- What Is an “Artifact”?
Tools used by intruders to gather information about networks or hosts
Tools used by intruders to exploit vulnerabilities
Tools installed by intruders on compromised hosts
A malicious program (e.g., virus, worm, Trojan horse,
Soft evidence (e.g., algorithms, descriptions, partial artifacts, network traces, etc.)
What is Artifact Analysis?
The study of Internet attack technology, otherwise known as malicious code, or “malware”
Viruses
Worms
Trojan horses
Bots
Denial-of-service tools
Vulnerability exploits
Spyware
Etc.
https://www.first.org/conference/2005/papers/kevin-houle-slides-1.pdf
- payload
https://en.wikipedia.org/wiki/Payload_(computing)
- WHAT IS A PAYLOAD-BASED SIGNATURE?
Payload-based signatures detect patterns in the
Security tools often
Malware authors can now easily create thousands of variants of existing malware, containing only slight changes,
As legacy signatures require a static one-to-one match for each unique file, these slight changes allow malware to go undetected.
https://www.paloaltonetworks.com/cyberpedia/what-is-a-payload-based-signature
- In computer security, a sandbox is a security mechanism for separating running programs.
It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.
https://en.wikipedia.org/wiki/Sandbox_%28computer_security%29
- A sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control. Sandboxing protects "live" servers and their data, vetted source code distributions, and other collections of code, data and/or content, proprietary or public, from changes that could be damaging (regardless of the intent of the author of those changes) to a mission-critical system or which could simply be difficult to revert.
https://en.wikipedia.org/wiki/Sandbox_%28software_development%29
- Malware Sandbox and Breach Detection Evasion Techniques
Configuration-specific — sleep calls, time triggers, fast flux, and process hiding
Human interaction — mouse clicks and dialog boxes
Environment-specific — version, embedded
http://www.drchaos.com/malware-sandbox-and-breach-detection-evasion-techniques
- Traditionally, your anti-virus and anti-spyware software work with your email software to identify malicious software as soon as it is received in your computer, or at least, as soon as it begins to execute. That works well for well-known viruses and spyware but leaves you vulnerable to zero-day exploits, that is, vulnerable to malicious software that is not yet properly identified by the security software.
For example, suppose you get an email message with the virus that presents itself as an attachment called
If you run your email program
https://www.sandboxie.com/
- Joe Sandbox Mail is an easy to use Microsoft Outlook add-in which enables you to:
analyze potentially malicious e-Mail attachments (any file type) in one click
detect malicious e-Mails
delete malicious e-Mails
access behavior analysis reports of analyzed e-Mail attachments
mark and categorize malicious e-Mails
Joe Sandbox Mail integrates into Microsoft Outlook as a new Ribbon, and just with a simple click of the “analyze” button, the e-Mail attachments are being sent to Joe Sandbox Cloud, Joe Sandbox Desktop, Joe Sandbox Complete or Joe Sandbox Ultimate to
https://www.joesecurity.org/joe-sandbox-mail
- Test downloads in a safe environment on your PC before installing them on your hard drive. We show how to install and run software in a sandbox with the free app BufferZone.
- Use the Email > Settings > File Sandboxing page to send suspicious files received in email messages to a cloud-hosted sandbox for analysis. The sandbox activates the file, observes the behavior, and compiles a report. If the file is malicious, the message is either quarantined, or an email alert is sent to the administrators that you specify, containing summary information and a link to the report.
- You could do all sorts of cool things with a sandboxed Python:
https://wiki.python.org/moin/SandboxedPython
- As its name suggests, this library is a NodeJS sandbox for executing untrusted Python code in Docker containers.
https://github.com/christophetd/docker-python-sandbox
pysandbox is a Python sandbox. By default, untrusted code executed in the sandbox cannot modify the environment (write a file, use print or import a module). But you can configure the sandbox to choose exactly which features are allowed or not, eg. import the sys module and read the /etc/issue file. Note that the pysandbox author has since declared the project broken and unsuitable for running hostile code: restrictions applied inside the same CPython interpreter can be bypassed, so isolation belongs at the process or container level (as docker-python-sandbox above does).
https://pypi.org/project/pysandbox/
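The "tightly controlled set of resources" idea from the sandbox definition above, applied to the Python case discussed in the last few entries, as an added example. This is not code from pysandbox, docker-python-sandbox or any other project linked here: it runs the guest in a separate process with a scratch directory, kernel-enforced CPU/memory/file-size limits and a wall-clock timeout, using only the standard library. It is process isolation, not a complete sandbox: it neither filters system calls nor blocks the network, which is what seccomp, a container or a VM would add. The guest snippets are constructed for the demo; the limits require a POSIX system and are skipped elsewhere.

```python
"""Run untrusted Python in a separate process with hard resource limits."""
import subprocess
import sys
import tempfile

try:
    import resource            # POSIX only; limits are skipped elsewhere
    HAVE_RLIMITS = True
except ImportError:            # e.g. Windows
    resource = None
    HAVE_RLIMITS = False

MEM_LIMIT_BYTES = 512 * 1024 * 1024   # address-space cap for the guest
CPU_SECONDS = 2                        # CPU time, enforced by the kernel
WALL_SECONDS = 5                       # wall clock, enforced by the parent


def _cap(limit, value):
    """Lower a limit to `value` without trying to raise an existing hard cap."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _apply_limits():
    """Runs in the child between fork() and exec(); the limits are inherited."""
    _cap(resource.RLIMIT_AS, MEM_LIMIT_BYTES)
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    # FSIZE 0: the guest may create files but any write of data fails (EFBIG)
    _cap(resource.RLIMIT_FSIZE, 0)


def run_untrusted(code: str) -> dict:
    """Execute `code` as a guest; returns status plus captured output.

    status is "ok" (exit 0), "error" (Python exception / non-zero exit),
    "killed" (terminated by a signal such as SIGXCPU) or "timeout".
    """
    with tempfile.TemporaryDirectory() as scratch:      # guest's only disk space
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", code],     # -I: isolated mode
                cwd=scratch,
                env={"PATH": "/usr/bin:/bin"},          # no inherited secrets
                input=b"",                               # no interactive stdin
                capture_output=True,
                timeout=WALL_SECONDS,
                preexec_fn=_apply_limits if HAVE_RLIMITS else None,
            )
        except subprocess.TimeoutExpired as exc:
            return {"status": "timeout",
                    "stdout": (exc.stdout or b"").decode(errors="replace"),
                    "stderr": (exc.stderr or b"").decode(errors="replace")}
    if proc.returncode == 0:
        status = "ok"
    elif proc.returncode < 0:          # negative return code: killed by a signal
        status = "killed"
    else:
        status = "error"
    return {"status": status,
            "stdout": proc.stdout.decode(errors="replace"),
            "stderr": proc.stderr.decode(errors="replace")}


# Constructed guest programs for the demo.
BENIGN = "print(sum(range(10)))"
CPU_HOG = "while True: pass"
MEMORY_BOMB = "x = bytearray(2 * 1024 ** 3)"   # 2 GiB, beyond MEM_LIMIT_BYTES
FILE_WRITER = "f = open('loot.txt', 'w'); f.write('x' * 100); f.close()"

if __name__ == "__main__":
    for name, snippet in [("benign", BENIGN), ("cpu hog", CPU_HOG),
                          ("memory bomb", MEMORY_BOMB), ("file writer", FILE_WRITER)]:
        print(f"{name:12s} -> {run_untrusted(snippet)['status']}")
```

The CPU hog is terminated by the kernel (SIGXCPU) after two CPU seconds rather than by the parent's timeout, the memory bomb fails with MemoryError inside the guest, and the file write fails because the guest's file-size limit is zero; the benign snippet prints normally. What this does not stop is a guest that talks to the network or calls arbitrary syscalls, which is why the container-based approaches above exist.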
- As a security analyst, you can look for threats that evaded detection by analyzing reconstructed artifacts, such as files and images. To understand the connections between collaborators and artifacts, you can also investigate the links to and from these files and images.
Several systems are infected despite
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qif_ug_artifact_an_ov.html
Malware analysis is a process that uses various tools and techniques to determine how malicious code is working. Unfortunately, there is no single algorithm to
or analysis of disassembled code.
Basic static analysis
The goal of this analysis is to gather information about potential malware functionality and any characteristic file features that could
Behavioral analysis
In this analysis, malicious code
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/artifact-analysis-fundamentals-handbook
- Difference Between Static Malware Analysis and Dynamic Malware Analysis
Malware analysis is a process or technique of determining the origin and potential impact of a specified malware sample.
Malware is anything that looks or acts malicious, such as a virus, worm, bug, Trojan, spyware, adware, etc.
What is Static Malware Analysis?
Static analysis is
What is Dynamic Malware Analysis?
Dynamic analysis involves running the malware sample and observing its behavior on the system
http://www.differencebetween.net/technology/difference-between-static-malware-analysis-and-dynamic-malware-analysis/
- Classification
CFF Explorer
Resource Hacker
Dynamic analysis tools
Process Explorer
Process Monitor
GMER
Network analysis tools
Automatic analysis tools
Cuckoo Sandbox
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/artifact-analysis-fundamentals-handbook
- Cuckoo Sandbox is a malware analysis system.
Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.
https://cuckoosandbox.org/
CuckooMX: Automating Email Attachments Scanning with Cuckoo
https://blog.rootshell.be/2012/06/20/cuckoomx-automating-email-attachments-scanning-with-cuckoo/
CuckooMX is a project to automate the analysis of files transmitted over SMTP (using the Cuckoo sandbox)
- One Flew Over the Cuckoo’s Nest
- Delete VMDK Files Securely
https://pubs.vmware.com/vsphere-51/index.jsp?topic=
- you’re probably careful and securely wipe your sensitive data before you leave. But disk space
The partition is deleted and space returned for the pool to be used by another virtual machine. This means the next time someone buys a virtual machine with the same host, some of the blocks that made up your filesystem could end up making up their filesystem. The metadata will be wiped clean when the filesystem is formatted so they won’t just see your files listed, but the blocks can still contain your data. It depends on how they’re managing their disks, of course. Go buy a virtual machine somewhere and pipe the contents of your new disk through the strings command and look out for anything that isn’t yours (ssh root@newmachine "dd if=/dev/sda1 bs=1M | strings").
https://www.brightbox.com/blog/2007/12/04/secure-virtual-disk-deletion-is-your-data-safe/
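The `dd | strings` check from the post, and the overwrite that should precede returning a disk to the pool, as an added example that is not the blog's code. The "disk" is a few KiB constructed in memory: a freshly formatted image (all zeros, empty metadata) in which three unreferenced data blocks still hold fragments of a previous tenant's deleted files. The scanner pulls printable runs the way strings(1) does and greps them for the kinds of residue worth worrying about; `zero_blocks` stands in for `dd if=/dev/zero` or shred on the real device.

```python
"""Scan a raw disk image for residual data, then confirm a wipe removes it."""
import re

BLOCK = 512
MIN_LEN = 8            # like `strings -n 8`

# What a practitioner greps for in someone else's recycled blocks.
SENSITIVE = {
    "private key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password":    re.compile(rb"(?i)pass(word|wd)\s*[=:]\s*\S+"),
    "email":       re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """(offset, run) for each printable-ASCII run of at least min_len bytes."""
    return [(m.start(), m.group())
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_image(blob: bytes) -> dict:
    """Map each sensitive-pattern name to (block number, run) for every hit."""
    hits = {}
    for offset, run in strings(blob):
        for name, pat in SENSITIVE.items():
            if pat.search(run):
                hits.setdefault(name, []).append((offset // BLOCK, run))
    return hits


def zero_blocks(img: bytearray, blocks) -> int:
    """Overwrite the given blocks in place (what to do before the disk goes
    back to the pool); returns the number of bytes wiped."""
    for b in blocks:
        img[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
    return len(blocks) * BLOCK


def build_demo_image(n_blocks: int = 64) -> bytearray:
    """Constructed image: zeroed metadata, stale data in three unreferenced blocks."""
    img = bytearray(n_blocks * BLOCK)
    leftovers = {
        17: b"db_host=10.0.0.5\ndb_user=app\npassword=hunter2\n",
        40: b"-----BEGIN RSA PRIVATE KEY-----\n<constructed key material>\n",
        41: b"# contact: admin@example.org\n",
    }
    for blk, data in leftovers.items():
        img[blk * BLOCK:blk * BLOCK + len(data)] = data
    return img


if __name__ == "__main__":
    img = build_demo_image()
    before = scan_image(bytes(img))
    print("before wipe:", {k: [blk for blk, _ in v] for k, v in before.items()})
    zero_blocks(img, [blk for hits in before.values() for blk, _ in hits])
    print("after wipe: ", scan_image(bytes(img)))
```

On a real host the input is the block device itself (`dd if=/dev/sda1 bs=1M` piped into the scanner), and the wipe has to happen while you still own the disk: once the provider has reallocated the blocks there is nothing left to overwrite.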
- In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
http://en.wikipedia.org/wiki/Obfuscation_%28software%29
- Reverse Engineering Virtual Machine Protected Binaries
http://resources.infosecinstitute.com/reverse-engineering-virtual-machine-protected-binaries/#gref
- Code Virtualizer is a powerful code-obfuscation system for Windows, Linux, and Mac OS X applications that helps developers to protect their sensitive code areas against Reverse Engineering with very strong obfuscation code, based on code virtualization.
- Tigress is a diversifying obfuscator/virtualizer for the C language that supports many novel defenses against both static and dynamic reverse engineering and de-virtualization attacks.
- According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."
"We used a JavaScript engine
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
- Anti-VM and Anti-Sandbox Explained
Harden your security systems to reduce the odds of evasion
Identify anti-VM behavior
Malware analysts and investigators often use isolated environments, such as virtual machines (VMs) or sandboxes, to analyze
multiple tactics used by malware authors for detecting sandboxes
Malware authors implement this in various ways such as Windows API, WMI queries or specific CPU instructions.
https://www.cyberbit.net/endpoint-security/anti-vm-and-anti-sandbox-explained/
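The evasion classes from the drchaos list above (configuration-specific, human interaction, environment-specific) and the anti-VM probe types named in the cyberbit post (Windows API calls, WMI queries, CPU instructions) turned into checks over a sandbox's API-call trace, as an added example that is not code from either article. The trace format (a list of `{"api", "args"}` records) and both sample traces are constructed for the demo; real reports from Cuckoo or Joe Sandbox carry the same information in their own schema and would need a small adapter.

```python
"""Flag sandbox-evasion behaviour in a constructed API-call trace."""

VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "hyper-v",
              "vmtoolsd", "sandbox", "cuckoo")
LONG_SLEEP_MS = 60_000                       # longer than most sandboxes wait
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
              "timeGetTime", "rdtsc"}
USER_PRESENCE_APIS = {"GetLastInputInfo", "GetForegroundWindow",
                      "MessageBoxA", "MessageBoxW"}
ARTIFACT_APIS = {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA",
                 "CreateFileA", "CreateFileW", "FindWindowA", "GetModuleHandleA"}
WMI_HW_CLASSES = ("win32_computersystem", "win32_bios", "win32_baseboard",
                  "win32_videocontroller", "win32_diskdrive")


def classify_trace(trace: list) -> dict:
    """Return {evasion class: [evidence strings]} for classes with evidence."""
    found = {"configuration-specific": [], "human interaction": [],
             "environment-specific": []}
    clock_reads = 0
    cursor_polls = 0
    for call in trace:
        api, args = call["api"], call.get("args", [])
        text = " ".join(str(a) for a in args).lower()

        # Configuration-specific: stall past the run time, detect sped-up clocks.
        if api in ("Sleep", "SleepEx") and args and args[0] >= LONG_SLEEP_MS:
            found["configuration-specific"].append(
                f"{api}({args[0]} ms) outlasts a typical analysis run")
        if api in CLOCK_APIS:
            clock_reads += 1

        # Human interaction: wait for a mouse to move or a dialog to be clicked.
        if api == "GetCursorPos":
            cursor_polls += 1
        elif api in USER_PRESENCE_APIS:
            found["human interaction"].append(f"{api} checks for a live user")

        # Environment-specific: registry/file/window names, WMI, CPUID.
        if api in ARTIFACT_APIS:
            hit = next((m for m in VM_MARKERS if m in text), None)
            if hit:
                found["environment-specific"].append(
                    f"{api} probes '{hit}' artifact: {args[0]}")
        elif api == "WMI":
            cls = next((c for c in WMI_HW_CLASSES if c in text), None)
            if cls:
                found["environment-specific"].append(
                    f"WMI query on {cls}: hardware/vendor fingerprinting")
        elif api == "cpuid" and args and args[0] == 0x40000000:
            found["environment-specific"].append(
                "cpuid leaf 0x40000000: reads the hypervisor vendor string")

    if clock_reads >= 2:
        found["configuration-specific"].append(
            f"{clock_reads} clock reads: timing check for accelerated sleeps")
    if cursor_polls >= 2:
        found["human interaction"].append(
            f"GetCursorPos polled {cursor_polls} times: waits for mouse movement")
    return {k: v for k, v in found.items() if v}


def verdict(findings: dict) -> str:
    """Two or more independent evasion classes is a strong signal."""
    return "likely evasive" if len(findings) >= 2 else "no evasion observed"


# Constructed traces.
EVASIVE_TRACE = [
    {"api": "GetTickCount"},
    {"api": "Sleep", "args": [600_000]},
    {"api": "GetTickCount"},
    {"api": "GetCursorPos"}, {"api": "GetCursorPos"},
    {"api": "RegOpenKeyExA", "args": ["HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"]},
    {"api": "WMI", "args": ["SELECT Manufacturer FROM Win32_ComputerSystem"]},
    {"api": "cpuid", "args": [0x40000000]},
    {"api": "CreateFileA", "args": ["\\\\.\\VBoxGuest"]},
]
BENIGN_TRACE = [
    {"api": "CreateFileA", "args": ["C:\\Users\\user\\report.docx"]},
    {"api": "Sleep", "args": [250]},
]

if __name__ == "__main__":
    for name, t in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        f = classify_trace(t)
        print(name, "->", verdict(f))
        for cls, ev in f.items():
            print(f"  [{cls}] " + "; ".join(ev))
```

The hardening side follows from the same list: patch long sleeps, feed synthetic mouse movement, and scrub the VMware/VirtualBox artifacts the environment-specific checks look for, then re-run the sample and compare traces.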
- What Happens When APTs Advance to Lateral Movement?
http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-happens-when-apts-advance-to-lateral-movement-
- An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. An APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack.
Advanced
Persistent
Mitigation strategies
While APT activities are stealthy and hard to detect,
Agents can
Then a Security Information and Event Management (SIEM) tool can correlate and analyze logs.
While it is challenging to separate noise from legitimate traffic,
Good asset management with documented components of the original Operating System plus software will help IT security analysts detect new files on the system.
Threat
https://en.wikipedia.org/wiki/Advanced_persistent_threat
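The asset-management control the mitigation paragraph describes, as an added example that is not from the article: a baseline manifest (path to SHA-256) is taken from the documented, known-good install, and a later manifest is compared against it to surface added, modified and removed files whether or not any antivirus signature knows them. The directory layout, file contents and the "intrusion" that changes them are constructed in a temporary directory. The baseline must live off the host (or be signed), otherwise the intruder simply updates it.

```python
"""Detect files that were not part of the documented build."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root) -> dict:
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """added = on the box but not in the documented build; modified = same
    path, different content (trojanised binary); removed = e.g. deleted logs."""
    both = set(baseline) & set(current)
    return {
        "added":    sorted(set(current) - set(baseline)),
        "removed":  sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: known-good install, then an intrusion-like change."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        for d in ("bin", "lib", "log"):
            (r / d).mkdir()
        (r / "bin" / "svc.exe").write_bytes(b"legit service build 1.0")
        (r / "lib" / "core.dll").write_bytes(b"legit library build 1.0")
        (r / "log" / "access.log").write_bytes(b"2017-03-01 login ok\n")
        baseline = manifest(r)           # stored off-box at deployment time

        # Later: a dropper lands, a library is trojanised, a log is deleted.
        (r / "bin" / "update.exe").write_bytes(b"dropped: not in the documented build")
        (r / "lib" / "core.dll").write_bytes(b"legit library build 1.0 + implant")
        (r / "log" / "access.log").unlink()
        return diff_manifests(baseline, manifest(r))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

In practice the current manifest is produced by an agent and shipped to the SIEM with the other logs, so that the diff is computed and alerted on centrally rather than on the possibly compromised host.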
- Lateral movement: the key to any attack or escape
http://community.hpe.com/t5/Protect-Your-Assets/Lateral-movement-the-key-to-any-attack-or-escape/ba-p/6759654#
- Lateral Movement
A Critical Opportunity to Detect an In-progress Cyber Attack–
http://www.countertack.com/blog/bid/124216/Lateral-Movement-A-Critical-Opportunity-to-Detect-an-In-progress-Cyber-Attack
- Criminals have strong motives to prevent their malware from being analyzed, which is a mandatory step in performing incident response. The classical model of an executable protection is that of a wrapper around a single executable. At the time of creation, the protector will compress and/or encrypt the contents of the executable’s sections. It will then append a new code section that is responsible for decompressing and/or decrypting the sections when executed, as well as for thwarting attempts at reverse engineering. The executable’s entry point is redirected into this new code (termed the “unpacking stub”), and upon completion, execution is transferred back to the original entry point. The program will subsequently function identically to the original, unprotected executable.
Each assumes that the hidden code from the protected program will be
http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
- At YaraRules Project we want to offer to the Community a new online service: “YaraRules Analyzer”. It allows you to analyze your files on the cloud using the full YaraRules ruleset, so you do not need to install Yara in your local computer and you also make sure to analyze your files against the latest YaraRules ruleset.
- Yara Rules
https://www.cyberbit.net/endpoint-security/open-source-malware-analysis-tools
- Reverse Engineering involves the analysis of malicious files in depth which involves time and cost. It is considered a good practice to observe malware behavior, group them in a signature, and then identify the related infected files. To cut the costs of RE and identifying malware families based on signatures, we can use an open source tool known as YARA.
YARA is a popular tool that provides a robust language, which is compatible with Perl-based Regular Expressions and
https://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/#gref
- This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules.
https://github.com/Yara-Rules/rules
The pattern matching swiss knife for malware researchers
YARA is
https://virustotal.github.io/yara/
- That’s why playing “retro hunting” is also important. I like this name: it comes from a VirusTotal feature that allows the creation of YARA rules and to search backward for samples that match them. Here is an example based on MISP and Splunk. The first step is to export interesting IOC’s like IP addresses, hostnames or hashes from the last day. Export them in CSV format into your Splunk via a simple crontab
Retrohunt: Yara back in time
Create a Yara rule and apply it back in time to the existing dataset
https://www.virustotal.com/#/hunting-overview
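Two points from this page in one added example: the payload-based-signature entry earlier (a legacy one-to-one hash match is defeated by a variant with slight changes, a pattern over the payload is not) and the retrohunt idea just above (apply a rule back in time over samples collected before the rule existed). This is not the YARA engine and not the VirusTotal/MISP/Splunk pipeline from the blog: the matcher is a small YARA-like model with named text/hex strings, `??` byte wildcards and an "N of them" condition, and the corpus, first-seen dates and byte patterns are all constructed here.

```python
"""Payload-based signatures vs. hash matching, plus a retrohunt over a corpus."""
import hashlib
import re
from datetime import date


def compile_pattern(pat):
    """Text patterns are matched literally; hex patterns like '80 F1 ?? 88'
    become regexes where '??' matches any single byte."""
    if isinstance(pat, bytes):
        return re.compile(re.escape(pat), re.DOTALL)
    rx = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                  for tok in pat.split())
    return re.compile(rx, re.DOTALL)


def build_rule(name, strings, required=1):
    """strings: {identifier: pattern}; required: how many of them must match."""
    return {"name": name, "required": required,
            "strings": {sid: compile_pattern(p) for sid, p in strings.items()}}


def match_rule(rule, data):
    """Returns (matched, [identifiers that hit])."""
    hit = [sid for sid, rx in rule["strings"].items() if rx.search(data)]
    return len(hit) >= rule["required"], hit


def legacy_match(sig_hashes, data):
    """The 'static one-to-one match': only an identical file is detected."""
    return hashlib.sha256(data).hexdigest() in sig_hashes


def retrohunt(rule, corpus):
    """corpus: {sha256: (first_seen date, bytes)}. Oldest matches first."""
    found = [(seen, h) for h, (seen, data) in corpus.items()
             if match_rule(rule, data)[0]]
    return sorted(found)


# Constructed family: a byte-XOR decode loop, a mutex name and a C2 path.
def make_sample(xor_key, padding):
    loop = (bytes.fromhex("31c08a0c0880f1") + bytes([xor_key])   # xor cl, KEY
            + bytes.fromhex("880c0840e2f4"))
    return (b"MZ" + padding + loop + b"\x00Global\\_demo_mtx_\x00"
            + b"/gate.php\x00")


ORIGINAL = make_sample(0x4A, b"\x90" * 16)
VARIANT = make_sample(0x7B, b"\x90" * 24)      # new key, new padding: new hash
BENIGN = b"MZ" + b"\x90" * 8 + b"hello, world\x00"

CORPUS = {hashlib.sha256(d).hexdigest(): (seen, d) for seen, d in [
    (date(2017, 1, 3), BENIGN),
    (date(2017, 1, 10), ORIGINAL),
    (date(2017, 2, 2), VARIANT),
]}

LEGACY_SIGS = {hashlib.sha256(ORIGINAL).hexdigest()}   # written for the first sample
FAMILY_RULE = build_rule("demo_family", {
    "$loop":  "31 C0 8A 0C 08 80 F1 ?? 88 0C 08 40 E2",   # key byte wildcarded
    "$mutex": b"Global\\_demo_mtx_",
    "$c2":    b"/gate.php",
}, required=2)

if __name__ == "__main__":
    for name, d in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8s} legacy={legacy_match(LEGACY_SIGS, d)!s:5s} "
              f"rule={match_rule(FAMILY_RULE, d)}")
    print("retrohunt:", [(str(s), h[:12]) for s, h in retrohunt(FAMILY_RULE, CORPUS)])
```

The wildcarded key byte is the whole point: re-keying the decode loop and changing the padding gives the variant a fresh hash that the legacy signature misses, while the rule still fires on two of its three strings. The same rule, run over the corpus, reports both samples in first-seen order, which is what a retrohunt gives you.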
- A Linux Toolkit for Reverse-Engineering and Analyzing Malware
REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
- Medusa is a disassembler designed to be both modular and interactive. It runs on Windows and Linux, it should be the same on OSX. This project is organized as a library. To disassemble a file you have to use medusa_text or Medusa.
- Radare is a portable reversing framework that can:
Disassemble (and assemble for)
Debug with local native and remote debuggers (
Run on Linux, *BSD, Windows, OSX, Android,
Perform forensics on filesystems and data carving
Support collaborative analysis using the embedded
Visualize data structures of several file types
Patch programs to uncover new features or fix vulnerabilities
Use powerful analysis capabilities to speed up reversing
Aid in software exploitation
https://rada.re/r/
- Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications
https://www.hopperapp.com/
- Hiew
physical & logical drive view & edit
support for NE, LE, LX, PE/PE32+, ELF/ELF64(little-
support for
following direct call/
pattern search in disassembler
built-in simple 64bit decrypt/crypt system
built-in powerful 64bit calculator
block operations: read, write, fill, copy, move, insert, delete, crypt
keyboard macros
Hiew
ArmV6 disassembler
http://www.hiew.ru/
- IDA Pro is a disassembler
to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are
assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a
disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced
to the original source code that produced the binary program. The map of the program's code can then be
post-processed for further investigations
IDA Pro is a debugger
Hostile code
The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing to
data that the more powerful static disassembler will
local and as a remote debugger on various platforms, including the ubiquitous 80x86
Windows/Linux
debuggers are
Hostile Code analysis
When
analyze and understand it: it helped the talented
Vulnerability research
IDA Pro is the ideal tool to investigate why software breaks.
COTS validation
IDA provides a convenient means to check if a program really does what it claims to do
Privacy protection
https://www.hex-rays.com/products/ida/ida-executive.pdf
- Viruses
A computer virus is a
Worms
Computer worms are
https://www.cisco.com/c/en/us/about/security-center/virus-differences.html
OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable. OllyDbg is a shareware, but you can download and use it for free.
http://en.wikipedia.org/wiki/OllyDbg
WinDbg
Recent versions of WinDbg have been and are being distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and command line debugger front-ends like KD, CDB, and NTSD.
http://en.wikipedia.org/wiki/WinDbg
- Freeware Hex Editor Neo allows you to view, modify, analyze your hexadecimal data and binary files, edit, exchange data with other applications through the clipboard, insert new data and delete existing data, as well as perform other editing actions.
http://www.hhdsoftware.com/free-hex-editor
- Spyware
Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.
Spyware is mostly classified into four types: system monitors, trojans, adware, and tracking cookies.
Spyware is mostly used for purposes such as tracking and storing internet users' movements on the web and serving up pop-up ads to internet users.
Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.
While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, unauthorized changes in browser settings, or changes to software settings.
http://en.wikipedia.org/wiki/Spyware
This video just explains how to use the netstat command to detect executables on established connections.
"netstat -b" should be used; the -b switch (which shows the executable that owns each connection) needs sufficient permissions, so run it from an elevated command prompt.
http://www.mappingwireless.com/internet-security/how-to-use-netstatexe-to-detect-spywaremalware
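A parser for the `netstat -b -n` listing the video walks through, as an added example that is not from the video. The netstat output below is constructed in the Windows format (a connection line followed by the owning process in square brackets, optionally preceded by the hosting service name for svchost); the parser ties each established connection to its executable and flags anything outside a short allowlist, calling out names that are a near-miss of a system binary. `-n` keeps addresses numeric so name resolution does not stall the listing.

```python
"""Parse netstat -b -n output and flag unexpected executables."""
import difflib
import re

# Constructed netstat -b -n output.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.10:49730     203.0.113.7:8080       ESTABLISHED
 [svchosts.exe]
  TCP    192.168.1.10:49731     198.51.100.9:443       ESTABLISHED
  WinHttpAutoProxySvc
 [svchost.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
"""

ALLOWLIST = {"chrome.exe", "svchost.exe", "outlook.exe", "lsass.exe"}
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text: str) -> list:
    """Returns one {proto, local, remote, state, exe, service} per connection."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"proto": m.group(1), "local": m.group(2),
                          "remote": m.group(3), "state": m.group(4) or "",
                          "exe": None, "service": None})
            continue
        e = EXE_RE.match(line)
        if e and conns:
            conns[-1]["exe"] = e.group(1)          # bracket line closes the entry
        elif (line.strip() and conns and conns[-1]["exe"] is None
              and not line.lstrip().startswith(("Proto", "Active"))):
            conns[-1]["service"] = line.strip()    # service name inside svchost
    return conns


def suspicious(conns: list, allowlist=ALLOWLIST) -> list:
    """Established connections owned by a binary outside the allowlist. A
    near-miss of an allowed name (svchosts.exe vs svchost.exe) is called out."""
    out = []
    for c in conns:
        if c["state"] != "ESTABLISHED" or c["exe"] in allowlist:
            continue
        lookalike = difflib.get_close_matches(c["exe"] or "", allowlist,
                                              n=1, cutoff=0.85)
        reason = f"mimics {lookalike[0]}" if lookalike else "not in allowlist"
        out.append((c["exe"], c["remote"], reason))
    return out


if __name__ == "__main__":
    for exe, remote, reason in suspicious(parse_netstat(NETSTAT_OUTPUT)):
        print(f"{exe:14s} -> {remote:20s} {reason}")
```

An allowlist of process names is only a first cut: a real check also verifies the image path and signature of the flagged binary, since malware is happy to run as a legitimately named process from the wrong directory.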
Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought.
A person may never realize she was the target of elicitation or that she provided meaningful information.
Many competitive business intelligence collectors and foreign intelligence officers are trained in elicitation tactics. Their job is to obtain non-public information.
A business competitor may want information in order to out-compete your company, or a foreign intelligence officer may want insider information or details on US defense technologies.
Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.
Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.
Elicitation can occur anywhere— at social gatherings, at conferences, over the phone, on the street, on the Internet, or in someone’s home.
For example, have you ever planned a surprise party for someone and needed to know their schedule, wish list, food likes and dislikes or other information without that person finding out you were collecting the information or for what purpose?
Why Elicitation Works
Natural tendencies an elicitor may try to exploit include:
A desire to be polite and helpful, even to strangers or new acquaintances
A desire to appear well informed, especially about our profession
A desire to feel appreciated and believe we are contributing to something important
A tendency to expand on a topic when given praise or encouragement; to show off
A tendency to gossip
A tendency to correct others
A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
A tendency to believe others are honest; a disinclination to be suspicious of others
A tendency to answer truthfully when asked an “honest” question
A desire to convert someone to our opinion
For example, you meet someone at a public function and the natural getting-to-know-you questions eventually turn to your work. You never mention the name of your organization. The new person asks questions about job satisfaction at your company, perhaps while complaining about his job. You may think, “He has no idea where I work or what I really do. He’s just making idle chat. There’s no harm in answering.” However, he may know exactly what you do but he relies on his anonymity, your desire to be honest and appear knowledgeable, and your disinclination to be suspicious to get the information he wants. He may be hunting for a disgruntled employee who he can entice to give him insider information.
Techniques
Assumed Knowledge:
Pretend to have knowledge or associations in common with a person. “According to the computer network guys I used to work with…”
Bracketing:
Provide a high and low estimate in order to entice a more specific number. “I assume rates will have to go up soon. I’d guess between five and 15 dollars.” Response: “Probably around seven dollars.”
Can you top this?
Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product that is capable of … ”
Confidential Bait:
Pretend to divulge confidential information in hopes of receiving confidential information in return. “Just between you and me…” “Off the record…”
Deliberate False Statements / Denial of the Obvious:
Say something wrong in the hopes that the person will correct your statement with true information.
Feigned Ignorance:
Pretend to be ignorant of a topic in order to exploit the person’s tendency to educate.
Flattery:
Use praise to coax a person into providing information.
Good Listener:
Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative)
The Leading Question:
Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption.
Macro to Micro:
Start a conversation on the macro level, and then gradually guide the person toward the topic of actual interest.
A good elicitor will then reverse the process, taking the conversation back to macro topics.
Mutual Interest:
Suggest you are similar to a person based on shared interests, hobbies, or experiences, as a way to obtain information or build a rapport before soliciting information.
Oblique Reference:
Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may actually be an attempt to understand the type of access outside vendors have to the facility.
Opposition/Feigned Incredulity:
Indicate disbelief or opposition in order to prompt a person to offer information in defense of their position.
Provocative Statement:
Entice the person to direct a question toward you, in order to set up the rest of the conversation.
Questionnaires and Surveys:
State a benign purpose for the survey.
Quote Reported Facts:
Reference real or false information so the person believes that bit of information is in the public domain.
Ruse Interviews:
Someone pretending to be a headhunter calls and asks about your experience, qualifications, and recent projects.
Volunteering Information / Quid Pro Quo:
Give information in hopes that the person will reciprocate.
Word Repetition:
Repeat core words or concepts to encourage a person to expand on what he/she already said.
Deflecting Elicitation Attempts
You can politely discourage conversation topics and deflect possible elicitations by:
Referring them to public sources (websites, press releases)
Ignoring any question or statement you think is improper and changing the topic
Deflecting a question with one of your own
Responding with “Why do you ask?”
Giving a nondescript answer
Stating that you do not know
Stating that you would have to clear such discussions with your security office
Stating that you cannot discuss the matter
If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.
http://www.fbi.gov/about-us/investigate/counterintelligence/elicitation-techniques
An introduction to detecting and deterring an insider spy
Personal Factors
Greed or Financial Need: A belief that money can fix anything. Excessive debt or overwhelming expenses.
Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.
Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff.
Ideology/Identification: A desire to help the “underdog” or a particular cause.
Divided Loyalty: Allegiance to another person or company, or to a country besides the United States.
Adventure/Thrill: Want to add excitement to their life, intrigued by the clandestine activity, “James Bond Wannabe.”
Vulnerability to blackmail: Extra-marital affairs, gambling, fraud.
Ego/Self-image: An “above the rules” attitude, or desire to repair wounds to their self-esteem. Vulnerability to flattery or the promise of a better job. Often coupled with Anger/Revenge or Adventure/Thrill.
Ingratiation: A desire to please or win the approval of someone who could benefit from insider information with the expectation of returned favors.
Compulsive and destructive behavior: Drug or alcohol abuse, or other addictive behaviors.
Family problems: Marital conflicts or separation from loved ones.
Organizational Factors
The availability and ease of acquiring proprietary, classified, or other protected materials. Providing access privileges to those who do not need it.
Behavioral Indicators
Some behaviors may be a clue that an employee is spying and/or methodically stealing from the organization:
http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks
There are a few subtle signs that spyware has been installed on your cell phone.
Notice if your phone lights up when you’re not using it to make or receive a call or access any of the phone’s apps. Spyware has to “call” your phone to get information.
Note any strange background noises or clicks when you’re on a call.
Notice an increase in GPRS activity. This indicates spyware is tracking your location.
Check your phone bill closely. Notice whether it lists more text messages than you remember sending or calls you did not make.
Ask anyone who may have borrowed your phone whether they installed any software, wallpapers or ringtones.
Tips & Warnings
Use an anti-virus software on your phone to detect and remove viruses or spyware.
Take your phone to your service provider, who can erase the phone’s memory and restore the factory default settings.
You’ll lose all your data, but the spyware will be eliminated.
Make a hard copy of any information in your phone that you wish to retain.
Do not give your cell phone number to strangers or post it on the Internet.
Spyware can be installed on your phone from a remote location simply by calling it.
If you let a stranger borrow your phone to make an “emergency” call before you noticed any of these signs, the number they called most likely installed spyware on your phone.
This is commonly used to set up a program to send large numbers of text messages to your phone for which you are charged.
http://www.ehow.com/how_4826956_detect-spyware-cell-phone.html#ixzz2MfR4Vj46
Ramnit is malware that’s infecting PCs running Microsoft Windows. When a PC has been infected, the malware will disable a series of Windows security features (Windows Defender, Windows Firewall, User Account Control) and Windows Update, and remove the ability to install other antivirus software.
http://windows.microsoft.com/en-us/windows/detect-remove-ramnit-virus
SpyEye was written in C++ and the size of the compiled binary is 60 KB; the operating systems supported are from Windows 2000 to the recent Windows 7, and it works in ring3 mode (same as the Zeus Trojan). It is sold as undetected by most Antivirus Software and it is invisible to the task manager and other user-mode applications; it hides its files from regular explorer searches and it also hides its registry keys.
http://thehackernews.com/2011/08/spyeye-1345-download-loader-source-code.html
ZeuS , or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.
https://en.wikipedia.org/wiki/Zeus_(malware)
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics#CP_CaseStudy_2
https://null-byte.wonderhowto.com/how-to/security-oriented-c-tutorial-0xfb-simple-crypter-0168089/
The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
https://www.fireeye.com/blog/threat-research/2013/08/pivy-assessing-damage-and-extracting-intel.html
trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.
http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
kits target software such as Adobe Flash, Java, Microsoft Silverlight, Internet Explorer - software that are commonly installed and used in most PCs. Computers using outdated software/applications are at high risk.
https://www.trendmicro.com/vinfo/us/security/definition/Exploit-Kit
Kilim is distributed in executable files that use names such as "flashplayer ", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program.
https://www.f-secure .com/v-descs/trojan_js_kilim.shtml
upto version xp sp3.
http://www.binarytides.com/hack-windows-xp-metasploit
http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/web-attack/137/watering-hole-101
Malware analysis involves two key techniques: static analysis and dynamic analysis.
Static analysis examines malware without actually running it. Dynamic analysis (also known as behavior analysis) executes malware in a controlled and monitored environment to observe its behavior
Basic Static Analysis
Basic static analysis examines malware without viewing the actual code or instructions. It employs different tools and techniques to quickly determine whether a file is malicious or not, provide information about its functionality and collect technical indicators to produce simple signatures. Technical indicators gathered with basic static analysis can include file name, MD5 checksums or hashes, file type, file size and recognition by antivirus detection tools.
Basic Dynamic Analysis
Basic dynamic analysis actually runs malware to observe its behavior, understand its functionality and identify technical indicators which can be used in detection signatures. Technical indicators revealed with basic dynamic analysis can include domain names, IP addresses, file path locations, registry keys, additional files located on the system or network.
Additionally, it will identify communication with an attacker-controlled external server for command and control purposes or in an attempt to download additional malware files.
Basic analysis can be thought of as what most automated sandboxes or dynamic malware analysis engines do today
https://technical.nttsecurity.com/post/102efk4/detecting-malware-through-static-and-dynamic-techniques
- Spyware
Whenever spyware
While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any
http://en.wikipedia.org/wiki/Spyware
- How to: Use NETSTAT.EXE to detect spyware/malware.
This video just explains how to use
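An added example, not code from the video above: a small Python script that triages a saved `netstat -ano` listing (Windows column layout) for listening ports you did not expect and for established sessions to peers outside your own address space. The listing, PIDs and addresses are constructed for the example; the expected-listener set and the internal ranges are assumptions to adjust per host. Keep in mind that netstat is itself a user-mode tool, so a ring-3 rootkit of the kind the SpyEye entry below describes can hide its sockets from it; corroborate with a network capture or firewall logs.

```python
# Added example (not from the linked video): triage a captured `netstat -ano`
# listing from Windows. Sample output, PIDs and addresses are constructed.
import ipaddress
import re
from collections import defaultdict

# Columns of `netstat -ano`: Proto  Local Address  Foreign Address  State  PID
# UDP rows carry no State column, so that group is optional.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:49713     198.51.100.77:8080     ESTABLISHED     5120
  TCP    192.168.1.10:49714     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Ranges treated as "ours": RFC 1918, loopback, link-local, unspecified.
# Assumption: the TEST-NET addresses in the sample count as external.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

EXPECTED_LISTENERS = frozenset({135, 139, 445, 3389})  # assumption: tune per host role

def split_endpoint(endpoint):
    """'host:port' or '[v6]:port' -> (host, port); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return rows

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a name
    return not any(ip in net for net in _INTERNAL)

def suspicious(rows, expected_listeners=EXPECTED_LISTENERS):
    """Unexpected listeners and established sessions to external peers."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in expected_listeners:
            findings.append(("unexpected-listener", r["lport"], r["pid"]))
        elif r["state"] == "ESTABLISHED" and is_external(r["fhost"]):
            findings.append(("external-peer", f'{r["fhost"]}:{r["fport"]}', r["pid"]))
    return findings

def by_pid(findings):
    """Group by PID; the next step is `tasklist /FI "PID eq <pid>"` for each one."""
    grouped = defaultdict(list)
    for kind, detail, pid in findings:
        grouped[pid].append((kind, detail))
    return dict(grouped)

if __name__ == "__main__":
    for pid, items in by_pid(suspicious(parse_netstat(SAMPLE_NETSTAT))).items():
        print(pid, items)
```

In the sample, PID 5120 both listens on an unusual port and talks to an external host on 8080, which is the process to look up first. A session to an external address on 443 (PID 4120 here) is what a browser looks like too, so the output is a review list, not a verdict.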
- Elicitation Techniques
Elicitation is a technique used
A person may never realize she was the target of elicitation or that she provided meaningful information
A business competitor may want information
Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.
Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.
Elicitation can occur anywhere
For example, have you ever planned a surprise party for someone and needed to know their schedule,
Why Elicitation Works
Natural tendencies an elicitor may try to exploit include:
A desire to be polite and helpful, even to strangers or new acquaintances
A desire to appear well informed, especially about our profession
A desire to feel appreciated and believe we are contributing to something important
A tendency to expand on a topic when given praise or encouragement; to show off
A tendency to gossip
A tendency to correct others
A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could
A tendency to believe others are honest; a disinclination to
A tendency to answer truthfully when asked an “honest” question
A desire to convert someone to our opinion
For example, you meet someone at a public function and the natural getting-to-know-you
Techniques
Assumed Knowledge:
Pretend to have knowledge or associations in common with a person.
Bracketing:
Provide a high and low estimate
Can You Top This?:
Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product
Confidential Bait:
Pretend to divulge confidential information
Deliberate False Statements / Denial of the Obvious:
Say something wrong
Feigned Ignorance:
Pretend to be ignorant of a topic
Flattery:
Use praise to coax a person into providing information
Good Listener:
Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative)
The Leading Question:
Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption
Macro to Micro:
Start a conversation on the macro level, and then gradually guide the person toward
A good elicitor will then reverse the process, taking the conversation back to macro topics.
Mutual Interest:
Suggest you are
Oblique Reference:
Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may
facility.
Opposition/Feigned Incredulity:
Provocative Statement:
Entice the person to direct a question toward you,
Questionnaires and Surveys:
State a benign purpose for the survey.
Quote Reported Facts:
Reference real or false information so the person believes that bit of information is in the public domain
Ruse Interviews:
Someone
Volunteering Information /
Give information
Word Repetition:
Repeat core words or concepts to encourage a person to expand on what he/she already said
Deflecting Elicitation Attempts
You can politely discourage conversation topics and deflect
Referring them to public sources (websites, press releases)
Ignoring any question or statement you think is improper and changing the topic
Deflecting a question with one of your own
Responding with “Why do you ask?”
Giving a nondescript answer
Stating that you do not know
Stating that you would have to clear such discussions with your security office
Stating that you cannot discuss the matter
If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.
http://www.fbi.gov/about-us/investigate/counterintelligence/elicitation-techniques
- The Insider Threat
An introduction to detecting and deterring an insider spy
Personal Factors
Greed or Financial Need: A belief that money can fix anything. Excessive debt or overwhelming expenses.
Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.
Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff.
Ideology/Identification: A desire to help the “underdog” or a particular cause.
Divided Loyalty: Allegiance to another person or company, or to a country besides the United States.
Adventure/Thrill: Want to add excitement to their life, intrigued by the clandestine activity, “James Bond Wannabe.”
Vulnerability to blackmail: Extra-marital affairs, gambling, fraud.
Ego/Self-image: An “above the rules” attitude, or desire to repair wounds to their self-esteem. Vulnerability to flattery or the promise of a better job. Often coupled with Anger/Revenge or Adventure/Thrill.
Ingratiation: A desire to please or win the approval of someone who could
Compulsive and destructive behavior: Drug or alcohol abuse, or other addictive behaviors.
Family problems: Marital conflicts or separation from
Organizational Factors
The availability and ease of
Behavioral Indicators
Some behaviors may be a clue that an employee is spying and/or methodically stealing from the organization:
http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
- Internet Social Networking Risks
http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks
- How to Detect Spyware on a Cell Phone
There are a few subtle signs that
Notice if your phone lights up when you’re not using it to make or receive a call or access any of the phone’s apps. Spyware has to “call” your phone to get information.
Note any strange background noises or clicks when you’re on a call.
Notice an increase in GPRS activity. This
Check your phone bill closely. Notice whether it lists more text messages than you remember sending or calls you did not make.
Ask anyone who may have borrowed your phone whether they installed any software, wallpapers or ringtones.
Tips & Warnings
Use an anti-virus software on your phone to detect and remove viruses or spyware
Take your phone to your service provider, who can erase the phone’s memory and restore the factory default settings.
You’ll lose all your data, but
Make a hard copy of any information in your phone
Do not give your cell phone number
Spyware can
If you let a stranger borrow your phone to make an “emergency” call before you noticed any of these signs, that is the most likely moment the spyware was installed; keep a note of the number they called.
http://www.ehow.com/how_4826956_detect-spyware-cell-phone.html
- How to detect and remove Ramnit
http://windows.microsoft.com/en-us/windows/detect-remove-ramnit-virus
- SpyEye
SpyEye is written in C++; the compiled binary is about 60 KB and it supports Windows 2000 through Windows 7. It runs in ring 3 (user mode, the same as the Zeus Trojan). It is sold as undetected by most antivirus software: it is invisible to Task Manager and other user-mode applications, hides its files from ordinary Explorer searches, and hides its registry keys. Because the hiding is done in user mode, by hooking the APIs those tools call, the files and keys remain visible to a kernel-mode tool or to an offline examination of the disk.
http://thehackernews.com/2011/08/spyeye-1345-download-loader-source-code.html
- Zeus
ZeuS, or Zbot, is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.
https://en.wikipedia.org/wiki/Zeus_(malware)
- Advanced Threat Analytics (ATA)
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics#CP_CaseStudy_2
- Crypters are computer applications which are solely used to bypass the antivirus detection of malware. Hackers use crypters to hide viruses, Trojans, RATs, keyloggers and other hack tools inside a new executable whose sole purpose is to keep the original from being detected by antivirus.
- A crypter is a program which is used to assist malware with evading antivirus signature-based detection. It applies an obfuscation method to the malware so that the antivirus cannot successfully match it with any signature, then outputs a seemingly "harmless" file called the stub. Once the stub is opened by the victim, it decrypts the malware and executes it. The stub has to carry both the decryption routine and the key, or it could not run the body, so the protection is only against a static one-to-one match: a scanner that recognises the stub, flags the high-entropy encrypted body, or lets the stub run in a sandbox sees the original malware again.
https://null-byte.wonderhowto.com/how-to/security-oriented-c-tutorial-0xfb-simple-crypter-0168089/
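An added example, not the tutorial's code: a toy crypter in Python and the three checks a scanner can still run on its output. The "payload" is just bytes constructed for the example, the stub container format (STUB, key length, key, body) is invented here, and SHA-256 in counter mode stands in for the stream cipher a real crypter would use.

```python
# Added example (not the tutorial's code): toy crypter plus the checks that
# still catch its output. Payload bytes, container format and key are all
# constructed for the example.
import hashlib
import math
from collections import Counter

PAYLOAD = (b"MZ\x90\x00" + b"cmd.exe /c net user backdoor P@ss /add\r\n" * 20).ljust(1024, b"\x00")
SIGNATURE = b"net user backdoor"   # a legacy static signature: a fixed byte pattern

def keystream(key, length):
    """SHA-256 in counter mode; a stand-in for RC4/AES in a real crypter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def crypt(data, key):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_stub(payload, key):
    """Crypter side: the stub must carry the key, or it could not run the body."""
    return b"STUB" + bytes([len(key)]) + key + crypt(payload, key)

def run_stub(stub):
    """What the stub does when opened: decrypt the body (here it is returned, not run)."""
    if stub[:4] != b"STUB":
        raise ValueError("not a stub")
    klen = stub[4]
    key = stub[5:5 + klen]
    return crypt(stub[5 + klen:], key)

def shannon_entropy(data):
    """Bits per byte; plain code and text sit well below 7, encrypted data near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(blob, entropy_threshold=7.0):
    """Three views of one file: raw signature match, entropy of the body, and the
    signature match after unpacking the stub (what a sandbox gets by running it)."""
    is_stub = blob[:4] == b"STUB"
    body = blob[5 + blob[4]:] if is_stub else blob
    return {
        "raw_signature": SIGNATURE in blob,
        "high_entropy": shannon_entropy(body) > entropy_threshold,
        "unpacked_signature": SIGNATURE in (run_stub(blob) if is_stub else blob),
    }

if __name__ == "__main__":
    stub = build_stub(PAYLOAD, b"example-key")   # arbitrary example key
    print("plain:", scan(PAYLOAD))
    print("stub: ", scan(stub))
```

The raw signature disappears after crypting, which is the whole point of the crypter, but the body's entropy jumps above 7 bits per byte and the unpacked body matches again. That is why modern scanners pair static signatures with heuristics on packed sections and with emulation or sandboxing, as the malware analysis entry further down describes.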
- Poison Ivy: Assessing Damage and Extracting Intelligence
The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on. (In Poison Ivy's terminology the "server" is the implant that runs on the victim and the "client" is the attacker's console.)
The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
https://www.fireeye.com/blog/threat-research/2013/08/pivy-assessing-damage-and-extracting-intel.html
- Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth.
- Gh0st RAT: Complete Malware Analysis – Part 1
http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/
- Superfish
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/
- The company has been preloading Superfish, a "visual search" tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake. The forged certificates raise no browser warning because Superfish also installs its own root certificate in the Windows trusted store; removing the adware without removing that root certificate leaves the machine exposed.
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
- Exploit Kit
Exploit kits target software such as Adobe Flash, Java, Microsoft Silverlight and Internet Explorer, software that is commonly installed and used on most PCs. Computers running outdated software/applications are at high risk.
https://www.trendmicro.com/vinfo/us/security/definition/Exploit-Kit
- to lure users into clicking a URL that points to sites hosting Blackhole Exploit Kit.
- An exploit kit, sometimes called an exploit pack, is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.
- Trojan:JS/Kilim is a family of malicious browser extensions that post unauthorized content to the user's Facebook Wall. Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program.
https://www.f-secure.com/v-descs/trojan_js_kilim.shtml
- SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is copied and run on the newly-infected host.
- In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
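An added example, not from the advisory quoted above: Python detection logic for the two behaviours the SMB worm entry describes, run over constructed data. The log lines imitate a Windows Security log export as "time, event ID, logon type, source IP, account" (4625 is a failed logon, 4624 a successful one, logon type 3 a network logon, which is what an SMB session produces); the beacon timestamps are constructed as well, and the thresholds are assumptions to tune.

```python
# Added example (not from the referenced advisory): SMB password guessing and
# five-minute beaconing, detected over constructed log data.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

SAMPLE_EVENTS = """\
2014-11-24T03:12:01 4625 3 10.0.0.5 administrator
2014-11-24T03:12:02 4625 3 10.0.0.5 administrator
2014-11-24T03:12:02 4625 3 10.0.0.5 admin
2014-11-24T03:12:03 4625 3 10.0.0.5 backup
2014-11-24T03:12:04 4625 3 10.0.0.5 administrator
2014-11-24T03:12:05 4625 3 10.0.0.5 administrator
2014-11-24T03:12:10 4624 3 10.0.0.5 administrator
2014-11-24T03:13:00 4625 3 10.0.0.9 jsmith
2014-11-24T03:13:20 4625 3 10.0.0.9 jsmith
2014-11-24T03:13:35 4624 3 10.0.0.9 jsmith
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src, user))
    return events

def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """One alert when a source reaches `threshold` network-logon failures inside
    `window`, and one when that source then logs on successfully: the moment the
    worm copies itself to the newly guessed host."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != 3:
            continue  # console and service logons are a different story
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ts))
        elif event_id == 4624 and src in flagged:
            alerts.append(("bruteforce-success", src, ts, user))
    return alerts

def beacon_period(timestamps, jitter=0.05, min_intervals=4, min_period=30):
    """Interval in seconds if the connections recur at a fixed period (within
    +/- jitter), else None. The worm above would show about 300."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_intervals:
        return None
    period = median(gaps)
    if period < min_period or any(abs(g - period) > jitter * period for g in gaps):
        return None
    return period

def _times(*stamps):
    return [datetime.fromisoformat(s) for s in stamps]

# Constructed outbound-connection times from one host to one destination.
BEACON_TIMES = _times("2014-11-24T03:15:00", "2014-11-24T03:20:00", "2014-11-24T03:25:01",
                      "2014-11-24T03:30:00", "2014-11-24T03:34:59")
BROWSING_TIMES = _times("2014-11-24T03:15:00", "2014-11-24T03:15:07", "2014-11-24T03:16:40",
                        "2014-11-24T03:22:03", "2014-11-24T03:22:05")

if __name__ == "__main__":
    for alert in detect_smb_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
    print("beacon period:", beacon_period(BEACON_TIMES), beacon_period(BROWSING_TIMES))
```

The source 10.0.0.9 fails twice and then logs on, which is what a mistyped password looks like and stays below the threshold; 10.0.0.5 tries several accounts in a few seconds and then succeeds, which is the propagation pattern described above. The beacon check keys on the regularity of the interval, not its value, so it also catches a tool that phones home every 90 seconds.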
- Hack Windows XP with Metasploit (the walkthrough applies up to Windows XP SP3)
http://www.binarytides.com/hack-windows-xp-metasploit
- Remote Access Trojans (RATs) provide cybercriminals with unlimited access to infected endpoints.
- A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program, such as a game, or sent as an email attachment.
- Watering Hole is a computer attack strategy identified in 2012 by RSA Security, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
- In a watering hole attack scenario, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection.
http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/web-attack/137/watering-hole-101
- Detecting malware through static and dynamic techniques
Malware analysis involves two key techniques: static analysis and dynamic analysis.
Static analysis examines malware without actually running it. Dynamic analysis (also known as behavior analysis) executes malware in a controlled and monitored environment to observe its behavior.
Basic Static Analysis
Basic static analysis examines malware without viewing the actual code or instructions. It employs different tools and techniques to quickly determine whether a file is malicious or not, provide information about its functionality and collect technical indicators to produce simple signatures. Technical indicators gathered with basic static analysis can include file name, MD5 checksums or hashes, file type, file size and recognition by antivirus detection tools. MD5 is still the hash many threat feeds are keyed on, but it is collision-prone, so record SHA-256 alongside it when building indicators.
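An added example, not from the linked post: the basic static triage the paragraph describes, written in Python and run on a constructed file. The bytes imitate a PE header (MZ stub, e_lfanew, "PE\0\0" and the COFF header) followed by a few embedded strings; they are not a real executable, and the URL, address and registry path in them are made up for the example.

```python
# Added example (not from the linked post): basic static triage of a
# constructed file: hashes, type by magic bytes, PE header walk, strings, IOCs.
import hashlib
import re
import struct
from datetime import datetime, timezone

def build_sample():
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to e_lfanew at 0x3C
    hdr += struct.pack("<I", 0x80)                     # e_lfanew: PE header lives at 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + struct.pack("<HHI", 0x014C, 3, 0x5418E0F0)  # i386, 3 sections, TimeDateStamp
    body = (b"\x00" * 40
            + b"http://update.example.test/payload.bin\x00"
            + b"cmd.exe /c net user backdoor P@ss /add\x00"
            + b"198.51.100.77\x00"
            + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    return bytes(hdr) + body

SAMPLE_FILE = build_sample()   # constructed; not a runnable executable

MAGIC = [(b"MZ", "PE/DOS executable"), (b"\x7fELF", "ELF"), (b"%PDF", "PDF"),
         (b"PK\x03\x04", "ZIP/OOXML/JAR"), (b"\xd0\xcf\x11\xe0", "OLE2 (legacy Office)")]

def file_type(data):
    """Identify by magic bytes, never by extension."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def hashes(data):
    # MD5 for matching older feeds; SHA-256 is the one to key new indicators on.
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def pe_header(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header; None if the chain breaks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if off + 24 > len(data) or data[off:off + 4] != b"PE\x00\x00":
        return None
    machine, sections, stamp = struct.unpack_from("<HHI", data, off + 4)
    return {"machine": hex(machine), "sections": sections,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat()}

def strings(data, min_len=4):
    """Printable ASCII runs, the same thing `strings` prints."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HK[A-Z_]+\\)?SOFTWARE\\[^\s\"]+", re.IGNORECASE),
}

def triage(data):
    found = strings(data)
    iocs = {name: sorted({m for s in found for m in pat.findall(s)})
            for name, pat in IOC_PATTERNS.items()}
    return {"size": len(data), "type": file_type(data), **hashes(data),
            "pe": pe_header(data), "iocs": iocs, "strings": found}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

The compile timestamp is worth recording because a packer or a forged value (a date in the future, or 1970) is itself an indicator, and the strings alone already give a URL, an address and a Run key to pivot on before anything is executed.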
Basic Dynamic Analysis
Basic dynamic analysis actually runs malware to observe its behavior, understand its functionality and identify technical indicators which can be used in detection signatures. Technical indicators revealed with basic dynamic analysis can include domain names, IP addresses, file path locations, registry keys, additional files located on the system or network.
Additionally, it will identify communication with an attacker-controlled external server for command and control purposes or in an attempt to download additional malware files.
Basic analysis can be thought of as what most automated sandboxes or dynamic malware analysis engines do today.
https://technical.nttsecurity.com/post/102efk4/detecting-malware-through-static-and-dynamic-techniques
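An added example, not from the linked post: turning a sandbox behaviour trace into the indicators the basic dynamic analysis paragraph lists (dropped files, registry keys, domains, addresses, URLs, child processes) and the behaviours they imply. The trace is constructed to look like a simplified API log, "time pid api arguments"; the paths, host name and address in it are made up.

```python
# Added example (not from the linked post): extract indicators and behaviours
# from a constructed sandbox API trace.
import re
from collections import defaultdict

SAMPLE_TRACE = r"""
00:00:01.204 1337 CreateFileW C:\Users\victim\AppData\Roaming\svchost32.exe
00:00:01.310 1337 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\victim\AppData\Roaming\svchost32.exe
00:00:02.001 1337 DnsQuery_W update.example.test
00:00:02.050 1337 connect 198.51.100.77:8080
00:00:07.200 1337 InternetReadFile http://update.example.test/stage2.bin
00:00:09.900 1337 CreateProcessW C:\Users\victim\AppData\Roaming\stage2.exe
00:00:10.100 4321 CreateFileW C:\Windows\Temp\tmp1.log
"""

_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
EXECUTABLE = (".exe", ".dll", ".scr")

def parse_trace(text):
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            t, pid, api, args = m.groups()
            events.append((t, int(pid), api, args))
    return events

def extract(events):
    """Indicators by category plus the behaviours they imply."""
    iocs = defaultdict(set)
    behaviours = set()
    for _, pid, api, args in events:
        low = args.lower()
        if api.startswith("CreateFile") and low.startswith(USER_WRITABLE) and low.endswith(EXECUTABLE):
            iocs["file"].add(args)
            behaviours.add("drops-executable")
        elif api.startswith("RegSetValueEx"):
            key, _, _value = args.partition(" = ")
            iocs["registry"].add(key)
            if RUN_KEY.search(key):
                behaviours.add("persistence-run-key")
        elif api.startswith("DnsQuery"):
            iocs["domain"].add(args)
        elif api == "connect":
            iocs["ip_port"].add(args)
            behaviours.add("outbound-connection")
        elif api.startswith("Internet"):
            iocs["url"].add(args)
            behaviours.add("downloads-file")
        elif api.startswith("CreateProcess"):
            iocs["child_process"].add(args)
    return {k: sorted(v) for k, v in iocs.items()}, sorted(behaviours)

def c2_candidates(events, max_gap=2.0):
    """Pair each DNS query with a connect from the same PID within max_gap seconds,
    which ties the resolved name to the address actually contacted."""
    def secs(t):
        h, m, s = t.split(":")
        return int(h) * 3600 + int(m) * 60 + float(s)
    pairs = []
    last_dns = {}
    for t, pid, api, args in events:
        if api.startswith("DnsQuery"):
            last_dns[pid] = (secs(t), args)
        elif api == "connect" and pid in last_dns:
            when, name = last_dns[pid]
            if secs(t) - when <= max_gap:
                pairs.append((name, args))
    return pairs

if __name__ == "__main__":
    events = parse_trace(SAMPLE_TRACE)
    iocs, behaviours = extract(events)
    print(iocs)
    print(behaviours, c2_candidates(events))
```

The PID 4321 line is there as noise: a log written to a temp directory is normal and produces no indicator, whereas an executable written to a user-writable path and then registered under a Run key is the persistence pattern a sandbox report should surface first.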