Trojans, and Bots:
http://www.cisco.com/web/about/security/intelligence...


Also how serious a threat is direct hacking* when you are behind a router & software firewall? Again any links would be great (*Not the type of hacking that involves someone getting access to your machine because you clicked on a link in email or opened a dodgy attachment etc, actual proper hacking).


METASPLOIT :!:

All the tools/payloads/penetration testing tools are in there .
Scan a net range of your target,
once you map out the network
Identify a common vulnerability. nmap will help here
test and check to see if a segment of the mapped network is vulnerable open to exploits
Find a payload. Change some bytecode
send it off..
gain foothold.
come back later.
something like that...
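
The worm behaviour listed in the post above (steps 4, 5 and 7: sweeping a subnet, then dictionary attacks on login services) leaves a recognisable pattern in connection and authentication logs. The following is an added example, not part of any post in this thread; the log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

SCAN_HOSTS = 5   # assumed: distinct destinations on one port within WINDOW
FAIL_LIMIT = 4   # assumed: failed logins to one service within WINDOW
WINDOW = 60      # seconds

# Constructed sample events in a hypothetical "epoch src dst dport event" format.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.5.23 10.0.5.{i + 1} 22 CONNECT" for i in range(6)]
    + [f"{1010 + i} 10.0.5.23 10.0.5.4 22 AUTH_FAIL" for i in range(4)]
    + ["1015 10.0.5.23 10.0.5.4 22 AUTH_OK",
       "1020 10.0.5.40 10.0.5.4 22 CONNECT",    # ordinary user, one typo
       "1021 10.0.5.40 10.0.5.4 22 AUTH_FAIL",
       "1022 10.0.5.40 10.0.5.4 22 AUTH_OK",
       "-- truncated line --"])

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[3].isdigit():
            continue  # skip malformed lines instead of aborting the run
        ts, src, dst, port, event = parts
        yield int(ts), src, dst, int(port), event

def detect(log):
    """Return sorted (source, finding, detail) tuples for worm-like behaviour."""
    seen = defaultdict(list)    # (src, port) -> [(ts, dst)]
    fails = defaultdict(list)   # (src, dst, port) -> [ts]
    findings = set()
    for ts, src, dst, port, event in sorted(parse(log)):
        if event == "CONNECT":
            seen[(src, port)].append((ts, dst))
            recent = {d for t, d in seen[(src, port)] if ts - t <= WINDOW}
            if len(recent) >= SCAN_HOSTS:    # one source sweeping many hosts
                findings.add((src, "scan", f"port {port}"))
        elif event == "AUTH_FAIL":
            times = fails[(src, dst, port)]
            times.append(ts)
            if sum(1 for t in times if ts - t <= WINDOW) >= FAIL_LIMIT:
                findings.add((src, "bruteforce", f"{dst}:{port}"))
        elif event == "AUTH_OK" and len(fails[(src, dst, port)]) >= FAIL_LIMIT:
            # a success after many failures: the guessed account needs a reset
            findings.add((src, "login-after-bruteforce", f"{dst}:{port}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The host with a single mistyped password stays below both thresholds, while the sweeping host is flagged for all three behaviours.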

