This lab will cover the CompTIA-Security lab Trojans and Malware Protection.
Lab 1, the creation of the servers, has been completed by default.
In this lab I will be running a setup program that has unintended consequences.
This lab will be completed inside the Win8.1 Client.
When the client loads I am told to go into C:\gtslabs and run the ‘setup’ application.
The idea behind this is that we are pretending that this is a legitimate program we want to install.
The program installs like any basic program. I did notice Windows Defender detected it as malware; you can see the message in the image slideshow below.
When the install finished, Minesweeper opened. The lab asks if anything else has happened, but I can’t see anything at this stage.
The lab now tells me to check Task Manager and look for anything unusual in the processes.
The only unusual process I see is ‘nc’.
The lab now wants me to open Event Viewer, go into the Application and System logs, and see if I can spot anything unusual.
In Application the only one that stands out is a warning with the message “Crawl could not be completed on content source…”
In System there were multiple Group Policy changes, but there was also a Kernel-General event that updated 600 keys and created 48 modified pages.
Now I need to check the firewall inbound rules and look for anything odd.
The only rules I find odd are two VPN inbound rules that are allowed; for a basic install that is not default, so if I were a betting man I would say this is not something we want.
The lab explains: ‘The “Odysseus” software has installed a backdoor application called Netcat on the computer. This runs with the privileges of the logged-on user (currently administrator) and allows a remote machine to access the command prompt on CLIENT…’ So I was right in looking at the nc process and maybe the VPN connections.
Now I need to log into the Rogue VM to exploit this backdoor.
Once logged in I can run Angry IP Scanner to find my target host.
Also here’s some proof this is me doing these labs 😀
Now back on track, the lab wants us to scan the local subnet for hosts with port 4450 open.
I had to go into settings and tick Scan dead hosts, add port number 4450 and tick Display alive hosts.
After running the scan I was supposed to find three hosts, one being the Rogue, but in this case I only found myself. I went back into VMware and found the two servers are on a different IP range.
So I changed the scan range in Angry IP Scanner and tried again, and still no luck! To be continued…
After some thinking it turned out that the issue was that the Rogue VM was on a static IP and not on the same range as the other VMs, so I changed its IPv4 to DHCP, then changed the range in Angry IP Scanner, and it worked!
Now that we have found the host with the open port, we need to connect to it via PuTTY.
I put in the IP address, set the port number to 4450 and saved the connection.
Once logged in I can run CMD commands as Admin as if I were on the actual infected PC. I can run all but one command in this menu, ‘copy c:\GTSLABS\eicar.com %homepath%\documents\diary.exe’, as that file does not exist; the other commands work, and the last command shuts down the infected PC.
As you can see it worked.
ISSUE: As I progressed I found out that eicar.com is a test virus which needed to be on the Client machine, but it was not on the machine. After talking with a classmate we came to the conclusion to just create the file. Adding the text ‘X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H’ to a Notepad file and saving it as eicar.com fixed the issue. I then re-ran the command and it worked. The reason you have to make it is that the eicar.com file is very difficult to download and work around your antivirus.
Now the lab tells me to try to connect to the infected VM after it has restarted but with no user logged in.
This does not work because the backdoor runs only when a user is logged in.
In this exercise we are going to block the Trojan in the Client VM.
I have to log into the VM, check Task Manager and look for ‘ini’ in the start-up processes, alt-click it, open its file location and open ini.vbs in Notepad.
This shows the firewall rules that it adds, so now I need to open the firewall and block those rules, known as ‘Service Firewall’.
I found the rules, now I need to disable them.
Now it’s time to see if it worked. I can do this by trying to connect from the Rogue VM.
Blocking the firewall rules has stopped the connection.
In this exercise the lab wants me to deploy a group policy to ensure Windows Defender is enabled on all machines in the domain.
I need to log into the Server VM, go to Group Policy Management and edit the GPO, setting ‘Turn off Windows Defender’ to Disabled, as well as ‘Turn off routine remediation’ and ‘Turn off real-time protection’.
Now that the GPOs have been updated I can close all the windows and sign out.
In this lab we will use an antivirus to detect malware; this is done in the Client VM.
Now that the eicar.com file was copied to the Documents folder as Diary.exe, I need to try to run it.
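To confirm the three GPO settings actually reached a client, here is an added PowerShell check (not part of the lab materials). It assumes it runs on the domain-joined Client after `gpupdate /force`; the registry values are the ones these Defender policy settings write, and the Defender cmdlets are the ones shipped with Windows 8.1.

```powershell
# Added verification script, not from the lab. Run on the domain-joined Client
# after 'gpupdate /force'. The registry values are the ones these three GPO
# settings write; a value of 0 means the setting is Disabled, i.e. protection on.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Setting = 'Turn off Windows Defender';     Key = $policy;                        Value = 'DisableAntiSpyware' }
    @{ Setting = 'Turn off routine remediation';  Key = $policy;                        Value = 'DisableRoutinelyTakingAction' }
    @{ Setting = 'Turn off real-time protection'; Key = "$policy\Real-Time Protection"; Value = 'DisableRealtimeMonitoring' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state = if ($null -eq $v) { 'Not configured (local settings apply)' }
             elseif ($v -eq 0) { 'Disabled: policy keeps protection on' }
             else              { 'ENABLED: policy turns protection OFF' }
    '{0,-30} {1}' -f $c.Setting, $state
}
# Cross-check with what the Defender engine itself reports
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

If a setting shows as not configured on the client, the GPO has not applied there yet or the machine sits outside the GPO's scope.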
As soon as I ran the program it was deleted by Windows Defender, and I now need to go into Windows Defender and look at the logs.
I now need to run a quick scan.
After running the scan it found EICAR_TEST_FILE but also another tool I’m pretty sure is needed for another lab, so I did not remove that one.
After the quick scan I need to run a full scan; while that is being done I need to try to connect to the Client PC through the Rogue again.
Now this did not work, and I know why it didn’t: the ‘nc’ backdoor has a startup script to re-enable the firewall rules, so if I restart the Client and try to connect via the Rogue, it will work.
The next part of the lab is securing against that startup process that enabled the firewall rules.
This is done by going into the firewall inbound rules, going to New Rule and following the lab’s config.
This stopped the backdoor Trojan and ends this lab.
This lab was pretty difficult, not in the sense that I was unsure what to do, but because some of the lab did not go the way it was supposed to, for example:
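The checks from the blocking exercise (the ‘nc’ process, the ‘Service Firewall’ rules, the ini.vbs start-up script) and the block rule from this last step can be scripted together. The following PowerShell is an added example, not the lab's own material; it assumes the details the lab gives (a Netcat listener on TCP 4450, planted allow rules whose display names contain ‘Service Firewall’) and that it runs as Administrator on the Win8.1 Client.

```powershell
# Added example, not part of the lab: run as Administrator on the Win8.1 Client.
# Assumes the lab's details: a Netcat listener on TCP 4450 and planted allow rules
# whose display names contain 'Service Firewall'. Reports only unless -Enforce.
param(
    [int]$SuspectPort = 4450,
    [string]$RuleNamePattern = 'Service Firewall',
    [switch]$Enforce
)

# 1. Listening TCP ports with their owning process; flags the port and any 'nc'
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Process   = $p.ProcessName
        Path      = $p.Path
        Suspect   = ($_.LocalPort -eq $SuspectPort -or $p.ProcessName -eq 'nc')
    }
} | Sort-Object Suspect -Descending | Format-Table -AutoSize

# 2. Enabled inbound allow rules in no built-in group: installers and scripts
#    such as ini.vbs create rules like these, while Windows' own rules are grouped
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { -not $_.Group } |
    Select-Object DisplayName, Profile,
        @{n='Port';    e={ ($_ | Get-NetFirewallPortFilter).LocalPort }},
        @{n='Program'; e={ ($_ | Get-NetFirewallApplicationFilter).Program }} |
    Format-Table -AutoSize

# 3. Scripts and shortcuts in the per-user and all-users Startup folders
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -Include *.vbs,*.bat,*.cmd,*.ps1,*.lnk -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 4. Containment. A Block rule takes precedence over Allow rules in Windows
#    Firewall, so it still holds after a startup script re-enables the allows.
if ($Enforce) {
    Get-NetFirewallRule -DisplayName "*$RuleNamePattern*" -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName "Block inbound TCP $SuspectPort (backdoor)" `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $SuspectPort
} else {
    Write-Host "Report only. Re-run with -Enforce to disable '$RuleNamePattern' rules and block TCP $SuspectPort."
}
```

Step 4 is why the block rule survives the restart described above: disabling the allow rules alone is undone by the start-up script, but an explicit Block rule on the port is evaluated first regardless of how many Allow rules are re-created.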
- EICAR was not in the Client VM and I had to source the information about the file and build it myself
- Windows defender detected core lab systems I need to use and could have deleted them if I was not paying attention
- The Rogue VM was not on a DHCP address and needed to be changed
- The Angry IP scanner range needed to be set to 10.1.0.1 – 10.0.1.255 to detect my servers.
I was amazed at how easily a backdoor can be created and used, and also that Windows Defender did not even notice a program making firewall inbound rules! This can have huge consequences for a business environment. I had full admin control over a Client.
This lab really showed me how dangerous downloading a file can be, and how you cannot always trust an antivirus.
I don’t think I could have done the lab any better, as I am comfortable in a virtual environment.