Analysis of Advanced Attacks and Malware Techniques (part 1)

Discussion in 'Malware Analysis' started by LabZero, Nov 28, 2015.

  1. LabZero

    LabZero Guest

    Recently I have been studying some sophisticated attack techniques used by criminals to break into and infect systems (home and enterprise networks).
    The goal is always to steal data and remain persistent in the affected system: "fly under the radar".

    The attacker wants to infect while remaining invisible, avoiding triggering "alarms", leaving traces in the logs, or being detected by various solutions such as firewalls, IDS/IPS, antimalware and HIPS.

    This article is focused on some of the techniques used during the attack.

    After compromising a machine, it is necessary to maintain persistent access to the network; for this purpose the choice of payload is crucial.

    A reverse HTTP shell is often used:

    • REVERSE: the target uses a firewall with more or less restrictive rules, and very often the only configuration is rejecting all incoming connections, especially if the request originated from a computer within the network. Important to the success of the attack, once the remote machine is compromised, is to get a shell back. The default setting provides for the attackers to connect directly to the shell, in this case meeting the firewall block. By setting the reverse option they get the compromised machine to act as a client and to contact the attackers' C&C (command and control). (It's the same method used by botnets.)
    • WINDOWS: in this case the target machine has the Windows operating system and the exploited process has the features needed to use this method. This method allows loading the payload as a DLL within the process itself, which is very useful to avoid application whitelists on the host, some HIPS (Host Intrusion Prevention System) and some antivirus that does not support memory scanning; especially if the process is authorized and signed and only later loads the DLL inside it.
    • HTTPS: some security systems (enterprise for example) use other rules to filter outbound traffic, allowing only certain ports, applications or protocols. In this way all applications that try to communicate on the Internet are blocked (significantly reducing the window of attack), for example FTP, IRC, TOR, P2P and a large part of malicious agents. The HTTP shell is programmed to seek, on a regular basis, the connection with the attackers, and the type of communication chosen makes that traffic look, to the perimeter security devices, like internet surfing consisting of requests and responses.
    • FUD: to prevent the various antivirus products from recognizing the payload, some techniques are implemented to obfuscate the payload and make it unrecognizable to the antimalware signature database; usually non-public crypters are used, which remain FUD for a few weeks.

    Some of the advanced features of this type of shell are:

    • The ability to use a proxy.

    • The payload has a "hardcoded" deadline in it; the default setting is usually one week from the date on which it is generated, to prevent a forgotten connection from trying to connect indefinitely. When it reaches this value the shell terminates. Setting SessionExpirationTimeout to 0 will cause the shell to keep attempting to connect until the process is finished or the target machine is restarted.

    Exiting a session normally results in the exploit being "killed", but the attackers use the detach command (by setting the SessionCommunicationTimeout variable to 0 when generating the payload) so the connection is not terminated and is recoverable, unless the SessionExpirationTimeout condition is reached or the process is killed.

    Some security systems make further checks, monitoring network traffic and making sure the content of outgoing packets is acceptable (egress filter). These controls are able to identify credit card numbers, users, logins and various patterns, all this to notice in real time any breach within the network.

    If credit card data is in transit, some of these controls stop the traffic and warn network administrators, assuming an internal breach that allowed the dump and exfiltration of data. To overcome these problems an HTTPS shell is then used, encrypting the connection and making the data unreadable to those tools, while minimizing the risk of being detected (POS malware for example).


    Generally the security apps (enterprise especially) block incoming ICMP packets but often allow the same outbound; thanks to this configuration, an attacker can use ICMP packets to transfer a TCP payload (ICMP tunnel).

    • attacker: TCP connection to the TCP PROXY software, which sends the request to the remote client.
    • remote client: encapsulates the TCP payload in ICMP ECHO packets and sends them to the PROXY.
    • PROXY: de-encapsulates the packets and sends the TCP responses to the attacker.

    Many attackers use Ping Tunnel.


    An old method that still works pretty well to bypass IDS and IPS is to use unused TCP packet parameters.

    Some of the fields that can be used for this purpose are:

    • IP Identification: a session must already be established between the two sides, after which the data is transferred bitwise within this field.
    • TCP initial sequence number: this method does not require making a connection. A SYN packet is sent with an initial sequence number that contains the payload. Although the answer is RST, the content has already been checked out.
    • TCP initial sequence acknowledgement number: more complex than the previous method; it is necessary to use a bounce server whose only purpose is to receive packets and forward them to the attacker's machine.

    • The client generates a TCP SYN packet with the source address of the attackers' server (IP address spoofing) and the destination address of the bounce server.
    • The value of the Initial Sequence Number (ISN) contains the encoded character (ISNq).
    • The bounce server receives the packet and responds with SYN/ACK or RST, depending on whether the port is open or closed. The response is sent to the receiving server (the attacker's server) because its address has been "spoofed".
    • The answer will be in this format: SYNB, ACK (ISNq + 1).
    • The attacker's server receives this packet and retrieves the value from the field.


    I conclude this thread by saying that these techniques include not only attacks that target network intrusion; the attackers also use other techniques, social engineering and phishing, which claim many victims, especially among inexperienced users.

    In the next threads I will explain other persistent attack techniques.

    Thanks for reading :)
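As an added defender-side example (my own code, not part of LabZero's post and not from Ping Tunnel), the following Python flags ICMP echo traffic that does not look like a stock ping, which is the kind of check an IDS can run against the ICMP tunnel described in the post. It assumes the default echo payloads of the Linux and Windows ping tools; the size threshold, the hosts and the sample packets are constructed.

```python
import struct
from collections import defaultdict

# Stock ping payloads: Linux prefixes an 8- or 16-byte timestamp to bytes 0x10, 0x11, ...;
# Windows sends fixed text. Anything else inside an echo packet deserves a closer look.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_STOCK_PAYLOAD = 64  # constructed threshold: stock pings carry 32 or 56 data bytes

def is_stock_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PATTERN:
        return True
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if 0 < len(body) <= 240 and body == bytes(range(0x10, 0x10 + len(body))):
            return True
    return False

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, icmp_type, payload) for an IPv4 ICMP echo packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 or pkt[ihl] not in (0, 8):
        return None
    return ".".join(str(b) for b in pkt[12:16]), pkt[ihl], pkt[ihl + 8:]

def scan_icmp(packets) -> dict:
    """Map each source host to the tunnel indicators seen in its echo traffic."""
    findings = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, _, payload = parsed
        if not is_stock_ping_payload(payload):
            findings[src].add("non-stock echo payload")
        if len(payload) > MAX_STOCK_PAYLOAD:
            findings[src].add("echo payload larger than a stock ping")
    return dict(findings)

def build_echo(src: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed IPv4+ICMP echo frame for offline testing (checksums left zero)."""
    src_b = bytes(int(o) for o in src.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0, src_b, b"\x0a\x00\x00\x01")
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload

# Constructed sample traffic: a stock Linux ping next to a tunnel-like echo stream.
STOCK = build_echo("10.0.0.5", b"\x00" * 16 + bytes(range(0x10, 0x38)))
TUNNELED = build_echo("10.0.0.9", b"GET /beacon HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + b"\x00" * 200)
REPORT = scan_icmp([STOCK, STOCK, TUNNELED, TUNNELED])
```

In REPORT only 10.0.0.9 appears, with both indicators; in practice these heuristics are combined with request/reply ratios and per-host echo volume before raising an alert.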
  2. kaddy

    kaddy Level 2

    Jan 23, 2016
    Very good.
  3. KenYang

    KenYang New Member

    Mar 10, 2016
  4. Akshay Gupta

    Akshay Gupta New Member

    Aug 25, 2016
    Hey, after deleting the sysnetwrk.exe file from the dsq folder I am not able to connect to the server and not able to use the browser any more; it shows no internet connection. Please help me, what should I do?
  5. davidp

    davidp Level 1

    Aug 16, 2016
    Bay Area
    Thanks for sharing this information.
  6. Raheel99

    Raheel99 Level 1

    Sep 15, 2016
    Windows 7
    Well written. Thanks for sharing.
  7. cheburash

    cheburash Level 1

    Apr 14, 2017
    MacOS High Sierra
    Good reading, thanks
  8. kodesilo

    kodesilo Level 1

    Dec 12, 2016
    san jose
    Good reading, thanks
  9. kodesilo

    kodesilo Level 1

    Dec 12, 2016
    san jose
    Very good.
  10. Malware Person

    Malware Person Level 4

    Jun 8, 2016
    United States
    Windows 10
    nice info! very useful :)
  11. David R

    David R Level 1

    May 31, 2017
    Atlanta, GA
    MacOS High Sierra
    Nice write up!