Wednesday, March 1, 2017

Artifact Analysis

  • What Is an “Artifact”?
An artifact is one or more files that accomplish a single task or have a well-defined purpose.
Tools used by intruders to gather information about networks or hosts
Tools used by intruders to exploit vulnerabilities
Tools installed by intruders on compromised hosts
A malicious program (e.g., virus, worm, Trojan horse, bot, etc.)
Soft evidence (e.g., algorithms, descriptions, partial artifacts, network traces, etc.)

What is Artifact Analysis?
The study of Internet attack technology, otherwise known as malicious code, or “malware”
Viruses
Worms
Trojan horses
Rootkits
Bots
Denial-of-service tools
Vulnerability exploits
Spyware
Etc..
https://www.first.org/conference/2005/papers/kevin-houle-slides-1.pdf

  • payload
In computer security, the payload is the part of malware such as worms or viruses which performs the malicious action: deleting data, sending spam or encrypting data. In addition to the payload, such malware also typically has overhead code aimed at simply spreading itself, or avoiding detection.

https://en.wikipedia.org/wiki/Payload_(computing)

  • WHAT IS A PAYLOAD-BASED SIGNATURE?

Payload-based signatures detect patterns in the content of the file rather than attributes, such as a hash, allowing them to identify and block altered malware

Security tools often utilize signatures based on easily changed variables like hash, file name or URLs to identify and prevent known malware from infecting systems. With this type of signature, identifying threats requires essentially a one-to-one match against the specific variables the signature is looking for.

Malware authors can now easily create thousands of variants of existing malware, containing only slight changes, in order to get around signature matching.
As legacy signatures require a static one-to-one match for each unique file, these slight changes allow malware to go undetected.

If a piece of known malware has been altered in any way, resulting in an entirely new hash or other small change, payload-based signatures would still be able to identify and block what would otherwise have been treated as a new unknown threat.

https://www.paloaltonetworks.com/cyberpedia/what-is-a-payload-based-signature

  • In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.
In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.
https://en.wikipedia.org/wiki/Sandbox_%28computer_security%29
  • A sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control. Sandboxing protects "live" servers and their data, vetted source code distributions, and other collections of code, data and/or content, proprietary or public, from changes that could be damaging (regardless of the intent of the author of those changes) to a mission-critical system or which could simply be difficult to revert.
The concept of the sandbox (sometimes also called a working directory, a test server or development server) is typically built into revision control software such as CVS and Subversion (SVN), in which developers "check out" a copy of the source code tree, or a branch thereof, to examine and work on. Only after the developer has (hopefully) fully tested the code changes in their own sandbox should the changes be checked back into and merged with the repository and thereby made available to other developers or end users of the software
https://en.wikipedia.org/wiki/Sandbox_%28software_development%29



  • Malware Sandbox and Breach Detection Evasion Techniques
    Malware uses 4 basic evasion techniques that include:
    Configuration-specific — sleep calls, time triggers, fast flux, and process hiding
    Human interaction — mouse clicks and dialog boxes
    Environment-specific — version, embedded iframes, and DLL loaders
    VMware-specific — system-service lists, unique files, and the VMX port
http://www.drchaos.com/malware-sandbox-and-breach-detection-evasion-techniques

  • Traditionally, your anti-virus and anti-spyware software work with your email software to identify malicious software as soon as it is received, or at least, as soon as it begins to execute in your computer. That works well for well-known viruses and spyware but leaves you vulnerable to zero-day exploits, that is, vulnerable to malicious software that is not yet properly identified by the security software.

For example, suppose you get an email message with the virus that presents itself as an attachment called Click_Me_For_Best_Joke_Ever.exe. Suppose you don't know this is a virus, and further suppose that your anti-virus has not yet been updated to identify this particular virus. You click the attachment, and it delivers the best joke ever, but it also secretly installs malicious software.

If you run your email program sandboxed, then Click_Me_For_Best_Joke_Ever.exe also runs sandboxed, and any changes it makes to the computer, or software it installs, will be confined to the sandbox. These changes will be discarded in their entirety as soon as you delete the sandbox.

https://www.sandboxie.com/?EmailProtection

  • Joe Sandbox Mail is an easy to use Microsoft Outlook add-in which enables you to:

    analyze potentially malicious e-Mail attachments (any file type) in one click
    detect malicious e-Mails
    delete malicious e-Mails
    access behavior analysis reports of analyzed e-Mail attachments
    mark and categorize malicious e-Mails

Joe Sandbox Mail integrates into Microsoft Outlook as a new Ribbon, and just with a simple click of the “analyze” button, the e-Mail attachments are being sent to Joe Sandbox Cloud, Joe Sandbox Desktop, Joe Sandbox Complete or Joe Sandbox Ultimate to be analyzed.
https://www.joesecurity.org/joe-sandbox-mail

  • Test downloads in a safe environment on your PC before installing them on your hard drive. We show how to install and run software in a sandbox with the free BufferZone app
http://www.pcadvisor.co.uk/how-to/security/test-downloads-files-with-sandbox-3407128/

  • Use the Email > Settings > File Sandboxing page to send suspicious files received in email messages to a cloud-hosted sandbox for analysis. The sandbox activates the file, observes the behavior, and compiles a report. If the file is malicious, the message is either quarantined, or an email alert is sent to the administrators that you specify, containing summary information and a link to the report.
https://www.websense.com/content/support/library/email/hosted/admin_guide/email_threat_analysis.aspx

  • You could do all sorts of cool things with a sandboxed Python:
A "Sandboxed Python" would let you permit or forbid modules, limit execution slices, permit or deny network traffic, constrain filesystem access to a particular directory (floated as "/"), and so on. It is also referred to as restricted execution, a topic brought up by Mitch Kapor at PyCon and noted on his blog.
https://wiki.python.org/moin/SandboxedPython


  • As its name suggests, this library is a NodeJS sandbox for executing untrusted Python code in Docker containers.

https://github.com/christophetd/docker-python-sandbox


  • pysandbox is a Python sandbox. By default, untrusted code executed in the sandbox cannot modify the environment (write a file, use print or import a module). But you can configure the sandbox to choose exactly which features are allowed or not, eg. import sys module and read /etc/issue file.

https://pypi.org/project/pysandbox/

  • As a security analyst, you can look for threats that evaded detection by analyzing reconstructed artifacts, such as files and images. To understand the connections between collaborators and artifacts, you can also investigate the links to and from these files and images.

Several systems are infected despite all of the security measures that are in place. After he identifies and quarantines these systems, John needs to find out how these systems became infected and whether other assets are similarly compromised.
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qif_ug_artifact_an_ov.html


Malware analysis is a process that uses various tools and techniques to determine how malicious code is working. Unfortunately, there is no single algorithm to indicate how to analyze such code. Various approaches are usually needed, including static analysis, behavioral analysis, executable debugging or analysis of disassembled code. Moreover, each analyst usually tends to have his or her own favorite techniques and preferred tools.

Basic static analysis
The goal of this analysis is to gather information about potential malware functionality and any characteristic file features that could later be used to create a malware signature.

Behavioral analysis
In this analysis, malicious code is intentionally executed in a controlled environment to observe what changes it makes to the operating system.
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/artifact-analysis-fundamentals-handbook
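As an added illustration of the basic static analysis step described above (this is example code, not from the ENISA handbook or any tool listed on this page), the following Python records the characteristic file features an analyst would gather before writing a signature: cryptographic hashes, printable strings in the spirit of BinText, and per-chunk Shannon entropy as an indicator of packed or encrypted sections. The sample bytes are constructed, and the 7.2-bit threshold and the "more than half the chunks" rule are this example's own assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed sample (not a real binary): a clear-text region of the kind an
# unpacking stub leaves readable, followed by a region standing in for
# compressed/encrypted sections. The second region cycles through all 256 byte
# values, so its entropy is 8 bits/byte, the same as well-compressed data.
_CLEAR = (b"This program cannot be run in DOS mode.\r\n" * 6
          + b"kernel32.dll LoadLibraryA GetProcAddress VirtualAlloc ")
_PACKED = bytes((i * 7919 + 13) % 256 for i in range(1024))
SAMPLE = _CLEAR + _PACKED


def file_hashes(data: bytes) -> dict:
    """The one-to-one identifiers a hash-based signature relies on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text or plain code, close to 8 for packed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropy(data: bytes, chunk: int = 256) -> list:
    """Entropy of each fixed-size chunk, so packed regions stand out from clear ones."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII, as the strings tool or BinText would list them."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def static_features(data: bytes, high_entropy: float = 7.2) -> dict:
    """Collect the features a signature could later be built from.

    A file is flagged as likely packed when more than half of its 256-byte
    chunks are at or above the high-entropy threshold (assumed heuristic).
    """
    chunks = chunk_entropy(data)
    high = sum(1 for e in chunks if e >= high_entropy)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "entropy": round(shannon_entropy(data), 3),
        "high_entropy_chunks": high,
        "chunks": len(chunks),
        "likely_packed": high * 2 > len(chunks),
        "strings": printable_strings(data),
    }


if __name__ == "__main__":
    for key, value in static_features(SAMPLE).items():
        print(f"{key}: {value}")
```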


  • Difference Between Static Malware Analysis and Dynamic Malware Analysis


Malware analysis is a process or technique of determining the origin and potential impact of a specified malware sample.
Malware could be anything that looks or acts malicious, like a virus, worm, bug, Trojan, spyware, adware, etc. Any suspicious software that may cause harm to your system can be considered malware.

What is Static Malware Analysis?
Static analysis is a process of analyzing a malware binary without actually running the code. Static analysis is generally performed by determining the signature of the binary file, which is a unique identification for the binary file, and can be done by calculating the cryptographic hash of the file and understanding each component.
The malware binary file can be reverse-engineered by loading the executable into a disassembler such as IDA. The machine-executable code can be converted to assembly language code so that it can be easily read and understood by humans.

What is Dynamic Malware Analysis?
Dynamic analysis involves running the malware sample and observing its behavior on the system in order to remove the infection or stop it from spreading into other systems. The system is set up in a closed, isolated virtual environment so that the malware sample can be studied thoroughly without the risk of damage to your system.

http://www.differencebetween.net/technology/difference-between-static-malware-analysis-and-dynamic-malware-analysis/


  • Classification
Static analysis tools
PEiD
Exeinfo PE
PEview
CFF Explorer
Resource Hacker
BinText
Upx

Dynamic analysis tools
Process Explorer
Process Monitor
Regshot
GMER

Network analysis tools
Tcpdump
Wireshark
Mitmproxy
INetSim

Automatic analysis tools
Cuckoo Sandbox

https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/artifact-analysis-fundamentals-handbook

  • Cuckoo Sandbox is a malware analysis system.
In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such a file did when executed inside an isolated environment.
Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.
https://cuckoosandbox.org/
  • CuckooMX: Automating Email Attachments Scanning with Cuckoo
Today, classic anti-virus protections are not reliable enough to protect against modern malware. To have a better understanding and, if possible, block them, it’s best to execute the code in a safe environment and to analyze its behavior. Does it create new processes or files, are outbound connections performed via suspicious domains or IP addresses? Does it implement hooks? This method of performing malware analysis in a sandbox is more and more common.
https://blog.rootshell.be/2012/06/20/cuckoomx-automating-email-attachments-scanning-with-cuckoo/

  • CuckooMX is a project to automate the analysis of files transmitted over SMTP (using the Cuckoo sandbox)
https://github.com/xme/cuckoomx

  • One Flew Over the Cuckoo’s Nest
http://conference.hitb.org/hitbsecconf2012ams/materials/D1T1%20-%20Claudio%20Guarnieri%20-%20One%20Flew%20Over%20the%20Cuckoos%20Nest.pdf
  • Delete VMDK Files Securely
To help prevent sensitive data in VMDK files from being read off the physical disk after it is deleted, write zeros to the entire contents of a VMDK file ("zero out") before you delete it, overwriting the sensitive data. When you zero out a file, it is more difficult for someone to reconstruct the contents.
https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-A9EA80D8-9D7A-48CB-9109-992782C88EA7.html

  • The partition is deleted and space returned for the pool to be used by another virtual machine. This means the next time someone buys a virtual machine with the same host, some of the blocks that made up your filesystem could end up making up their filesystem. The metadata will be wiped clean when the filesystem is formatted of course, so they won’t just see your files listed, but the blocks can still contain your data. It depends on how they’re managing their disks. Go buy a virtual machine somewhere and pipe the contents of your new disk through the strings command and look out for anything that isn’t yours (ssh root@newmachine "dd if=/dev/sda1 bs=1M | strings").

 You’re probably careful and securely wipe your sensitive data before you leave. But disk space is virtualized too. The blocks that make up your disk might not all be in order or even all be on the same disk. With snapshots, your data may exist in duplicate too, in copies that you can’t even access. What about if you bought extra disk space, then removed it?

 All virtual machine disks are wiped at the block level when the machine is deleted or when a new machine is created, and also if a disk image is extended into space that had previously been used as a snapshot or as a disk that was shrunk.

 https://www.brightbox.com/blog/2007/12/04/secure-virtual-disk-deletion-is-your-data-safe/
  • In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.
http://en.wikipedia.org/wiki/Obfuscation_%28software%29


  • Reverse Engineering Virtual Machine Protected Binaries
It’s crucial to know how this code obfuscation technique really works behind the scenes. The virtual machine first starts by setting up its “address space” in the executing process’s virtual address space. In other words, it allocates the needed space for its memory, stack and registers, then starts executing the code. Code execution is done within what is called a virtual machine loop. Inside this loop, the virtual machine plays the processor part by parsing each of its predefined opcodes and their operands, then using the mother architecture to execute the instructions. Iterating through the VM loop will continue until reaching a special exit opcode.
http://resources.infosecinstitute.com/reverse-engineering-virtual-machine-protected-binaries/#gref
  • Code Virtualizer is a powerful code-obfuscation system for Windows, Linux, and Mac OS X applications that helps developers to protect their sensitive code areas against Reverse Engineering with very strong obfuscation code, based on code virtualization.
https://oreans.com/codevirtualizer.php
  • Tigress is a diversifying virtualizer/obfuscator for the C language that supports many novel defenses against both static and dynamic reverse engineering and de-virtualization attacks.
http://tigress.cs.arizona.edu/


  • According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."

"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

  • Anti-VM and Anti-Sandbox Explained
    Understand how malware authors detect when malware is running in a virtual environment
    Harden your security systems to reduce the odds of evasion
    Identify anti-VM behavior in order to improve detection.

    Malware analysts and investigators often use isolated environments, such as virtual machines (VMs) or sandboxes, to analyze unknown code for malware. In the same manner, security products often use VMs and sandboxes to execute potentially malicious code before it is approved to enter the organizational network.

    In an attempt to evade analysis and bypass security systems, malware authors often design their code to detect isolated environments. Once such an environment is detected, the evasion mechanism may prevent the malicious code from running, or it may alter the malware’s behavior to avoid exposing malicious activity while running in a VM.

    There are multiple tactics used by malware authors for detecting sandboxes in general, and virtual environments in particular. Malware authors implement this in various ways, such as Windows API calls, WMI queries or specific CPU instructions.

    Some of the methods described herein can be monitored by automatic analysis systems and added as behavioral signatures indicating potential malicious activity, in order to improve detection.

https://www.cyberbit.net/endpoint-security/anti-vm-and-anti-sandbox-explained/
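As an added example (not from the Cyberbit article or any sandbox product), the Python below turns several of the evasion behaviors named on this page into behavioral signatures evaluated over a sandbox API trace: cumulative sleep stalling, timing checks around sleeps, repeated cursor polling, and process-list enumeration. The trace and its `pid api(args) -> ret` line format are constructed for this example, and the thresholds are assumptions to be tuned per sandbox.

```python
import re
from dataclasses import dataclass, field

# Constructed API trace from a hypothetical sandbox run. Process 4120 shows the
# evasion behaviors; process 5008 is an ordinary document writer for contrast.
TRACE = """\
4120 GetTickCount() -> 1180230
4120 Sleep(300000)
4120 GetTickCount() -> 1180245
4120 GetCursorPos() -> (512, 384)
4120 Sleep(5000)
4120 GetCursorPos() -> (512, 384)
4120 GetCursorPos() -> (512, 384)
4120 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) -> 0x1c4
4120 Process32First(0x1c4) -> 1
4120 Process32Next(0x1c4) -> 1
4120 Process32Next(0x1c4) -> 0
4120 ExitProcess(0)
5008 CreateFileW("C:\\\\Users\\\\victim\\\\report.docx") -> 0x2a0
5008 WriteFile(0x2a0, 4096) -> 1
5008 ExitProcess(0)
"""

# Assumed line shape: "<pid> <api>(<args>) [-> <ret>]"
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*?)\)(?:\s*->\s*(.+))?$")


@dataclass
class ProcessProfile:
    pid: int
    sleep_ms: int = 0                                   # cumulative Sleep() requested
    tick_samples: list = field(default_factory=list)    # (sleep_ms so far, tick value)
    cursor_samples: list = field(default_factory=list)  # raw cursor positions
    enumerated_processes: bool = False


def parse_trace(text: str) -> dict:
    """Fold the trace into one profile per pid."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, api, args, ret = int(m[1]), m[2], m[3], m[4]
        p = profiles.setdefault(pid, ProcessProfile(pid))
        if api == "Sleep":
            p.sleep_ms += int(args)
        elif api == "GetTickCount" and ret is not None:
            p.tick_samples.append((p.sleep_ms, int(ret)))
        elif api == "GetCursorPos" and ret is not None:
            p.cursor_samples.append(ret)
        elif api in ("CreateToolhelp32Snapshot", "Process32Next"):
            p.enumerated_processes = True
    return profiles


def evaluate(p: ProcessProfile, stall_ms: int = 120_000) -> list:
    """Return the behavioral signatures that fire for one process."""
    findings = []
    # Configuration-specific: sleeps long enough to outlast the analysis window.
    if p.sleep_ms >= stall_ms:
        findings.append(f"sleep stalling: {p.sleep_ms} ms requested")
    # Time trigger: tick counts sampled around a sleep. If the sandbox shortened
    # the sleep, the clock advanced far less than requested; a sample that checks
    # this is comparing real time with its own sleep, which benign code rarely does.
    for (s0, t0), (s1, t1) in zip(p.tick_samples, p.tick_samples[1:]):
        requested, elapsed = s1 - s0, t1 - t0
        if requested > 0 and elapsed < requested // 2:
            findings.append(f"timing check around Sleep: requested {requested} ms, "
                            f"clock advanced {elapsed} ms")
    # Human interaction: polling the cursor repeatedly and seeing no movement.
    if len(p.cursor_samples) >= 3 and len(set(p.cursor_samples)) == 1:
        findings.append("repeated cursor polling with no movement")
    # Environment-specific: walking the running process list (system-service lists).
    if p.enumerated_processes:
        findings.append("process list enumeration")
    return findings


def analyze(text: str) -> dict:
    return {pid: evaluate(p) for pid, p in parse_trace(text).items()}


if __name__ == "__main__":
    for pid, findings in analyze(TRACE).items():
        print(pid, findings or ["no evasion indicators"])
```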

  • What Happens When APTs Advance to Lateral Movement?
Lateral movement tactics used by attackers are mainly divided into three parts: the reconnaissance period where they gather inside information to move freely in a network, the stealing of legitimate credentials, and the actual intrusion to computers using these credentials.
http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-happens-when-apts-advance-to-lateral-movement-


  • An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. An APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack.



Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.

Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or another gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives.

Mitigation strategies
While APT activities are stealthy and hard to detect, the command and control network traffic associated with APT can be detected at the network layer level.
Agents can be used to collect logs (TCP and UDP) directly from assets into a syslog server.
Then a Security Information and Event Management (SIEM) tool can correlate and analyze logs.
While it is challenging to separate noises from legitimate traffic, a good log correlation tool can be used to filter out the legitimate traffic so security staff can focus on the noises.
Good asset management with documented components of the original Operation System plus software will help IT security analysts detect new files on the system.

Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code.

https://en.wikipedia.org/wiki/Advanced_persistent_threat
  • Lateral movement: the key to any attack or escape
 A real-life example of this malicious lateral movement in your network is the Destover Wiper malware, which uses the SMB protocol via the Netbios API, port 139—a protocol not monitored by most sandboxing tools—to move laterally across a network to gain access to confidential data and transport the desired data across the network where it can later be pulled out of the network.
 http://community.hpe.com/t5/Protect-Your-Assets/Lateral-movement-the-key-to-any-attack-or-escape/ba-p/6759654#.V2J9zqLSzuh

  • Lateral Movement – A Critical Opportunity to Detect an In-progress Cyber Attack
 The attacker begins to move laterally around the network, taking inventory of the resources, and looking for opportunities to collect additional credentials or upgrade the privileges they already have to gain access.
 http://www.countertack.com/blog/bid/124216/Lateral-Movement-A-Critical-Opportunity-to-Detect-an-In-progress-Cyber-Attack
  • Criminals have strong motives to prevent their malware from being analyzed, which is a mandatory step in performing incident response. The classical model of an executable protection is that of a wrapper around a single executable. At the time of creation, the protector will compress and/or encrypt the contents of the executable’s sections. It will then append a new code section that is responsible for decompressing and/or decrypting the sections when executed, as well as for thwarting attempts at reverse engineering. The executable’s entry point is redirected into this new code (termed the “unpacking stub”), and upon completion, execution is transferred back to the original entry point. The program will subsequently function identically to the original, unprotected executable.

Each assumes that the hidden code from the protected program will be completely unprotected in memory at some point during execution, and each uses various measures to guide execution until this point. Some tools additionally have the goal, beyond merely identifying hidden code and the original entry point, of producing working, unprotected executables.
http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
  • At YaraRules Project we want to offer to the Community a new online service: “YaraRules Analyzer”. It allows you to analyze your files on the cloud using the full YaraRules ruleset, so you do not need to install Yara on your local computer and you also make sure to analyze your files against the latest YaraRules ruleset.
http://yararules.com/


  • Yara Rules
Yara is an open source malware attribution tool used to classify malware samples based on textual or binary patterns once they have been analyzed in Cuckoo. Using Yara, researchers write descriptions of malware families based on patterns. These descriptions are called rules, hence the name Yara (which stands for “Yet Another Recursive Acronym”) Rules. It allows researchers to recognize and categorize seemingly similar variants of malware and can be integrated to use within Cuckoo.
https://www.cyberbit.net/endpoint-security/open-source-malware-analysis-tools


  • Reverse Engineering involves the analysis of malicious files in depth, which involves time and cost. It is considered a good practice to observe malware behavior, group them in a signature, and then identify the related infected files. To cut the costs of RE and identify malware families based on signatures, we can use an open source tool known as YARA.

YARA is a popular tool that provides a robust language, which is compatible with Perl-based Regular Expressions and is used to examine the suspected files/directories and match strings as is defined in the YARA rules with the file.
https://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/#gref


  • This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules.

https://github.com/Yara-Rules/rules

  • The pattern matching swiss knife for malware researchers
YARA is multi-platform, running on Windows, Linux, and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
https://virustotal.github.io/yara/


  • That’s why playing “retro hunting” is also important. I like this name: it comes from a VirusTotal feature that allows the creation of YARA rules and to search backward for samples that match them. Here is an example based on MISP and Splunk. The first step is to export interesting IOCs like IP addresses, hostnames or hashes from the last day. Export them in CSV format into your Splunk via a simple crontab.
https://isc.sans.edu/diary/Retro+Hunting%21/22189


  • Retrohunt: Yara back in time

Create a Yara rule and apply it back in time to the existing dataset in order to discover early versions of new attacks that you might have recently discovered.
https://www.virustotal.com/#/hunting-overview
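To make concrete the contrast drawn earlier on this page between hash signatures and payload-based signatures, the YARA idea of rules built from textual or binary patterns, and the retrohunt idea of re-running a rule over an existing dataset, here is an added Python example that is not from any of the cited sources: a hash blocklist only recognises the exact original sample, while a rule built from content patterns (a command-line string, a C2 URL pattern, a code-prologue byte sequence) also matches an altered variant. The samples, the simplified rule structure and the `.invalid` C2 hostname are all constructed for this example; real YARA rules use the syntax documented at virustotal.github.io/yara.

```python
import hashlib
import re

# Constructed samples standing in for one malware family: the original, a
# variant in which one string was altered (so every file hash changes), and
# an unrelated benign file.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 60
            + b"cmd.exe /c del /q %TEMP%\\dropper.tmp\x00"
            + b"http://c2.invalid/gate.php\x00"          # .invalid TLD, constructed
            + b"\x55\x8b\xec\x83\xec\x10\x33\xc0"        # push ebp; mov ebp,esp; ...
            + b"\x00" * 32)
VARIANT = ORIGINAL.replace(b"dropper.tmp", b"update1.tmp")
BENIGN = b"MZ\x90\x00" + b"Hello, world\x00" * 8
CORPUS = {"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}

# A rule in the spirit of YARA: named strings (plain bytes, a regex, or hex
# bytes) plus a condition over which of them were found. This dict layout is
# this example's own simplification, not YARA syntax.
RULES = {
    "dropper_family": {
        "strings": {
            "$cmd": b"cmd.exe /c del /q",
            "$c2": re.compile(rb"http://[a-z0-9.-]+/gate\.php"),
            "$prologue": bytes.fromhex("558bec83ec10"),
        },
        # the prologue must be present, plus at least one more string
        "condition": lambda hits: "$prologue" in hits and len(hits) >= 2,
    }
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def string_hits(data: bytes, strings: dict) -> dict:
    """Map each rule string that occurs in data to its first offset."""
    hits = {}
    for name, pat in strings.items():
        if isinstance(pat, bytes):
            off = data.find(pat)
            if off != -1:
                hits[name] = off
        else:
            m = pat.search(data)
            if m:
                hits[name] = m.start()
    return hits


def match_rules(data: bytes, rules: dict = RULES) -> list:
    """Names of all rules whose condition holds for this sample."""
    return [name for name, rule in rules.items()
            if rule["condition"](string_hits(data, rule["strings"]))]


def hash_blocklist_hits(corpus: dict, known_hashes: set) -> set:
    """Legacy one-to-one matching: only byte-identical files are recognised."""
    return {sid for sid, data in corpus.items() if sha256(data) in known_hashes}


def retrohunt(corpus: dict, rules: dict = RULES) -> dict:
    """Apply the rules back over an existing dataset, as a retrohunt does."""
    return {sid: match_rules(data, rules) for sid, data in corpus.items()}


if __name__ == "__main__":
    blocklist = {sha256(ORIGINAL)}
    print("hash blocklist catches:", hash_blocklist_hits(CORPUS, blocklist))
    print("payload rule catches:", retrohunt(CORPUS))
```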
  • A Linux Toolkit for Reverse-Engineering and Analyzing Malware. REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
https://remnux.org/

  • Radare is a portable reversing framework that can:
        Disassemble (and assemble for) many different architectures
        Debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg)
        Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku
        Perform forensics on filesystems and data carving
        Be scripted in Python, Javascript, Go and more
        Support collaborative analysis using the embedded webserver
        Visualize data structures of several file types
        Patch programs to uncover new features or fix vulnerabilities
        Use powerful analysis capabilities to speed up reversing
        Aid in software exploitation
    https://rada.re/r/

  • Medusa is a disassembler designed to be both modular and interactive. It runs on Windows and Linux, it should be the same on OSX. This project is organized as a library. To disassemble a file you have to use medusa_text or Medusa.
https://github.com/wisk/medusa


  • Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications

https://www.hopperapp.com/


  • Hiew
    view and edit files of any length in text, hex, and decode modes
    x86-64 disassembler & assembler (AVX instructions included)
    physical & logical drive view & edit
    support for NE, LE, LX, PE/PE32+, ELF/ELF64(little-endian), Mach-O(little-endian), TE/TE64 executable formats
    support for Netware Loadable Modules like NLM, DSK, LAN,...
    following direct call/jmp instructions in any executable file with one touch
    pattern search in disassembler
    built-in simple 64bit decrypt/crypt system
    built-in powerful 64bit calculator
    block operations: read, write, fill, copy, move, insert, delete, crypt
    multifile search and replace
    keyboard macros
    unicode/utf8 support
    Hiew External Module (HEM) support
    ArmV6 disassembler
http://www.hiew.ru/


  • IDA Pro is a disassembler
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented into IDA Pro to make that code more readable, in some cases quite close to the original source code that produced the binary program. The map of the program's code can then be post-processed for further investigations.

IDA Pro is a debugger
Hostile code usually does not cooperate with the analyst. Viruses, worms, and trojans are often armored and obfuscated. The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing the analyst to single-step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on various platforms, including the ubiquitous 80x86 (typically Windows/Linux) and the ARM platform (typically Windows CE PDAs) and other platforms. Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.

Hostile Code analysis
When eEye isolated a new worm whose payload targeted the White House's website, IDA Pro was used to analyze and understand it: it helped the talented eEye analysts deliver a prompt and accurate warning of the impending attack.

Vulnerability research
IDA Pro is the ideal tool to investigate why software breaks.

COTS validation
A lot of software is now developed outside the country where it is used.
IDA provides a convenient means to check if a program really does what it claims to do.

Privacy protection

https://www.hex-rays.com/products/ida/ida-executive.pdf



  • Viruses

A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.
Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.

https://www.cisco.com/c/en/us/about/security-center/virus-differences.html
  • OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable. OllyDbg is shareware, but you can download and use it for free.
http://www.ollydbg.de/


  • OllyDbg

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants, and strings, and locates routines from object files and libraries. It has a friendly interface, and its functionality can be extended by third-party plugins.

OllyDbg is often used for reverse engineering of programs, and it is the tool crackers most often use against software made by other developers because of its ease of use and availability: any 32-bit executable loaded in the debugger can be patched at the assembly level in real time. It is also useful for programmers who want to confirm that their program runs as intended, and it is used for malware analysis. Note that OllyDbg handles 32-bit targets only; 64-bit samples need x64dbg or WinDbg.
http://en.wikipedia.org/wiki/OllyDbg

  • WinDbg
WinDbg is a multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode.

WinDbg can be used for debugging kernel-mode memory dumps created after what is commonly called the Blue Screen of Death, which occurs when a bug check is issued. It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.

Recent versions of WinDbg are distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and the command-line front-ends KD, CDB, and NTSD.
http://en.wikipedia.org/wiki/WinDbg


  • Freeware Hex Editor Neo allows you to view, modify and analyze hexadecimal data and binary files, exchange data with other applications through the clipboard, insert new data and delete existing data, and perform other editing actions.

http://www.hhdsoftware.com/free-hex-editor


  • Spyware
Spyware is software that gathers information about a person or organization without their knowledge, may send that information to another entity without the user's consent, or asserts control over a computer without the user's knowledge.


"Spyware" is mostly classified into four types: system monitors, trojans, adware, and tracking cookies.
Spyware is mostly used for the purposes such as; tracking and storing internet users' movements on the web; serving up pop-up ads to internet users.

Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.

While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, un-authorized changes in browser settings, or changes to software settings.

http://en.wikipedia.org/wiki/Spyware


  • How to: Use NETSTAT.EXE to detect spyware/malware


This video explains how to use the netstat command to find the executables behind established connections. Run "netstat -b" from an elevated (administrator) prompt: -b prints the executable that owns each connection, and adding -n -o skips name resolution and shows the PID so the process can be inspected in Task Manager or with tasklist.
http://www.mappingwireless.com/internet-security/how-to-use-netstatexe-to-detect-spywaremalware
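As an added example (not part of the linked video or this page's original content), the script below parses the text that `netstat -b -n -o` prints and flags ESTABLISHED connections owned by executables outside a baseline, or going to ports rarely used by legitimate client software. The netstat output, the executable names, the port list and the baseline are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `netstat -b -n -o` output (not a real capture).
# -b prints the owning executable in brackets on the line after each
# connection; service-hosting processes list the component (RpcSs) first.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4120
 [chrome.exe]
  TCP    192.168.1.10:49801     203.0.113.7:8080       ESTABLISHED     3316
 [winupdate.exe]
  TCP    192.168.1.10:49833     198.51.100.5:6667      ESTABLISHED     3316
 [winupdate.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49900     192.0.2.44:443         TIME_WAIT       0
"""

# UDP lines carry no State column, so the state group is optional.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Return one dict per connection, with the owning exe when -b printed it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid), "exe": None})
            continue
        m = EXE_RE.match(line)
        # The bracketed image name belongs to the most recent connection line;
        # component lines such as "RpcSs" are simply skipped.
        if m and conns and conns[-1]["exe"] is None:
            conns[-1]["exe"] = m.group(1).lower()
    return conns


def remote_port(conn):
    return int(conn["remote"].rsplit(":", 1)[1])


def suspicious_connections(conns, known_exes):
    """ESTABLISHED connections whose owning image is not in the baseline of
    expected executables, or which use a port commonly seen in C2 traffic."""
    odd_ports = {6667, 1337, 4444}  # IRC and two classic RAT defaults (assumed list)
    hits = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        if c["exe"] not in known_exes or remote_port(c) in odd_ports:
            hits.append(c)
    return hits


def by_process(hits):
    """Group flagged connections by PID so one rogue process stands out."""
    return Counter((h["pid"], h["exe"]) for h in hits)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    flagged = suspicious_connections(conns, {"chrome.exe", "svchost.exe", "outlook.exe"})
    for (pid, exe), n in by_process(flagged).items():
        print(f"PID {pid} {exe}: {n} established connection(s) to investigate")
```

netstat shows only the image name, and malware routinely names itself svchost.exe or similar, so treat the PID as the pivot: check the image path and signer with `tasklist /fi "pid eq 3316"` or `Get-Process -Id 3316 | Select Path` before deciding anything.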



  • Elicitation Techniques

Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought.

A person may never realize she was the target of elicitation or that she provided meaningful information.
Many competitive business intelligence collectors and foreign intelligence officers are trained in elicitation tactics. Their job is to obtain non-public information.

A business competitor may want information in order to out-compete your company, or a foreign intelligence officer may want insider information or details on US defense technologies.

Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.
Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.

Elicitation can occur anywhere— at social gatherings, at conferences, over the phone, on the street, on the Internet, or in someone’s home.

For example, have you ever planned a surprise party for someone and needed to know their schedule, wish list, food likes and dislikes or other information without that person finding out you were collecting the information or for what purpose?


Why Elicitation Works
Natural tendencies an elicitor may try to exploit include:

    A desire to be polite and helpful, even to strangers or new acquaintances
    A desire to appear well informed, especially about our profession
    A desire to feel appreciated and believe we are contributing to something important
    A tendency to expand on a topic when given praise or encouragement; to show off
    A tendency to gossip
    A tendency to correct others
    A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
    A tendency to believe others are honest; a disinclination to be suspicious of others
    A tendency to answer truthfully when asked an “honest” question
    A desire to convert someone to our opinion


For example, you meet someone at a public function and the natural getting-to-know-you questions eventually turn to your work. You never mention the name of your organization. The new person asks questions about job satisfaction at your company, perhaps while complaining about his job. You may think, “He has no idea where I work or what I really do. He’s just making idle chat. There’s no harm in answering.” However, he may know exactly what you do but he relies on his anonymity, your desire to be honest and appear knowledgeable, and your disinclination to be suspicious to get the information he wants. He may be hunting for a disgruntled employee who he can entice to give him insider informat


Techniques

Assumed Knowledge: 
Pretend to have knowledge or associations in common with a person. According to the computer network guys I used to work with…

Bracketing: 
Provide a high and low estimate in order to entice a more specific number. “I assume rates will have to go up soon. I’d guess between five and 15 dollars.” Response: Probably around seven dollars.

Can you top this? 
Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product that is capable of …

Confidential Bait: 
Pretend to divulge confidential information in hopes of receiving confidential information in return. “Just between you and me…” “Off the record…”

Deliberate False Statements / Denial of the Obvious:
Say something wrong in the hopes that the person will correct your statement with true information

Feigned Ignorance:
Pretend to be ignorant of a topic in order to exploit the person’s tendency to educate.

Flattery:
Use praise to coax a person into providing information

Good Listener:
Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative)

The Leading Question:
Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption

Macro to Micro:
Start a conversation on the macro level, and then gradually guide the person toward the topic of actual interest.
A good elicitor will then reverse the process taking the conversation back to macro topics.

Mutual Interest:
Suggest you are similar to a person based on shared interests, hobbies, or experiences, as a way to obtain information or build a rapport before soliciting information.

Oblique Reference:
Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may actually be an attempt to understand the type of access outside vendors have to the facility.

Opposition/Feigned Incredulity:
Indicate disbelief or opposition in order to prompt a person to offer information in defense of their position

Provocative Statement:
Entice the person to direct a question toward you, in order to set up the rest of the conversation.

Questionnaires and Surveys:
State a benign purpose for the survey.

Quote Reported Facts:
Reference real or false information so the person believes that bit of information is in the public domain


Ruse Interviews:
Someone pretending to be a headhunter calls and asks about your experience, qualifications, and recent projects

Volunteering Information / Quid Pro Quo:
Give information in hopes that the person will reciprocate

Word Repetition:
Repeat core words or concepts to encourage a person to expand on what he/she already said


Deflecting Elicitation Attempts

You can politely discourage conversation topics and deflect possible elicitations by:

    Referring them to public sources (websites, press releases)
    Ignoring any question or statement you think is improper and changing the topic
    Deflecting a question with one of your own
    Responding with “Why do you ask?”
    Giving a nondescript answer
    Stating that you do not know
    Stating that you would have to clear such discussions with your security office
    Stating that you cannot discuss the matter

If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.



http://www.fbi.gov/about-us/investigate/counterintelligence/elicitation-techniques



  • The Insider Threat

An introduction to detecting and deterring an insider spy




Personal Factors

Greed or Financial Need: A belief that money can fix anything. Excessive debt or overwhelming expenses.

Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.

Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff.

Ideology/Identification: A desire to help the “underdog” or a particular cause.

Divided Loyalty: Allegiance to another person or company, or to a country besides the United States.

Adventure/Thrill: Want to add excitement to their life, intrigued by the clandestine activity, “James Bond Wannabe.”

Vulnerability to blackmail: Extra-marital affairs, gambling, fraud.

Ego/Self-image: An “above the rules” attitude, or desire to repair wounds to their self-esteem. Vulnerability to flattery or the promise of a better job. Often coupled with Anger/Revenge or Adventure/Thrill.

Ingratiation: A desire to please or win the approval of someone who could benefit from insider information with the expectation of returned favors.

Compulsive and destructive behavior: Drug or alcohol abuse, or other addictive behaviors.

Family problems: Marital conflicts or separation from loved ones.



Organizational Factors

The availability and ease of acquiring proprietary, classified, or other protected materials. Providing access privileges to those who do not need it.


Behavioral Indicators

Some behaviors may be a clue that an employee is spying and/or methodically stealing from the organization:


http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat




  • Internet Social Networking Risks




http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks


  • How to Detect Spyware on a Cell Phone


There are a few subtle signs that spyware has been installed on your cell phone.

Notice if your phone lights up when you're not using it to make or receive a call or access any of the phone's apps. Some spyware is woken up remotely (by a call or a hidden text message) to upload what it has collected.
Note any strange background noises or clicks when you're on a call.
Notice an increase in GPRS (mobile data) activity. This can indicate spyware uploading your location or other collected data.
Check your phone bill closely. Notice whether it lists more text messages than you remember sending or calls you did not make.
Ask anyone who may have borrowed your phone whether they installed any software, wallpapers or ringtones.

Tips & Warnings
Use anti-virus software on your phone to detect and remove viruses or spyware.
Take your phone to your service provider, who can erase the phone's memory and restore the factory default settings.
You'll lose all your data, but the spyware will be eliminated.
Make a hard copy of any information in your phone that you wish to retain.
Do not give your cell phone number to strangers or post it on the Internet.
Spyware on a phone is normally installed by someone with hands-on access to the handset, or by tricking the owner into installing an app; receiving a call does not by itself install software on a phone.
If you let a stranger borrow your phone to make an "emergency" call before you noticed any of these signs, treat that as the likely moment of installation.
Such installs are commonly used to subscribe the phone to premium-rate text services for which you are charged.

http://www.ehow.com/how_4826956_detect-spyware-cell-phone.html#ixzz2MfR4Vj46


  • How to detect and remove Ramnit
Ramnit is malware that infects PCs running Microsoft Windows. Once a PC is infected, the malware disables a series of Windows security features (Windows Defender, Windows Firewall, User Account Control) and Windows Update, and blocks the installation of other antivirus software.
http://windows.microsoft.com/en-us/windows/detect-remove-ramnit-virus

  • SpyEye
SpyEye was written in C++ and its compiled binary is about 60 KB. It supports Windows 2000 through Windows 7 and runs in ring 3 (user mode), like the Zeus trojan. It was sold as undetected by most antivirus software: it is invisible to Task Manager and other user-mode applications, hides its files from ordinary Explorer searches and hides its registry keys. Because that hiding is done by hooking user-mode APIs, a kernel-level view or an offline inspection of the disk still shows the files and keys.
http://thehackernews.com/2011/08/spyeye-1345-download-loader-source-code.html

  • Zeus
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.
https://en.wikipedia.org/wiki/Zeus_(malware)

  • advanced threat analytics(ATA)
Using deep packet inspection technology, Microsoft Advanced Threat Analytics analyzes all Active Directory traffic. It can also collect relevant events from SIEM and other sources.
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics#CP_CaseStudy_2



  • Crypters are applications whose sole purpose is to get malware past antivirus detection. Attackers use crypters to wrap viruses, trojans, RATs, keyloggers and other tools in a new executable built specifically to evade detection of the original.
https://www.hackingloops.com/crypters-tutorial-for-hackers-by-hackingloops/

  • A crypter is a program used to help malware evade signature-based antivirus detection. It applies an obfuscation method (usually encryption) to the malware so that the antivirus cannot match it against any signature, and outputs a seemingly "harmless" file called the stub. When the victim opens the stub, it decrypts the malware in memory and executes it.

https://null-byte.wonderhowto.com/how-to/security-oriented-c-tutorial-0xfb-simple-crypter-0168089/
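The stub-and-payload mechanism described in the two bullets above, shown as an added toy example that is not code from either of the linked tutorials: a harmless text string stands in for the payload, a byte pattern inside it stands in for an antivirus content signature, and XOR with a random key plays the role of the crypter's obfuscation. It shows why neither the file hash nor an on-disk byte signature matches the stub, while the payload the stub recovers in memory still matches, which is the reason memory scanning and behavioural analysis matter.

```python
import hashlib
import os

# Constructed stand-in for a malicious payload: benign text carrying a
# recognisable marker that plays the role of an AV byte signature.
PAYLOAD = b"CONSTRUCTED-SAMPLE: connect gate.example.invalid:8080 and log keystrokes"
SIGNATURE = b"gate.example.invalid"   # what a content signature would look for


def xor_bytes(data, key):
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_stub(payload, key=None):
    """Toy crypter: returns (key, blob). The blob is what would ship to the
    victim; a real stub embeds the key next to the blob."""
    key = key or os.urandom(16)
    return key, xor_bytes(payload, key)


def stub_run(key, blob):
    """What the stub does at run time: recover the payload in memory."""
    return xor_bytes(blob, key)


def signature_hit(data):
    return SIGNATURE in data


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def demo(key=None):
    """Compare what a scanner sees on disk with what exists after the stub runs."""
    key, blob = build_stub(PAYLOAD, key)
    recovered = stub_run(key, blob)
    return {
        "on_disk_signature_hit": signature_hit(blob),
        "on_disk_hash_changed": sha256(blob) != sha256(PAYLOAD),
        "in_memory_signature_hit": signature_hit(recovered),
        "payload_intact": recovered == PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every new key yields a new hash, which is how one source binary turns into thousands of "variants" without touching the payload; a content signature on the stub itself (the decryption loop) or a scan of process memory after the stub runs is what catches it.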
  • Poison Ivy: Assessing Damage and Extracting Intelligence
Here is how a typical Poison Ivy attack works:

    The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
    The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
    The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
    Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
https://www.fireeye.com/blog/threat-research/2013/08/pivy-assessing-damage-and-extracting-intel.html


  • Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth
https://en.wikipedia.org/wiki/Gh0st_RAT

  • Gh0st RAT: Complete Malware Analysis – Part 1
Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.
http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/

  • Superfish 
The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/


  • Lenovo has been preloading Superfish, a "visual search" tool that includes adware, on its PCs since at least mid-2014. Superfish installs its own root certificate and then issues a certificate for every HTTPS-protected site you visit, so the browser shows a valid padlock while the adware reads and rewrites the page. In effect it conducts a man-in-the-middle attack to fill the websites you visit with ads, and because the same root certificate and private key shipped on every affected machine, anyone who extracts that key can impersonate any HTTPS site to those users.

http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html


  • Exploit Kit
Exploit kits are toolkits used to exploit security holes primarily to spread malware. These toolkits come packaged with exploit codes. These exploit kits target software such as Adobe Flash, Java, Microsoft Silverlight, Internet Explorer - software that are commonly installed and used in most PCs. Computers using outdated software/applications are at high risk.
https://www.trendmicro.com/vinfo/us/security/definition/Exploit-Kit

  • Blackhole Exploit Kit spam runs use lures to get users to click a URL that points to sites hosting the kit.
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/128/blackhole-exploit-kit-spam-runs-a-threat-vortex


  • An exploit kit, sometimes called an exploit pack, is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.
https://zeltser.com/what-are-exploit-kits

  • Trojan:JS/Kilim is a family of malicious browser extensions that post unauthorized content to the user's Facebook Wall.
Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program.
https://www.f-secure.com/v-descs/trojan_js_kilim.shtml


  • SMB Worm Tool: This worm uses a brute-force authentication attack to propagate via Windows SMB shares. If it has successfully spread to other Windows hosts via SMB on port 445, it connects home every five minutes to send log data back to command and control (C2) infrastructure, and it accepts new scan tasking on each connection. There are two main threads: the first calls home and sends back logs (a list of successful SMB exploitations); the second attempts to guess passwords for SMB connections. If a password is guessed correctly, a file share is established, and a file is copied to and run on the newly infected host.
http://www.securityweek.com/hackers-used-sophisticated-smb-worm-tool-attack-sony
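The five-minute check-in described above is the kind of regularity that stands out in connection logs. As an added example that is not from the SecurityWeek article, the script below groups flow records by source, destination and port and flags pairs whose inter-connection gaps are nearly constant (coefficient of variation below a threshold). The log lines, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/netflow-style log (not a real capture):
# timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2017-03-01T09:00:03 10.0.0.21 203.0.113.7 443
2017-03-01T09:05:02 10.0.0.21 203.0.113.7 443
2017-03-01T09:10:04 10.0.0.21 203.0.113.7 443
2017-03-01T09:15:01 10.0.0.21 203.0.113.7 443
2017-03-01T09:20:03 10.0.0.21 203.0.113.7 443
2017-03-01T09:25:02 10.0.0.21 203.0.113.7 443
2017-03-01T09:00:45 10.0.0.21 93.184.216.34 443
2017-03-01T09:01:10 10.0.0.21 93.184.216.34 443
2017-03-01T09:14:30 10.0.0.21 93.184.216.34 443
2017-03-01T09:31:05 10.0.0.21 93.184.216.34 443
2017-03-01T09:33:00 10.0.0.21 93.184.216.34 443
2017-03-01T09:40:00 10.0.0.21 93.184.216.34 443
2017-03-01T09:02:00 10.0.0.22 203.0.113.7 443
"""


def parse_flows(text):
    """Return (timestamp, src, dst, port) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_beacons(flows, min_hits=5, max_jitter=0.1):
    """Map (src, dst, port) -> rounded mean interval in seconds for pairs whose
    gaps between successive connections are nearly constant. Human browsing
    (the 93.184.216.34 rows) produces wildly varying gaps and is not flagged."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), secs in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} beacons every ~{secs}s")
```

Implants that add random sleep jitter widen the spread of the gaps, so in practice the threshold is tuned per environment and the analysis is run over hours or days rather than a few connections; the port-443 destination shows why the destination port alone is no filter.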

  • In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
https://en.wikipedia.org/wiki/Server_Message_Block


  • Hack Windows XP with Metasploit
Metasploit does this by exploiting MS08-067, a vulnerability in the Windows Server service (the path-canonicalization bug in netapi32, reachable over SMB/RPC on port 445), not in Samba. The exploit works on unpatched Windows XP up to SP3.

http://www.binarytides.com/hack-windows-xp-metasploit

  • Remote Access Trojans (RATs) provide cybercriminals with unlimited access to infected endpoints.
https://www.trusteer.com/glossary/remote-access-trojan-rat

  • A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program -- such as a game -- or sent as an email attachment
http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan



  • Watering Hole is a computer attack strategy identified in 2012 by RSA Security, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
https://en.wikipedia.org/wiki/Watering_Hole
  • In a watering hole attack scenario, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection.

http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/web-attack/137/watering-hole-101

  • Detecting malware through static and dynamic techniques

Malware analysis involves two key techniques: static analysis and dynamic analysis.
Static analysis examines malware without actually running it. Dynamic analysis (also known as behavior analysis) executes malware in a controlled and monitored environment to observe its behavior

Basic Static Analysis
Basic static analysis examines a file without viewing the actual code or instructions. It uses different tools and techniques to quickly determine whether a file is malicious, provide information about its functionality and collect technical indicators from which simple signatures can be produced. Indicators gathered with basic static analysis include the file name, MD5 and SHA-256 hashes, file type, file size, embedded strings (URLs, paths, registry keys), PE header fields such as the compile timestamp, and whether antivirus engines already recognize the file.
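An added example of basic static triage (not code from the NTT Security post): hashes, size, file-type magic, a few PE header fields read with struct, and printable strings, run over a constructed minimal PE-shaped byte blob that contains a made-up URL and Run-key path. The blob is not an executable; it only carries the headers the triage reads.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone


def build_sample():
    """Constructed minimal PE-shaped blob standing in for a suspect file."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytes(0x3A)            # DOS header up to e_lfanew
    dos += struct.pack("<I", e_lfanew)              # offset 0x3C: pointer to "PE\0\0"
    dos += bytes(e_lfanew - len(dos))
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x58B00000, 0, 0, 0xE0, 0x0102)
    body = (b"\0" * 16 + b"http://example.invalid/gate.php\0"
            + b"\0" * 7 + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
            + b"\0" * 9 + b"ab\0")                  # "ab" is too short to count as a string
    return bytes(dos) + b"PE\0\0" + coff + body


MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def file_type(data):
    """Identify by magic bytes, not by extension (which malware chooses freely)."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        off = struct.unpack_from("<I", data, 0x3C)[0]
        return "PE" if data[off:off + 4] == b"PE\0\0" else "MZ (DOS/damaged)"
    return "unknown"


def pe_header(data):
    """Read the COFF header that follows the PE signature."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, off)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),             # IMAGE_FILE_DLL
        "optional_header_size": opt_size,
    }


def strings(data, min_len=4):
    """Printable ASCII runs, the same idea as the `strings` utility."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    report = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "strings": strings(data),
    }
    if report["type"] == "PE":
        report["pe"] = pe_header(data)
    # Indicators worth pivoting on: anything URL-like or under a Run key.
    report["indicators"] = [s for s in report["strings"]
                            if "://" in s or "\\CurrentVersion\\Run" in s]
    return report


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(f"{k}: {v}")
```

The compile timestamp is attacker-controlled and often forged, so it is a clue, not evidence; the hashes are what you submit to a multi-engine scanner or threat-intelligence feed, and the strings are where a packed sample gives least away (a real file whose strings list is nearly empty is itself a signal).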

Basic Dynamic Analysis
Basic dynamic analysis runs the malware in an isolated, instrumented environment to observe its behavior, understand its functionality and identify technical indicators that can be used in detection signatures. Indicators revealed this way include domain names, IP addresses, file paths, registry keys, and additional files written to the system or network.
It also reveals communication with an attacker-controlled external server for command and control, or attempts to download additional malware files.
Basic dynamic analysis is essentially what most automated sandboxes and dynamic malware analysis engines do today. A clean run is not proof that a file is benign: sandbox-aware samples check for virtual machine artifacts, sleep past the analysis window, or wait for user interaction before doing anything.
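An added example (not from the NTT Security post) of the indicator extraction that sits behind a sandbox report: a constructed behaviour trace in Process Monitor's CSV export layout is reduced to dropped files, Run-key persistence, spawned processes and remote hosts, then summarized into behavioural verdicts. The process names, paths and addresses are made up; the column layout is Procmon's.

```python
import csv
import io
import re

# Constructed behaviour trace in Process Monitor's CSV export layout
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_TRACE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","2040","CreateFile","C:\\Users\\victim\\AppData\\Roaming\\msupd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","sample.exe","2040","WriteFile","C:\\Users\\victim\\AppData\\Roaming\\msupd.exe","SUCCESS","Length: 61440"
"10:01:02.9","sample.exe","2040","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\msupd","SUCCESS","Type: REG_SZ, Data: C:\\Users\\victim\\AppData\\Roaming\\msupd.exe"
"10:01:03.0","sample.exe","2040","Process Create","C:\\Users\\victim\\AppData\\Roaming\\msupd.exe","SUCCESS","PID: 2212"
"10:01:03.4","msupd.exe","2212","UDP Send","10.0.0.21:51234 -> 10.0.0.1:53","SUCCESS","Length: 48"
"10:01:03.9","msupd.exe","2212","TCP Connect","10.0.0.21:49801 -> 203.0.113.7:8080","SUCCESS","Length: 0"
"10:01:04.2","msupd.exe","2212","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:05.0","sample.exe","2040","RegSetValue","HKCU\\Software\\Classes\\Local Settings\\MuiCache\\1","SUCCESS","Type: REG_SZ"
"""

ADDR_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\ProgramData\\", "\\Public\\")


def parse_trace(text):
    return list(csv.DictReader(io.StringIO(text)))


def extract_indicators(events):
    """Reduce the raw event stream to the indicators a report would list."""
    iocs = {"dropped_files": [], "persistence": [], "remote_hosts": [], "spawned": []}
    seen = set()

    def add(kind, value):
        if (kind, value) not in seen:        # keep first occurrence, preserve order
            seen.add((kind, value))
            iocs[kind].append(value)

    for ev in events:
        if ev["Result"] != "SUCCESS":        # failed operations are noise here
            continue
        op, path = ev["Operation"], ev["Path"]
        if op == "WriteFile" and any(p in path for p in USER_WRITABLE):
            add("dropped_files", path)
        elif op == "RegSetValue" and any(k in path for k in RUN_KEYS):
            add("persistence", path + " = " + ev["Detail"].split("Data: ", 1)[-1])
        elif op == "TCP Connect":
            m = ADDR_RE.match(path)
            if m:
                add("remote_hosts", f"{m.group(3)}:{m.group(4)}")
        elif op == "Process Create":
            add("spawned", f"{ev['Process Name']} -> {path}")
    return iocs


def summarize(iocs):
    """Behavioural verdicts: the drop -> persist -> execute -> beacon chain."""
    verdicts = []
    if any(f in p for f in iocs["dropped_files"] for p in iocs["persistence"]):
        verdicts.append("drops an executable and registers it in a Run key")
    if any(f in s for f in iocs["dropped_files"] for s in iocs["spawned"]):
        verdicts.append("executes the dropped file")
    if iocs["remote_hosts"]:
        verdicts.append("contacts " + ", ".join(iocs["remote_hosts"]))
    return verdicts


if __name__ == "__main__":
    iocs = extract_indicators(parse_trace(SAMPLE_TRACE))
    for kind, values in iocs.items():
        print(kind, values)
    print(summarize(iocs))
```

The UDP send to port 53 is dropped deliberately: the DNS query itself is not an indicator, the name it resolved is, and that comes from a packet capture or the resolver log taken alongside the trace.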



https://technical.nttsecurity.com/post/102efk4/detecting-malware-through-static-and-dynamic-techniques