The PC Technician offers help with computer problems and virus removal. Got a virus? The PC Technician says that even Windows 7 needs a good anti-virus program; you can get free software from the sources given on this page.

Virus Information - Page 2

PC Technician - Continues with Virus Info

Continued from page 1 (viruses.pctechnician.com). As I said before, the autopwn ran for more than 6 hours but could not find an exploitable port. I will assume that if I had found one, getting into my sacrificial computer would have worked. All the author of the rootkit did was get into one of the exploitable ports, and as you can see it was in the C:\windows\system32 directory. He then uploaded the two rootkit programs (one is an .exe file, the other is a .zip file). These are the two icons on the left hand side of his Backtrack screen. These rootkits were then executed and could be seen in the running processes list. He then was able to actually hide these processes. The Blacklight program was used to find the rootkits, and it found the Beast2.07.exec file and deleted it. I could not figure out how he detected the FU_rootkit program as the audio was kind of garbled. When he ran the Sysinternals program, the two entries in the registry showed up but didn't allow him to identify the names of the processes. So I guess you can tell if you have a hidden rootkit process, as the Sysinternals program will show you something is wrong (remember it won't give you the name of the process, but at least you will know that something is wrong). I will investigate all of this later for my own edification, but I still don't know what kind of processes are "thrown" at each port. I really don't understand what they are doing to break through a port. The author referred to them as "brute force" objects. For now we will pursue other hacking techniques.

Wait! Hold the phone, there is something rotten in Denmark and it ain't swiss cheese. Briefly, I upgraded my son's computer from Windows 10 32-bit to 64-bit, which now belongs to me. I had to reload VirtualBox and Backtrack 5. Now I could load the 64-bit version of Backtrack; everything loaded correctly, but when I tried to run fasttrack it got stuck. The problem is that Metasploit has deprecated the autopwn component (deprecated is a fancy word for no longer supported). Now what do I do? I finally looked up a tutorial for Metasploit and the link can be found HERE. There is a lot of material here and this probably should be a one-semester undergraduate course. The tutorial explains many things, but it appears that a lot of the support is for the pro version of Metasploit. This is not a trivial program, and requires a good working knowledge of Metasploit. For example, here is a snippet from the tutorial:


"Metasploit is a powerful security framework which allows you to import scan results from other third-party tools. You can import NMAP scan results in XML format that you might have created earlier. Metasploit also allows you to import scan results from Nessus, which is a vulnerability scanner."

"A vulnerability is a system hole that one can exploit to gain unauthorized access to sensitive data or inject malicious code. Metasploit, like all the other security applications, has a vulnerability scanner which is available in its commercial version. With the help of a vulnerability scanner, you can do nearly all the jobs with one application. This facility is not there in the free version of Metasploit. If you are using a free version of Metasploit, then you will have to use Nessus Vulnerability Scanner and then import the results from there. Metasploit uses Nexpose to do the scan."


Well, it appears that getting the pro version would make it easier to follow the tutorial. By the way, the version of Backtrack is Kali-Linux.


At this point I would like to leave this topic and go on to other viruses. I would like to say that I really didn't understand what was meant by "brute force" to gain entrance into a port, so see the paragraph below (taken from the tutorial).


"In a brute-force attack, the hacker uses all possible combinations of letters, numbers, special characters, and small and capital letters in an automated way to gain access over a host or a service. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. A brute-force attack is slow and the hacker might require a system with high processing power to perform all those permutations and combinations faster. In this chapter, we will discuss how to perform a brute-force attack using Metasploit."

So it seems that brute force is nothing more than cracking passwords to gain entrance into a port. I had in my mind some really small guy with a very big sledge hammer knocking at the port. Enough of the rootkit exploits. I will try this in the future just for my own satisfaction. So now let's move on. Just remember that rootkits are nasty and hard to detect and remove.
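To make the tutorial's two points concrete, here is an added example (my own illustration, not code from the page or from the Metasploit tutorial it quotes): the first function shows why trying every combination is slow, and the second shows what a brute-force attempt looks like from the defender's side, a burst of failed logins from one source in a log. The log lines and their format are constructed for the example.

```python
# Added example: the brute-force attack described above, seen from the defender's side.
import re
from collections import defaultdict
from datetime import datetime

LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32  # printable ASCII character classes

def keyspace(length, classes=(LOWER, UPPER, DIGITS, SPECIAL)):
    """Number of candidate passwords of exactly `length` chars drawn from `classes`."""
    return sum(classes) ** length

def worst_case_seconds(length, guesses_per_second):
    """Time to try every combination of `length` chars at a given guess rate."""
    return keyspace(length) / guesses_per_second

# Constructed sample log (simplified sshd-style format, not a real capture).
SAMPLE_LOG = """\
2024-01-01 10:00:01 Failed password for root from 10.0.0.5 port 51000
2024-01-01 10:00:02 Failed password for root from 10.0.0.5 port 51001
2024-01-01 10:00:02 Failed password for admin from 10.0.0.5 port 51002
2024-01-01 10:00:03 Failed password for root from 10.0.0.5 port 51003
2024-01-01 10:00:04 Accepted password for bob from 192.168.1.9 port 40000
2024-01-01 10:00:05 Failed password for root from 10.0.0.5 port 51004
2024-01-01 10:05:00 Failed password for bob from 192.168.1.9 port 40001
"""

LINE_RE = re.compile(r"^(\S+ \S+) Failed password for (\S+) from (\S+) port \d+$")

def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: total_failures} for every source that produced at least
    `threshold` failed logins inside some `window_seconds` window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # only failed logins count; successes are skipped
            attempts[m.group(3)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over the sorted timestamps
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print("8-char keyspace:", keyspace(8), "worst case at 1e9/s:", worst_case_seconds(8, 1e9), "s")
    print("flagged sources:", brute_force_sources(SAMPLE_LOG))
```

A single typo-ing user (192.168.1.9) is not flagged, while the source that fails five times inside a minute is, which is the pattern a defender watches for.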

But before moving on to the next topic, you can read my attempt to use a penetration tool called sn1per. It allowed me to almost get into one of my sacrificial computers. You can read about this HERE.


Okay, now let's look at another type of virus.

This annoying attack is called "Ransomware". Here is where the hacker gets you to execute some code which inserts an image on your computer telling you to send them some money to rid your computer of this image. This attack makes it almost impossible to do anything with your computer unless you pay a "ransom" for the unlock key. I know a few people who have paid the ransom; they should have called me first. I am not exactly sure how the hacker gets you to execute the troublesome code. My guess is that this code may be hidden in email or downloaded images. With all the versions of Windows I would suggest reading the info HERE, which should allow you to roll back to a state before you got infected with the ransomware. But remember, you will lose files created after the rollback date and any programs that you installed, but the ransomware will be gone.


