Virus Information - Page 2
PC Technician - Continues with Virus Info
Continued from page 1 (viruses.pctechnician.com). As I said before, the autopwn ran for more than 6 hours but could not find an exploitable port. I will assume that if I had found one, getting into my sacrificial computer would have worked. All the author of the rootkit did was to get into one of the exploitable ports, and as you can see it was in the C:\windows\system32 directory. He then uploaded the two rootkit programs (one is an .exe file, the other is a .zip file). These are the two icons on the left-hand side of his Backtrack screen. These rootkits were then executed and could be seen in the running processes list. He then was able to actually hide these processes. The Blacklight program was used to find the rootkits, and it found the Beast2.07.exec file and deleted it. I could not figure out how he detected the FU_rootkit program as the audio was kind of garbled. When he ran the Sysinternals program the two entries in the registry showed up but didn't allow him to identify the names of the processes. So I guess you can tell if you have a hidden rootkit process, as the Sysinternals program will show you something is wrong (remember it won't give you the name of the process, but at least you will know that something is wrong). I will investigate all of this later for my own edification, but I still don't know what kind of processes are "thrown" at each port. I really don't understand what they are doing to break through a port. The author referred to them as "brute force" objects. For now we will pursue other hacking techniques.
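The "something is wrong, but you don't get the name" effect described above is what cross-view detection looks like in practice: a rootkit that hides a process from one enumeration API often misses another, and the mismatch between listings is the tell. The script below is an added example written for this page, not a tool from the original post or from Sysinternals; it takes three process listings through three different Windows code paths and reports any PID that does not appear in all of them. The function name `Get-ProcessViewDiscrepancies` is made up for the example.

```powershell
# Added example (not from the page): a cross-view check for hidden processes.
# Each listing below goes through a different OS code path, so a process that a
# rootkit hides from one of them will often still show up in another. The
# discrepancy is the signal: you learn that something is wrong, not what it is.
function Get-ProcessViewDiscrepancies {
    # View 1: Get-Process (process snapshot through .NET)
    $viaGetProcess = @(Get-Process | ForEach-Object { [int]$_.Id })

    # View 2: the WMI/CIM provider
    $viaCim = @(Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId })

    # View 3: tasklist.exe, parsed from its CSV output (/NH drops the header line)
    $viaTasklist = @(tasklist.exe /FO CSV /NH |
        ConvertFrom-Csv -Header 'Image', 'ProcId', 'Session', 'SessionNo', 'Mem' |
        ForEach-Object { [int]$_.ProcId })

    $views = [ordered]@{
        'Get-Process'   = $viaGetProcess
        'Win32_Process' = $viaCim
        'tasklist'      = $viaTasklist
    }

    # Union of every PID that any of the views reported
    $allPids = @($viaGetProcess + $viaCim + $viaTasklist) | Sort-Object -Unique

    foreach ($p in $allPids) {
        $seenBy = @($views.Keys | Where-Object { $views[$_] -contains $p })
        if ($seenBy.Count -lt $views.Count) {
            [pscustomobject]@{
                ProcessId = $p
                SeenBy    = ($seenBy -join ', ')
                MissingIn = (@($views.Keys | Where-Object { $seenBy -notcontains $_ }) -join ', ')
            }
        }
    }
}

# Processes that start or exit between the three snapshots will also be listed,
# so run the check twice and only worry about PIDs that are flagged both times.
Get-ProcessViewDiscrepancies | Format-Table -AutoSize
```

A kernel-mode rootkit that hooks the underlying system call can fool all three views at once, which is why tools like Blacklight compare against lower-level sources; this script catches the simpler user-mode hiding and, more usefully, shows the shape of the check.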
Wait! Hold the phone, there is something rotten in Denmark and it ain't Swiss cheese. Briefly, I upgraded my son's computer from Windows 10 32-bit to 64-bit, which now belongs to me. I had to reload VirtualBox and Backtrack 5. Now I could load the 64-bit version of Backtrack; everything loaded correctly, but when I tried to run fasttrack it got stuck. The problem is that Metasploit has deprecated the autopwn component (deprecated is a fancy word for no longer supported). Now what do I do? I finally looked up a tutorial for Metasploit and the link can be found HERE. There is a lot of material here and this probably should be a one-semester undergraduate course. The tutorial explains many things, but it appears that a lot of the support is for the pro version of Metasploit. This is not a trivial program, and requires a good working knowledge of Metasploit. For example, here is a snippet from the tutorial:
"A vulnerability is a system hole that one can exploit to gain unauthorized access to sensitive data or inject malicious code. Metasploit, like all the other security applications, has a vulnerability scanner which is available in its commercial version. With the help of a vulnerability scanner, you can do nearly all the jobs with one application. This facility is not there in the free version of Metasploit. If you are using a free version of Metasploit, then you will have to use Nessus Vulnerability Scanner and then import the results from there. Metasploit uses Nexpose to do the scan."
So it seems that brute force is nothing more than cracking passwords to gain entrance into a port. I had in my mind some really small guy with a very big sledgehammer knocking at the port. Enough of the rootkit exploits. I will try this in the future just for my own satisfaction. So now let's move on. Just remember that rootkits are nasty and hard to detect and remove.
Okay, now let's look at another type of virus.
This annoying attack is called "Ransomware". Here is where the hacker gets you to execute some code which inserts an image on your computer telling you to send them some money to rid your computer of this image. This attack makes it almost impossible to do anything with your computer unless you pay a "ransom" for the unlock key. I know a few people who have paid the ransom - they should have called me first. I am not exactly sure how the hacker gets you to execute the troublesome code. My guess is that this code may be hidden in email or downloaded images. With all the versions of Windows I would suggest reading the info HERE, which should allow you to roll back to a state before you got infected with the ransomware. But remember, you will lose files created after the rollback date and any programs that you installed, but the ransomware will be gone.
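The rollback the paragraph above refers to is Windows System Restore, and the part that matters is having a restore point from before the infection. The commands below are an added example, not from the page or the linked article; they use the System Restore cmdlets that ship with Windows PowerShell 5.1 (they are not present in PowerShell 7) and must be run from an elevated prompt. The description string is made up for the example.

```powershell
# Added example (not from the page): working with System Restore from an
# elevated Windows PowerShell 5.1 prompt.

# Make sure protection is on for the system drive; no restore points are
# created on a drive where it is turned off.
Enable-ComputerRestore -Drive 'C:\'

# Create a restore point now, while the machine is known to be clean.
# By default Windows allows only one restore point per 24 hours via this cmdlet.
Checkpoint-Computer -Description 'Known-good state before new software' -RestorePointType MODIFY_SETTINGS

# List what is available to roll back to, oldest first.
# CreationTime comes back as a WMI date string, so convert it for readability.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Sort-Object Created |
    Format-Table -AutoSize

# To actually roll back (this reboots the machine), pick a SequenceNumber from
# the list above that is dated before the infection:
#   Restore-Computer -RestorePoint <SequenceNumber>
```

One caveat: restore points are kept in the volume's shadow-copy storage, and a number of ransomware families delete shadow copies as part of their run, so the rollback may not be available when it is needed most. A backup that the infected machine cannot reach (an external drive that is unplugged after the copy, or offline media) is the recovery path that does not depend on what the malware left behind.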