Malware
Definitions
adware = shows annoying ads
anomaly = anomaly-based virus detection
ansi bomb = keyboard remapping over ansi.sys (DOS)
appender = appends viral code to the end of a binary
backdoor = hidden remote access possibility
bootkit = rootkit at boot level (MBR/boot loader)
bot = computer under remote control
bot herder = botnet owner/controller
botnet = network of bots
c&c = command and control
click fraud = automated clicking for counters/votes
clickjacking = hijacking user clicks with an overlay
companion = separate file with viral code that gets executed instead of the original binary (e.g. a .com beside the .exe)
crimeware = malware for cybercrime
dialer = dials expensive commercial phone numbers
doubleflux = dns layer in-between, both A and NS records rotate automatically
dropper = program that installs (drops) other malware on the host
eicar = non-malicious anti virus trigger file
entry point obscuring (epo) = file infector changes the infection point dynamically
fastflux = dns layer in-between for hiding: rapidly changing records point to proxies instead of the real servers
hoax = chain mail ("send this to all your contacts") with a false warning
keylogger = sniffs user keystrokes
heuristic = behaviour-based virus detection
landing zone = host the malware connects to in order to be controlled remotely
logic bomb = malware activating through time/condition
macrovirus = virus using the macro language of office programs
metamorph = abstracts code functions and rewrites them with transformation rules in every generation
money mule = person transferring money between countries
multipartite = several ways to spread and infect
oligomorph = simple polymorphic changes (small set of decryptors)
overwriter = overwrites the binary with viral code
payload = code transported with the virus
pharming = dns spoofing/social engineering
phishing = fake websites (web redirection)/social engineering
polymorph = changing code from generation to generation
prepender = puts viral code at the start of the binary
ransomware = encrypts data and sells the decryption key for money
resident = malware stays resident in memory
rootkit = hides files, processes and a backdoor deep in the system
scareware = scares the user into installing something
signature = signature-based virus detection
singleflux = dns layer in-between, A records rotate automatically
spam = unsolicited emails
spyware = phones home, gathers data
stealware = malware for data stealing
trigger = date/condition for the malicious behaviour
trojan = hidden malicious functionality
virus = infects files, programs, scripts or the mbr (master boot record)
web bug = picture loaded from a webserver for tracking
worm = self-propagating malware (needs no host file)
zombie = infected host for DoS attacks

Rootkit Generations
1) File modification (single file patching)
2) User/kernel mode (function hooking, static object patching)
3) Advanced user/kernel mode (direct kernel object modification DKOM, exclusive kernel mode)
4) Virtualisation and more (virtual memory subversion, hypervisor-based, bootkits, hardware, databases)

Hooking Locations
DKOM = Direct Kernel Object Modification (no hook at all: kernel structures such as the process list are patched directly)
IAT = Import Address Table
SSDT = System Service Descriptor Table
IDT = Interrupt Descriptor Table
IRP = I/O Request Packet (driver dispatch routines)
GDT = Global Descriptor Table
LDT = Local Descriptor Table
IFH = Inline Function Hooking

Rootkit Detection/Removal
Free rootkit detection and removal tools (the original page links to each): gmer, icesword, radix, rootrepeal, rootkit hunter, chkrootkit, more

Locations Windows
Files:
%Application Data%\Microsoft\
%System%\[Filename].dll
%Program Files%\Internet Explorer\[Filename].dll
%Program Files%\Movie Maker\[Filename].dll
%All Users Application Data%\[Filename].dll
%Temp%\[Filename].dll
%Temp%\[Filename].tmp
Processes (impersonated or injected into): explorer.exe, services.exe, svchost.exe
Disabled Services:
Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Security Center Service (wscsvc)
Windows Defender Service (WinDefend)
Windows Error Reporting Service (ERSvc, WerSvc)
Registry:
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows\CurrentVersion
HKLM\Software\Microsoft\Windows NT\CurrentVersion
HKCU\Software\Microsoft\Windows\CurrentVersion
Other: infects USB drives, infects drives other than C:, changes timestamps, uses Alternate Data Streams (ADS), uses System Restore Points

Locations Unix/Linux
Files: /bin/login, /bin/.login, /bin/ps, /etc/, /etc/rc.d/, /tmp, /usr/bin/.ps, /usr/lib/, /usr/sbin/, /usr/spool/, /usr/src/
Processes: apached, rpc.statd, lpd, synscan, update
Disabled Services: apached, ftpd, rpc.statd, lpd, zzsld
Other: changes timestamps, uses drives other than /

Current Trends
embedded components, hardware interaction, reverse connections to the landing zone, use of flux-net (fast-flux) technologies, modular update features, use of encryption, user-space hiding techniques, use of rootkit technology, persistence measures, patching of the exploited security hole after infection, sleep routines, "guaranteed undetectable" promises by the sellers, commercial malware with end user license agreements, targeted infections

Online Analysis
Online malware analysis services (the original page links to each): virus total, no virus thanks, cwsandbox, wepawet, anubis, malbox, norman, malware forensics, gfi sunbelt, trojanscan, malware hash registry, malicious code

Sandboxing
sandboxie with buster sandbox analyzer, zerowine, zerowine-tryout, remnux

Antivirus
Free antivirus software (the original page links to each): security essentials, windows defender, free avg, avira antivir, clamav, clamwin, malwarebytes, f-prot, spybot, mcafee stinger, more

Malware Analysis
1) Set up a VMware target system with file, registry and network monitoring and take a baseline: regshot, filemon, regmon, tcpview, process explorer, autoruns, fport, wireshark, resource hacker, sandboxie with buster sandbox analyzer
2) Save a snapshot in VMware
3) Execute the suspect binary
4) Inspect the tools for system changes against the baseline
5) Interact with the binary: fake the DNS, mail and IRC services the malcode requires
6) Compare the results with the baseline and document the findings
7) Revert to the snapshot and repeat the process if needed

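Steps 1, 4 and 6 in code, as an added example that is not a tool from the page: a regshot-style baseline of a directory tree (size and SHA-256 per file) taken before the run, a second one after, and a diff listing what appeared, vanished or changed. The tree in demo() is constructed in a temporary directory and the "infection" is simulated by hand; the Windows-looking paths are only there to make the output read like a real case.

```python
"""Baseline-and-diff of a directory tree: the file-system half of a regshot-style comparison."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file below root (path relative to root, '/' separated) to (size, sha256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                       # symlinks and devices are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (os.path.getsize(full), sha256_file(full))
    return state


def diff(before, after):
    """Added, removed and modified paths between two snapshots, each list sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a small 'clean' tree, then the changes a dropper would make."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(os.path.join(sys32, "drivers", "etc"))
        os.makedirs(os.path.join(root, "Temp"))
        with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
        with open(os.path.join(sys32, "drivers", "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot(root)                # step 1: baseline

        # simulated infection: a DLL dropped into %System%, the hosts file poisoned
        # (blocks updates, cf. the disabled-services list), a temp file left behind
        with open(os.path.join(sys32, "evil.dll"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)
        with open(os.path.join(sys32, "drivers", "etc", "hosts"), "a") as f:
            f.write("127.0.0.1 update.microsoft.com\n")
        with open(os.path.join(root, "Temp", "a.tmp"), "wb") as f:
            f.write(b"payload")

        after = snapshot(root)                 # step 4: second snapshot after execution
        return diff(before, after)             # step 6: compare with the baseline


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Content hashes rather than timestamps are compared on purpose: the "changes timestamps" entry in the Locations sections is exactly why an mtime-based diff is not trustworthy.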
Down to the Beef
1) Try to identify the binary: peid, strings
2) Unpack the binary if necessary: upx, aspack, telock
3) Run it and dump the unpacked image: lordpe, pedumper
4) Debugger-assisted unpacking: ollydbg (ollydbg.ini), ollybone, ollydump
5) IDA Pro-assisted unpacking, since the malware may use debugger detection, exception handling, debug register manipulation, self-modifying code, other debugging prevention, ...: ida pro free, ida-x86emu
6) Drive-by website analysis: malzilla

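What peid and a section-entropy check actually look at in step 1, as an added example (not code from the page or from peid): a minimal PE section-table parser that flags known packer section names, sections with entropy above 7 bits/byte (compressed or encrypted code) and writable+executable sections with no raw data (the empty region a UPX stub unpacks into). The images in demo() are hand-built fixtures with no optional header or imports; they exercise the parser but are not runnable executables, and the random bytes only stand in for compressed code.

```python
"""Packer triage of a PE image: section names, per-section entropy and RWX sections
with no raw data, the hints that decide whether step 2 (unpacking) is needed."""
import math
import random
import struct
from collections import Counter

# Section names left behind by common packers (peid-style name check, not a full database).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data):
    """Shannon entropy in bits per byte: ~0 for padding, >7 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, raw_offset, raw_size, characteristics)]."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        name, _vsize, _vaddr, raw_size, raw_off, _, _, _, _, chars = fields
        sections.append((name.rstrip(b"\0"), raw_off, raw_size, chars))
    return sections


def packer_hints(blob, threshold=7.0):
    """Human-readable reasons to suspect the image is packed; an empty list means it looks plain."""
    hints = []
    for name, raw_off, raw_size, chars in pe_sections(blob):
        label = name.decode("ascii", "replace")
        ent = entropy(blob[raw_off:raw_off + raw_size])
        if name in PACKER_SECTION_NAMES:
            hints.append(f"{label}: known packer section name")
        if ent >= threshold:
            hints.append(f"{label}: entropy {ent:.2f} (compressed or encrypted)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE and raw_size == 0:
            hints.append(f"{label}: writable+executable with no raw data (unpacking target)")
    return hints


def build_pe(sections):
    """Construct a minimal PE image from [(name, data, characteristics)] for testing the parser.
    Hand-made fixture: no optional header, no imports, not a real or runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_off = 64 + 4 + 20 + 40 * len(sections)                     # raw data follows the table
    table, body = bytearray(), bytearray()
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data) or 0x1000,
                             0x1000, len(data), raw_off if data else 0, 0, 0, 0, 0, chars)
        body += data
        raw_off += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


def demo():
    """Two constructed images: a plain one, and a UPX-like one whose 'compressed' section is random bytes."""
    rng = random.Random(1)
    plain_code = b"Hello, world! " * 50
    packed_blob = bytes(rng.randrange(256) for _ in range(4096))
    clean = build_pe([(b".text", plain_code, 0x60000020), (b".data", b"\0" * 512, 0xC0000040)])
    upx_like = build_pe([(b"UPX0", b"", 0xE0000080), (b"UPX1", packed_blob, 0xE0000040)])
    return packer_hints(clean), packer_hints(upx_like)


if __name__ == "__main__":
    for image, hints in zip(("clean", "upx-like"), demo()):
        print(image, "->", hints or ["no packer hints"])
```

Entropy alone is not proof of packing (a .rsrc section full of compressed images scores high too), which is why the name and characteristics checks are combined with it before spending time in a debugger.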
Reverse Engineering: questions to answer
1) How does the malware install itself?
2) Which files are associated with the malware activity?
3) Which hosts does the malware communicate with?
4) What are the capabilities of the malware?
5) How can one communicate with the malware?
6) Which vulnerabilities does the malware itself have?

Collecting
honeypot = vulnerable service(s) offered for malicious software to exploit
honeynet = several networked honeypots
Software for collecting malware: honeyd, mwcollect, nepenthes, dionaea, honeynet
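The smallest useful form of the honeypot idea above, as an added example that is not part of the page and not code from honeyd or nepenthes: a low-interaction listener that presents a fake service banner, records who connected and the first bytes they sent, and drops the connection. The banner, the classification rules and the two local "attackers" in demo() are constructed for the example; a real deployment would listen on many ports and ship the events to a collector.

```python
"""Low-interaction honeypot: listen, send a fake service banner, record the peer and
the first bytes it sends, then drop the connection. Standard-library asyncio only."""
import asyncio

FAKE_BANNER = b"220 mail.example.org ESMTP ready\r\n"   # constructed banner, not a real host


class Honeypot:
    def __init__(self, banner=FAKE_BANNER, capture=256, timeout=5.0):
        self.banner, self.capture, self.timeout = banner, capture, timeout
        self.events = []      # one {"peer": (ip, port), "data": bytes} per connection
        self.server = None

    async def _handle(self, reader, writer):
        event = {"peer": writer.get_extra_info("peername"), "data": b""}
        try:
            writer.write(self.banner)
            await writer.drain()
            event["data"] = await asyncio.wait_for(reader.read(self.capture), self.timeout)
        except (asyncio.TimeoutError, ConnectionError):
            pass              # scanners that only touch the port are still logged
        finally:
            self.events.append(event)
            writer.close()

    async def start(self, host="127.0.0.1", port=0):
        """Bind (port 0 = let the OS pick a free one) and return the port actually used."""
        self.server = await asyncio.start_server(self._handle, host, port)
        return self.server.sockets[0].getsockname()[1]

    async def stop(self):
        self.server.close()
        await self.server.wait_closed()


def classify(data):
    """Tag the captured first bytes; the rules are illustrative, not a protocol parser."""
    if data.startswith((b"EHLO", b"HELO")):
        return "smtp-client"
    if data.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http-probe"
    if data.startswith(b"SSH-"):
        return "ssh-scanner"
    return "unknown" if data else "connect-only"


async def demo():
    """Constructed scenario: two local clients connect and speak different protocols."""
    hp = Honeypot()
    port = await hp.start()
    banners = []
    for probe in (b"EHLO scanner.invalid\r\n", b"GET / HTTP/1.0\r\n\r\n"):
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        banners.append(await reader.readline())          # every client sees the fake banner
        writer.write(probe)
        await writer.drain()
        writer.close()
        await writer.wait_closed()
    await asyncio.sleep(0.2)      # let the handlers finish appending their events
    await hp.stop()
    tags = sorted(classify(e["data"]) for e in hp.events)
    return tags, all(b == FAKE_BANNER for b in banners)


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

Because the listener never executes anything it receives, the captured bytes are safe to store; for self-propagating worms the next step is the one nepenthes and dionaea take, emulating enough of the exploited service to receive the dropped binary.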