An artifact is one or more files that accomplish a single task or have a well-defined purpose.
Soft evidence (e.g., algorithms, descriptions, partial artifacts, network traces, etc.)
The study of Internet attack technology, otherwise known as malicious code, or “malware”
Etc.
In computer security, the payload is the part of malware, such as a worm or virus, that performs the malicious action: deleting data, sending spam, or encrypting data. In addition to the payload, such malware typically also has overhead code aimed at spreading itself or avoiding detection.
rather than attributes, such as a hash, allowing them to identify and block altered malware
signatures based on easily changed variables like a hash, file name, or URL to identify and prevent known malware from infecting systems. With this kind of signature, identifying a threat requires essentially a one-to-one match against the specific variables the signature is looking for.
Malware authors can now easily create thousands of variants of existing malware containing only slight changes. As legacy signatures require a static one-to-one match for each unique file, these slight changes allow the malware to go undetected.
, resulting in an entirely new hash or other small change, payload-based signatures
as a new unknown threat.
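A worked illustration of the point above, added here (it is not code from the page's sources): the two byte strings stand in for a known sample and a one-byte variant of it, the pattern names and the 2-of-3 condition are this example's own choices, and the "samples" are constructed, not real malware. The hash signature stops matching after a single bit flip in the build tag, while patterns over the parts an author cannot cheaply change (the API names, the C2 gate path, a short code sequence with a wildcard byte) still fire.

```python
"""Hash signatures break on a one-byte change; content signatures survive it.

Added example with constructed byte strings standing in for a known sample
and a repacked variant; nothing here is real malware."""
import hashlib
import re

# Constructed stand-in for a known sample: fake header, two imported API
# names, a C2 URL, a short stable code sequence and a build tag.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"CreateRemoteThread\0WriteProcessMemory\0"
    + b"http://c2.example.invalid/gate.php\0"
    + b"\x55\x8b\xec\x83\xec\x10\x31\xc0"   # push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax
    + b"BUILD=1\0"
)


def mutate(sample: bytes, offset: int) -> bytes:
    """Return a copy of sample with the low bit flipped at offset."""
    out = bytearray(sample)
    out[offset] ^= 0x01
    return bytes(out)


# Legacy signature: the exact SHA-256 of the sample seen before.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}


def match_hash(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


# Content signature: independent patterns over the parts an author cannot
# cheaply change. The byte after "sub esp," is a wildcard because the frame
# size differs between builds; the C2 host is a character class because
# domains rotate while the gate path tends to stay.
PATTERNS = {
    "api_injection": re.compile(rb"CreateRemoteThread\0WriteProcessMemory"),
    "c2_gate": re.compile(rb"https?://[a-z0-9.\-]+/gate\.php"),
    "prologue": re.compile(rb"\x55\x8b\xec\x83\xec.\x31\xc0", re.DOTALL),
}


def match_content(sample: bytes, min_hits: int = 2):
    """YARA-style condition '2 of them': fire when at least min_hits patterns match."""
    hits = [name for name, pat in PATTERNS.items() if pat.search(sample)]
    return len(hits) >= min_hits, hits


if __name__ == "__main__":
    variant = mutate(ORIGINAL, len(ORIGINAL) - 2)   # BUILD=1 becomes BUILD=0
    print("hash signature, original:", match_hash(ORIGINAL))
    print("hash signature, variant :", match_hash(variant))
    print("content rule, variant   :", match_content(variant))
```

The threshold matters: a variant that breaks one pattern (a renamed import, say) still trips the rule on the other two, which is why a content rule lists several independent patterns rather than one long exact string.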
as a specific example of virtualization.
A sandbox is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.
The concept of the sandbox (sometimes also called a working directory, a test server or development server) is typically built into revision control software such as CVS and Subversion (SVN), in which developers "check out" a copy of the source code tree, or a branch thereof, to examine and work on. Only after the developer has (hopefully) fully tested the code changes in their own sandbox should the changes
Configuration-specific — sleep calls, time triggers, fast flux, and process hiding
http://www.drchaos.com/malware-sandbox-and-breach-detection-evasion-techniques
For example, suppose you get an email message with a virus that presents itself as an attachment called
.exe. Suppose you don't know this is a virus. You click the attachment, and it delivers the best joke ever, but it also secretly installs malicious software.
to the sandbox. These changes will disappear in their entirety as soon as you delete the sandbox.
Joe Sandbox Mail integrates into Microsoft Outlook as a new Ribbon; with a simple click of the “analyze” button, the e-Mail attachments are sent to Joe Sandbox Cloud, Joe Sandbox Desktop, Joe Sandbox Complete or Joe Sandbox Ultimate to analyze potentially malicious e-Mail attachments (any file type) in one click.
http://www.pcadvisor.co.uk/how-to/security/test-downloads-files-with-sandbox-3407128/
https://www.websense.com/content/support/library/email/hosted/admin_guide/email_threat_analysis.aspx
Python" would let you permit or forbid modules, limit execution slices, permit or deny network traffic, constrain filesystem access to a particular directory (floated as "/"), and so on.
and noted on his blog.
are in place. After he identifies and quarantines these systems, John needs to find out how these systems became infected and whether other assets
.
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qif_ug_artifact_an_ov.html
Malware analysis is a process that uses various tools and techniques to determine how malicious code works. Unfortunately, there is no single algorithm to
. Various
or analysis of disassembled code.
his or her own favorite techniques and preferred tools.
The goal of this analysis is to gather information about potential malware functionality and any characteristic file features
in a controlled environment to observe what changes it makes to the operating system
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/artifact-analysis-fundamentals-handbook
Malware analysis is a process or technique of determining the origin and potential impact of a specified malware sample.
Malware can be anything that looks or acts malicious, such as a virus, worm, bug, Trojan, spyware, adware, etc.
as a malware.
running the code. Static analysis
by determining the signature of the binary file, which uniquely identifies that file, and can
by calculating the cryptographic hash of the file and understanding each component.
-engineered by loading the executable into a disassembler such as IDA. The machine-executable code can
.
Dynamic analysis involves running the malware sample and observing its behavior on the system
to remove the infection or stop it from spreading into other systems. The system
thoroughly without the risk of damage to your system.
http://www.differencebetween.net/technology/difference-between-static-malware-analysis-and-dynamic-malware-analysis/
Static analysis tools
PEiD
Exeinfo PE
PEview
CFF Explorer
Resource Hacker
BinText
UPX
Dynamic analysis tools
Process Explorer
Process Monitor
Regshot
GMER
Network analysis tools
Tcpdump
Wireshark
Mitmproxy
INetSim
Automatic analysis tools
Cuckoo Sandbox
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/artifact-analysis-fundamentals-handbook
- Cuckoo Sandbox is a malware analysis system.
In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will give you back detailed results outlining what that file did when executed inside an isolated environment.
Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.
https://cuckoosandbox.org/
- CuckooMX: Automating Email Attachments Scanning with Cuckoo
Today, classic anti-virus protections are not reliable enough to protect against modern malware. To understand it better and, if possible, block it, it’s best to execute the code in a safe environment and analyze its behavior: does it create new processes or files, are outbound connections made to suspicious domains or IP addresses, does it implement hooks? This method of performing malware analysis in a sandbox is more and more common.
https://blog.rootshell.be/2012/06/20/cuckoomx-automating-email-attachments-scanning-with-cuckoo/
- CuckooMX is a project to automate the analysis of files transmitted over SMTP (using the Cuckoo sandbox)
https://github.com/xme/cuckoomx
- One Flew Over the Cuckoo’s Nest
http://conference.hitb.org/hitbsecconf2012ams/materials/D1T1%20-%20Claudio%20Guarnieri%20-%20One%20Flew%20Over%20the%20Cuckoos%20Nest.pdf
- Delete VMDK Files Securely
To help prevent sensitive data in VMDK files from being read off the physical disk after it is deleted, write zeros to the entire contents of a VMDK file ("zero out") before you delete it, overwriting the sensitive data. When you zero out a file, it is more difficult for someone to reconstruct the contents.
https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-A9EA80D8-9D7A-48CB-9109-992782C88EA7.html
- The partition is deleted and the space returned to the pool to be used by another virtual machine. This means the next time someone buys a virtual machine on the same host, some of the blocks that made up your filesystem could end up making up their filesystem. The metadata will be wiped clean when the filesystem is formatted, of course, so they won’t just see your files listed, but the blocks can still contain your data. It depends on how they’re managing their disks. Go buy a virtual machine somewhere and pipe the contents of your new disk through the strings command and look out for anything that isn’t yours (ssh root@newmachine "dd if=/dev/sda1 bs=1M | strings").
you’re probably careful and securely wipe your sensitive data before you leave. But disk space is virtualized too. The blocks that make up your disk might not all be in order or even all be on the same disk. With snapshots, your data may exist in duplicate too, in places you can’t even access. What about if you bought extra disk space, then removed it?
All virtual machine disks are wiped at the block level when the machine is deleted or when a new machine is created.
if a disk image is extended into space that had previously been used as a snapshot or as a disk that was shrunk.
https://www.brightbox.com/blog/2007/12/04/secure-virtual-disk-deletion-is-your-data-safe/
- In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.
http://en.wikipedia.org/wiki/Obfuscation_%28software%29
- Reverse Engineering Virtual Machine Protected Binaries
it’s crucial to know how this code obfuscation technique really works behind the scenes. The virtual machine first sets up its “address space” inside the executing process’s virtual address space; in other words, it allocates the space it needs for its memory, stack and registers, then starts executing the code. Code execution is done within what is called a virtual machine loop. Inside this loop, the virtual machine plays the part of the processor by parsing each of its predefined opcodes and their operands, then using the host (“mother”) architecture to execute the corresponding instructions. Iterating through the VM loop continues until a special exit opcode is reached.
http://resources.infosecinstitute.com/reverse-engineering-virtual-machine-protected-binaries/#gref
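A miniature version of the VM loop described above, added here as an illustration; it is not code from the article or from any real protector, and the instruction set, the opcode values and the protected program are invented for this example. run_vm() is the VM loop that fetches an opcode, dispatches to its handler and stops on the EXIT opcode. disassemble() is what an analyst writes once the handlers have been mapped: it turns the opaque bytecode back into a readable listing, which is the step that makes a VM-protected routine reviewable again.

```python
"""A miniature VM protection and the reverser's answer to it.

Added example: the instruction set, opcode values and program are invented.
run_vm() is the VM loop (fetch opcode, dispatch to handler, stop at EXIT);
disassemble() is what an analyst writes once the handlers are mapped."""

# Opcode values are arbitrary; a real protector randomises them per build.
LDI, NEXT, XOR, ADD, JF, JMP, EXIT = 0x9C, 0x31, 0x77, 0xE2, 0x6D, 0x52, 0xFF
MNEMONIC = {LDI: "LDI", NEXT: "NEXT", XOR: "XOR", ADD: "ADD", JF: "JF", JMP: "JMP", EXIT: "EXIT"}
LENGTH = {LDI: 3, NEXT: 2, XOR: 3, ADD: 3, JF: 2, JMP: 2, EXIT: 2}   # bytes per instruction

# Protected program. Native equivalent: acc = 0; for b in data: acc = ((acc ^ b) + 0x5A) & 0xFF
PROGRAM = bytes([
    LDI, 0, 0x00,   # 00: R0 = 0            accumulator
    LDI, 2, 0x5A,   # 03: R2 = 0x5A         constant
    NEXT, 1,        # 06: R1 = next input byte, flag = 1 (flag = 0 when input is exhausted)
    JF, 12,         # 08: if flag: goto 12
    EXIT, 0,        # 10: return R0
    XOR, 0, 1,      # 12: R0 ^= R1
    ADD, 0, 2,      # 15: R0 = (R0 + R2) & 0xFF
    JMP, 6,         # 18: goto 6
])


def run_vm(code: bytes, data: bytes, max_steps: int = 100_000) -> int:
    """VM loop: fetch, decode, dispatch to a handler, until the EXIT opcode."""
    regs = [0, 0, 0, 0]
    state = {"pc": 0, "idx": 0, "flag": 0}

    def h_ldi(a, imm):
        regs[a] = imm

    def h_next(a, _):
        if state["idx"] < len(data):
            regs[a] = data[state["idx"]]
            state["idx"] += 1
            state["flag"] = 1
        else:
            state["flag"] = 0

    def h_xor(a, b):
        regs[a] ^= regs[b]

    def h_add(a, b):
        regs[a] = (regs[a] + regs[b]) & 0xFF

    handlers = {LDI: h_ldi, NEXT: h_next, XOR: h_xor, ADD: h_add}

    for _ in range(max_steps):
        pc = state["pc"]
        op = code[pc]
        if op not in LENGTH:
            raise ValueError(f"unknown opcode 0x{op:02X} at {pc}")
        if op == EXIT:
            return regs[code[pc + 1]]
        if op == JF:
            state["pc"] = code[pc + 1] if state["flag"] else pc + 2
            continue
        if op == JMP:
            state["pc"] = code[pc + 1]
            continue
        a = code[pc + 1]
        b = code[pc + 2] if LENGTH[op] == 3 else 0
        handlers[op](a, b)
        state["pc"] = pc + LENGTH[op]
    raise RuntimeError("VM did not reach EXIT")


def disassemble(code: bytes) -> list:
    """Analyst-side tool: decode the custom ISA into a readable listing."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        size = LENGTH[op]
        operands = code[pc + 1:pc + size]
        if op == LDI:
            text = f"LDI R{operands[0]}, 0x{operands[1]:02X}"
        elif op in (XOR, ADD):
            text = f"{MNEMONIC[op]} R{operands[0]}, R{operands[1]}"
        elif op in (JF, JMP):
            text = f"{MNEMONIC[op]} {operands[0]:02d}"
        else:   # NEXT, EXIT
            text = f"{MNEMONIC[op]} R{operands[0]}"
        out.append(f"{pc:02d}: {text}")
        pc += size
    return out


def reference_checksum(data: bytes) -> int:
    """The unprotected logic, to confirm the VM computes the same thing."""
    acc = 0
    for b in data:
        acc = ((acc ^ b) + 0x5A) & 0xFF
    return acc


if __name__ == "__main__":
    print("\n".join(disassemble(PROGRAM)))
    print("vm:", hex(run_vm(PROGRAM, b"hello")), "native:", hex(reference_checksum(b"hello")))
```

Note what the analyst never sees in the protected binary: the xor/add logic exists only as operands in PROGRAM, so a native disassembler shows one dispatch loop and a handful of handlers for every protected routine. The handlers are the same for each program, which is why mapping them once and writing a disassembler for the custom ISA pays off.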
- Code Virtualizer is a powerful code-obfuscation system for Windows, Linux, and Mac OS X applications that helps developers to protect their sensitive code areas against Reverse Engineering with very strong obfuscation code, based on code virtualization.
https://oreans.com/codevirtualizer.php
- Tigress is a diversifying virtualizer/obfuscator for the C language that supports many novel defenses against both static and dynamic reverse engineering and de-virtualization attacks.
http://tigress.cs.arizona.edu/
- According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware. The result was a "complete virtual machine escape."
"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled website."
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
- Anti-VM and Anti-Sandbox Explained
Understand how malware authors detect when malware is running in a virtual environment
Harden your security systems to reduce the odds of evasion
Identify anti-VM behavior in order to improve detection.
Malware analysts and investigators often use isolated environments, such as virtual machines (VMs) or sandboxes, to analyze unknown code for malware. In the same manner, security products often use VMs and sandboxes to execute potentially malicious code before it is approved to enter the organizational network.
In an attempt to evade analysis and bypass security systems, malware authors often design their code to detect isolated environments. Once such an environment is detected, the evasion mechanism may prevent the malicious code from running, or it may alter the malware’s behavior to avoid exposing malicious activity while running in a VM.
multiple tactics used by malware authors for detecting sandboxes in general, and virtual environments in particular.
Malware authors implement this in various ways, such as Windows API calls, WMI queries or specific CPU instructions.
Some of the methods described herein can be monitored by automatic analysis systems and added as behavioral signatures indicating potential malicious activity, in order to improve detection.
https://www.cyberbit.net/endpoint-security/anti-vm-and-anti-sandbox-explained/
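How the tactics above become behavioral signatures in an automated sandbox, as an added example (not Cyberbit's or Cuckoo's code): scan_trace() runs rules over a constructed API trace, and the trace format, the rule names, the five-minute stalling threshold and the two-rule verdict are this example's own choices. The VMware/VirtualBox artifacts the rules look for (vendor MAC OUIs, tools and driver names, registry keys, the CPUID hypervisor leaf, WMI hardware queries) are the commonly documented ones. The last check is stateful: a GetTickCount read on both sides of a long sleep is the malware measuring whether the sandbox fast-forwarded the sleep, which is itself a signal.

```python
"""Behavioral signatures for sandbox/VM evasion, run over an API trace.

Added example with a constructed trace; the rule names, thresholds and the
trace format are this example's own, not Cuckoo's or any vendor's."""
import re

# Constructed traces in a simple "Api(args) -> result" form, one event per line.
SUSPICIOUS_TRACE = r"""GetSystemInfo() -> 0
cpuid(leaf=0x1) -> ecx_bit31=1
cpuid(leaf=0x40000000) -> "VMwareVMware"
RegOpenKeyExW(HKLM\SOFTWARE\VMware, Inc.\VMware Tools) -> ERROR_FILE_NOT_FOUND
CreateFileW(\\.\VBoxMiniRdrDN) -> INVALID_HANDLE_VALUE
Process32NextW() -> vmtoolsd.exe
GetAdaptersAddresses() -> 00:0C:29:4A:1B:2C
IWbemServices::ExecQuery(SELECT * FROM Win32_ComputerSystem) -> Manufacturer="VMware, Inc."
GetTickCount() -> 102311
NtDelayExecution(Delay=600000) -> 0
GetTickCount() -> 102315
ExitProcess(0)
"""

BENIGN_TRACE = r"""GetSystemInfo() -> 0
CreateFileW(C:\Users\user\report.docx) -> 0x1a4
WriteFile(0x1a4, 4096) -> 4096
NtDelayExecution(Delay=50) -> 0
ExitProcess(0)
"""

# Stateless rules: one regex per evasion technique.
PATTERN_RULES = {
    "cpuid_hypervisor":   re.compile(r"cpuid\(leaf=0x(1|40000000)\)"),          # hypervisor bit / vendor leaf
    "vm_registry_key":    re.compile(r"RegOpenKeyExW\(.*(VMware|VBox|VirtualBox|QEMU|Xen)", re.I),
    "vm_device_handle":   re.compile(r"CreateFileW\(\\\\\.\\(VBox|vmci|HGFS)", re.I),   # \\.\VBox*, \\.\vmci
    "vm_process_name":    re.compile(r"Process32NextW\(\).*(vmtoolsd|VBoxService|VBoxTray|vmwaretray)", re.I),
    "vm_mac_oui":         re.compile(r"\b(00:0C:29|00:50:56|00:05:69|00:1C:14|08:00:27)\b", re.I),
    "wmi_hardware_query": re.compile(r"ExecQuery\(SELECT .* FROM Win32_(ComputerSystem|BIOS|BaseBoard|DiskDrive)", re.I),
}
LONG_SLEEP_MS = 300_000        # stalling past a typical sandbox run; example's own threshold
SLEEP_RE = re.compile(r"NtDelayExecution\(Delay=(\d+)\)")
TICK_RE = re.compile(r"GetTickCount\(\) -> (\d+)")


def scan_trace(trace: str) -> dict:
    """Return {rule_name: [matching lines]} for every rule that fired."""
    hits = {}
    lines = trace.splitlines()
    for line in lines:
        for name, rx in PATTERN_RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    # Stateful rules: long sleeps, and a tick count read before and after a
    # sleep (the sample is checking whether the sandbox skipped the delay).
    last_tick = None
    pending_sleep = None
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            ms = int(m.group(1))
            if ms >= LONG_SLEEP_MS:
                hits.setdefault("long_sleep", []).append(line)
            if last_tick is not None:
                pending_sleep = (ms, last_tick)
            continue
        t = TICK_RE.search(line)
        if t:
            now = int(t.group(1))
            if pending_sleep and now - pending_sleep[1] < pending_sleep[0]:
                hits.setdefault("sleep_timing_check", []).append(line)
            pending_sleep = None
            last_tick = now
    return hits


def verdict(hits: dict, min_rules: int = 2):
    """Flag as anti-VM when at least min_rules distinct rules fired."""
    return len(hits) >= min_rules, len(hits)


if __name__ == "__main__":
    for label, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        h = scan_trace(trace)
        print(label, verdict(h), sorted(h))
```

Any one of these checks also appears in legitimate software (installers query Win32_ComputerSystem, VMware Tools reads its own registry key), which is why the verdict counts distinct rules rather than firing on a single match.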
- What Happens When APTs Advance to Lateral Movement?
Lateral movement tactics used by attackers are mainly divided into three parts: the reconnaissance period, where they gather inside information to move freely in a network; the stealing of legitimate credentials; and the actual intrusion into computers using these credentials.
http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-happens-when-apts-advance-to-lateral-movement-
- An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. An APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack
Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.
Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives.
Mitigation strategies
While APT activities are stealthy and hard to detect, the command and control network traffic associated with APT can be detected at the network layer.
Agents can be used to collect logs (TCP and UDP) directly from assets into a syslog server. Then a Security Information and Event Management (SIEM) tool can correlate and analyze the logs.
While it is challenging to separate noise from legitimate traffic, a good log correlation tool can be used to filter out the legitimate traffic so security staff can focus on the noise.
Good asset management, with documented components of the original operating system plus software, will help IT security analysts detect new files on the system.
Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code.
https://en.wikipedia.org/wiki/Advanced_persistent_threat
- Lateral movement: the key to any attack or escape
A real-life example of this malicious lateral movement in your network is the Destover wiper malware, which uses the SMB protocol via the NetBIOS API (port 139), a protocol not monitored by most sandboxing tools, to move laterally across a network, gain access to confidential data and transport the desired data across the network to where it can later be pulled out of the network.
http://community.hpe.com/t5/Protect-Your-Assets/Lateral-movement-the-key-to-any-attack-or-escape/ba-p/6759654#.V2J9zqLSzuh
- Lateral Movement – A Critical Opportunity to Detect an In-progress Cyber Attack
the attacker begins to move laterally around the network, taking inventory of the resources and looking for opportunities to collect additional credentials or upgrade the privileges they already have to gain access
http://www.countertack.com/blog/bid/124216/Lateral-Movement-A-Critical-Opportunity-to-Detect-an-In-progress-Cyber-Attack
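Detecting the SMB spread described above at the network layer, as an added example (not HPE's or CounterTack's code): one source opening SMB/NetBIOS/RDP/WinRM connections to many distinct hosts in a short window is the fan-out pattern lateral movement leaves in flow logs, and comparing (source, destination) pairs against a baseline is the log-correlation step the APT mitigation notes above describe. The flow records, the five-minute window, the five-target threshold and the baseline are constructed for this example; the file server that every workstation talks to is included to show why the detector keys on sources, not destinations.

```python
"""Lateral-movement detection over flow logs: per-source fan-out on lateral
ports inside a sliding window, plus pairs never seen in a baseline.

Added example with constructed flow records; window, threshold and baseline
are this example's own tuning."""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {139: "NetBIOS-SSN", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Constructed flow log: "timestamp src dst dport". 10.0.1.50 is a workstation
# fanning out over SMB/RDP/WinRM; 10.0.1.10 is a file server everyone uses.
FLOWS = """\
2017-03-01T09:00:01 10.0.1.50 10.0.1.10 445
2017-03-01T09:00:02 10.0.1.51 10.0.1.10 445
2017-03-01T09:00:03 10.0.1.52 10.0.1.10 445
2017-03-01T09:00:04 10.0.1.53 10.0.1.10 445
2017-03-01T09:00:05 10.0.1.54 10.0.1.10 445
2017-03-01T09:00:06 10.0.1.55 10.0.1.10 445
2017-03-01T09:00:07 10.0.1.50 10.0.1.51 445
2017-03-01T09:00:08 10.0.1.50 10.0.1.52 139
2017-03-01T09:00:09 10.0.1.50 10.0.1.53 445
2017-03-01T09:00:10 10.0.1.50 10.0.1.54 3389
2017-03-01T09:00:11 10.0.1.50 10.0.1.55 445
2017-03-01T09:00:12 10.0.1.50 10.0.1.56 5985
2017-03-01T09:10:00 10.0.1.51 10.0.1.52 445
2017-03-01T09:20:00 10.0.1.51 10.0.1.53 445
2017-03-01T09:30:00 10.0.1.51 10.0.1.54 445
"""

# Constructed baseline: the known client -> file server pairs.
BASELINE_PAIRS = {(f"10.0.1.5{i}", "10.0.1.10") for i in range(6)}


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)


def detect_fan_out(flows: list, window=timedelta(minutes=5), min_targets: int = 5) -> list:
    """Alert when one source reaches >= min_targets distinct hosts on lateral ports within window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in LATERAL_PORTS:
            by_src[src].append((ts, dst, port))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) >= min_targets:
                alerts.append({
                    "src": src, "first": span[0][0], "last": span[-1][0],
                    "targets": sorted(targets),
                    "ports": sorted({p for *_, p in span}),
                })
                break   # one alert per source is enough
    return alerts


def new_pairs(flows: list, baseline: set) -> list:
    """Lateral-port flows between a (src, dst) pair never seen in the baseline."""
    return [(ts, src, dst, port) for ts, src, dst, port in flows
            if port in LATERAL_PORTS and (src, dst) not in baseline]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for a in detect_fan_out(flows):
        print(f"fan-out from {a['src']}: {len(a['targets'])} hosts on ports {a['ports']}")
    print("pairs outside baseline:", len(new_pairs(flows, BASELINE_PAIRS)))
```

The slow second workstation (one new SMB session every ten minutes) stays under the fan-out threshold, which is the real-world gap: a patient operator beats a window-based rule, and only the baseline comparison still surfaces those sessions as pairs the network has never seen.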
- Criminals have strong motives to prevent their malware from being analyzed, which is a mandatory step in performing incident response. The classical model of an executable protection is that of a wrapper around a single executable. At the time of creation, the protector will compress and/or encrypt the contents of the executable’s sections. It will then append a new code section that is responsible for decompressing and/or decrypting the sections when executed, as well as for thwarting attempts at reverse engineering. The executable’s entry point is redirected into this new code (termed the ”unpacking stub”), and upon completion, execution is transferred back to the original entry point. The program will subsequently function identically to the original, unprotected executable.
Each assumes that the hidden code from the protected program will be completely unprotected in memory at some point during execution, and each uses various measures to guide execution until this point. Some tools additionally have the goal, beyond merely identifying hidden code and the original entry point, of producing working, unprotected executables.
http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
- At the YaraRules Project we want to offer the Community a new online service: “YaraRules Analyzer”. It allows you to analyze your files in the cloud using the full YaraRules ruleset, so you do not need to install Yara on your local computer, and you also make sure to analyze your files against the latest YaraRules ruleset.
http://yararules.com/
Yara is an open source malware attribution tool used to classify malware samples based on textual or binary patterns once they have been analyzed in Cuckoo. Using Yara, researchers write descriptions of malware families based on patterns. These descriptions are called rules, hence the name Yara (which stands for “Yet Another Recursive Acronym”) Rules. It allows researchers to recognize and categorize seemingly similar variants of malware and can be integrated for use within Cuckoo.
https://www.cyberbit.net/endpoint-security/open-source-malware-analysis-tools
- Reverse engineering involves in-depth analysis of malicious files, which takes time and costs money. It is considered good practice to observe malware behavior, group it into a signature, and then identify the related infected files. To cut the cost of reverse engineering and identify malware families based on signatures, we can use an open source tool known as YARA.
YARA is a popular tool that provides a robust language, compatible with Perl-based regular expressions, which is used to examine suspected files/directories and match the strings defined in the YARA rules against the file.
https://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/#gref
- This project covers the need of a group of IT security researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible; it began as an open source community for collecting Yara rules.
https://github.com/Yara-Rules/rules
The pattern matching swiss knife for malware researchers
YARA is multi-platform, running on Windows, Linux, and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
https://virustotal.github.io/yara/
- That’s why playing “retro hunting” is also important. I like this name: it comes from a VirusTotal feature that allows the creation of YARA rules and to search backward for samples that match them. Here is an example based on MISP and Splunk. The first step is to export interesting IOCs like IP addresses, hostnames or hashes from the last day. Export them in CSV format into your Splunk via a simple crontab
https://isc.sans.edu/diary/Retro+Hunting%21/22189
- Retrohunt: Yara back in time
Create a Yara rule and apply it back in time to the existing dataset in order to discover early versions of new attacks that you might have recently discovered.
https://www.virustotal.com/#/hunting-overview
- A Linux Toolkit for Reverse-Engineering and Analyzing Malware. REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely available tools that can examine malware, yet might be difficult to locate or set up.
https://remnux.org/
- Radare is a portable reversing framework that can
Disassemble (and assemble for) many different architectures
Debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg)
Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku
Perform forensics on filesystems and data carving
Be scripted in Python, Javascript, Go and more
Support collaborative analysis using the embedded webserver
Visualize data structures of several file types
Patch programs to uncover new features or fix vulnerabilities
Use powerful analysis capabilities to speed up reversing
Aid in software exploitation
https://rada.re/r/
- Medusa is a disassembler designed to be both modular and interactive. It runs on Windows and Linux, and it should be the same on OSX. This project is organized as a library. To disassemble a file you have to use medusa_text or Medusa.
https://github.com/wisk/medusa
- Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications
https://www.hopperapp.com/
- Hiew
view and edit files of any length in text, hex, and decode modes
x86-64 disassembler & assembler (AVX instructions included)
physical & logical drive view & edit
support for NE, LE, LX, PE/PE32+, ELF/ELF64 (little-endian), Mach-O (little-endian), TE/TE64 executable formats
support for Netware Loadable Modules like NLM, DSK, LAN, ...
following direct call/jmp instructions in any executable file with one touch
pattern search in disassembler
built-in simple 64-bit decrypt/crypt system
built-in powerful 64-bit calculator
block operations: read, write, fill, copy, move, insert, delete, crypt
multifile search and replace
keyboard macros
unicode/utf8 support
Hiew External Module (HEM) support
ArmV6 disassembler
http://www.hiew.ru/
- IDA Pro is a disassembler
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented in IDA Pro to make that code more readable, in some cases quite close to the original source code that produced the binary program. The map of the program's code can then be post-processed for further investigation.
IDA Pro is a debugger
Hostile code usually does not cooperate with the analyst. Viruses, worms, and trojans are often armored and obfuscated. The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing the analyst to single-step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on various platforms, including the ubiquitous 80x86 (typically Windows/Linux) and the ARM platform (typically Windows CE PDAs) and other platforms. Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.
Hostile Code analysis
When eEye isolated a new worm whose payload targeted the White House's website, IDA Pro was used to analyze and understand it: it helped the talented eEye analysts deliver a prompt and accurate warning of the impending attack.
Vulnerability research
IDA Pro is the ideal tool to investigate why software breaks.
COTS validation
A lot of software is now developed outside the country where it is used. IDA provides a convenient means to check if a program really does what it claims to do.
Privacy protection
https://www.hex-rays.com/products/ida/ida-executive.pdf
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.
Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.
https://www.cisco.com/c/en/us/about/security-center/virus-differences.html
- OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable. OllyDbg is shareware, but you can download and use it for free.
http://www.ollydbg.de/
OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants, and strings, as well as locating routines from object files and libraries. It has a friendly interface, and its functionality can be extended by third-party plugins.
OllyDbg is often used for reverse engineering of programs. It is often used by crackers to crack software made by other developers. For cracking and reverse engineering, it is often the primary tool because of its ease of use and availability; any 32-bit executable can be loaded by the debugger and edited in assembly in real time. It is also useful for programmers to ensure that their program is running as intended. Furthermore, it can be used for malware analysis purposes as well.
http://en.wikipedia.org/wiki/OllyDbg
WinDbg is a multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft.
It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode.
WinDbg can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death, which occurs when a bug check is issued. It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.
Recent versions of WinDbg have been and are being distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and command line debugger front-ends like KD, CDB, and NTSD.
http://en.wikipedia.org/wiki/WinDbg
- Freeware Hex Editor Neo allows you to view, modify, analyze your hexadecimal data and binary files, edit, exchange data with other applications through the clipboard, insert new data and delete existing data, as well as perform other editing actions.
http://www.hhdsoftware.com/free-hex-editor
Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.
"Spyware" is mostly classified into four types: system monitors, trojans, adware, and tracking cookies.
Spyware is mostly used for purposes such as tracking and storing internet users' movements on the web and serving up pop-up ads to internet users.
Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect.
Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.
While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, unauthorized changes in browser settings, or changes to software settings.
http://en.wikipedia.org/wiki/Spyware
- How to: Use NETSTAT.EXE to detect spyware/malware
This video explains how to use the netstat command to see which executables own established connections; "netstat -b" should be used (on Windows it requires an elevated, administrator command prompt).
http://www.mappingwireless.com/internet-security/how-to-use-netstatexe-to-detect-spywaremalware
Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought.
A person may never realize she was the target of elicitation or that she provided meaningful information
Many competitive business intelligence collectors and foreign intelligence officers are trained in elicitation tactics. Their job is to obtain non-public information
A business competitor may want information in order to out-compete your company, or a foreign intelligence officer may want insider information or details on US defense technologies.
Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.
Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.
Elicitation can occur anywhere— at social gatherings, at conferences, over the phone, on the street, on the Internet, or in someone’s home.
For example, have you ever planned a surprise party for someone and needed to know their schedule, wish list, food likes and dislikes or other information without that person finding out you were collecting the information or for what purpose?
Why Elicitation Works
Natural tendencies an elicitor may try to exploit include:
A desire to be polite and helpful, even to strangers or new acquaintances
A desire to appear well informed, especially about our profession
A desire to feel appreciated and believe we are contributing to something important
A tendency to expand on a topic when given praise or encouragement; to show off
A tendency to gossip
A tendency to correct others
A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
A tendency to believe others are honest; a disinclination to be suspicious of others
A tendency to answer truthfully when asked an “honest” question
A desire to convert someone to our opinion
For example, you meet someone at a public function and the natural getting-to-know-you questions eventually turn to your work. You never mention the name of your organization. The new person asks questions about job satisfaction at your company, perhaps while complaining about his job. You may think, “He has no idea where I work or what I really do. He’s just making idle chat. There’s no harm in answering.” However, he may know exactly what you do but he relies on his anonymity, your desire to be honest and appear knowledgeable, and your disinclination to be suspicious to get the information he wants. He may be hunting for a disgruntled employee who he can entice to give him insider informat
Techniques
Assumed Knowledge: Pretend to have knowledge or associations in common with a person. “According to the computer network guys I used to work with…”
Bracketing: Provide a high and low estimate in order to entice a more specific number. “I assume rates will have to go up soon. I’d guess between five and 15 dollars.” Response: “Probably around seven dollars.”
Can you top this? Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product that is capable of …”
Confidential Bait: Pretend to divulge confidential information in hopes of receiving confidential information in return. “Just between you and me…” “Off the record…”
Deliberate False Statements / Denial of the Obvious: Say something wrong in the hopes that the person will correct your statement with true information.
Feigned Ignorance: Pretend to be ignorant of a topic in order to exploit the person’s tendency to educate.
Flattery: Use praise to coax a person into providing information.
Good Listener: Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative).
The Leading Question: Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption.
Macro to Micro: Start a conversation on the macro level, and then gradually guide the person toward the topic of actual interest. A good elicitor will then reverse the process, taking the conversation back to macro topics.
Mutual Interest: Suggest you are similar to a person based on shared interests, hobbies, or experiences, as a way to obtain information or build a rapport before soliciting information.
Oblique Reference: Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may actually be an attempt to understand the type of access outside vendors have to the facility.
Opposition/Feigned Incredulity: Indicate disbelief or opposition in order to prompt a person to offer information in defense of their position.
Provocative Statement: Entice the person to direct a question toward you, in order to set up the rest of the conversation.
Questionnaires and Surveys: State a benign purpose for the survey.
Quote Reported Facts: Reference real or false information so the person believes that bit of information is in the public domain.
Ruse Interviews: Someone pretending to be a headhunter calls and asks about your experience, qualifications, and recent projects.
Volunteering Information / Quid Pro Quo: Give information in hopes that the person will reciprocate.
Word Repetition: Repeat core words or concepts to encourage a person to expand on what he/she already said.
Deflecting Elicitation Attempts
You can politely discourage conversation topics and deflect possible elicitations by:
Referring them to public sources (websites, press releases)
Ignoring any question or statement you think is improper and changing the topic
Deflecting a question with one of your own
Responding with “Why do you ask?”
Giving a nondescript answer
Stating that you do not know
Stating that you would have to clear such discussions with your security office
Stating that you cannot discuss the matter
If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.
http://www.fbi.gov/about-us/investigate/counterintelligence/elicitation-techniques
An introduction to detecting and deterring an insider spy
Personal Factors
Greed or Financial Need: A belief that money can fix anything. Excessive debt or overwhelming expenses.
Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.
Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff.
Ideology/Identification: A desire to help the “underdog” or a particular cause.
Divided Loyalty: Allegiance to another person or company, or to a country besides the United States.
Adventure/Thrill: Want to add excitement to their life, intrigued by the clandestine activity, “James Bond Wannabe.”
Vulnerability to blackmail: Extra-marital affairs, gambling, fraud.
Ego/Self-image: An “above the rules” attitude, or desire to repair wounds to their self-esteem. Vulnerability to flattery or the promise of a better job. Often coupled with Anger/Revenge or Adventure/Thrill.
Ingratiation: A desire to please or win the approval of someone who could benefit from insider information, with the expectation of returned favors.
Compulsive and destructive behavior: Drug or alcohol abuse, or other addictive behaviors.
Family problems: Marital conflicts or separation from loved ones.
Organizational Factors
The availability and ease of acquiring proprietary, classified, or other protected materials. Providing access privileges to those who do not need them.
Behavioral Indicators
Some behaviors may be a clue that an employee is spying and/or methodically stealing from the organization:
http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
- Internet Social Networking Risks
http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks
- How to Detect Spyware on a Cell Phone
There are a few subtle signs that spyware may have been installed on your cell phone.
Notice if your phone’s screen lights up when you are not using it to make or receive a call or to open an app. Unexplained wake-ups can be a sign of software working in the background. (The original eHow text says spyware has to “call” your phone to get information; most phone spyware actually uploads what it collects over the data connection, so do not rely on this sign alone.)
Note any strange background noises or clicks when you are on a call.
Notice an increase in mobile data (GPRS) use. Spyware that uploads your location, messages or recordings needs data to do so, so unexplained data use is worth investigating.
Check your phone bill closely. Notice whether it lists more text messages than you remember sending or calls you did not make.
Ask anyone who may have borrowed your phone whether they installed any software, wallpapers or ringtones.
Tips & Warnings
Use anti-virus software on your phone to detect and remove viruses or spyware.
Take your phone to your service provider, who can erase the phone’s memory and restore the factory default settings. You will lose all your data, but the spyware will be eliminated along with it.
Make a hard copy of any information in your phone that you wish to retain.
Do not give your cell phone number to strangers or post it on the Internet.
The original article claims spyware can be installed on your phone from a remote location simply by calling it. Treat that claim with caution: a phone call by itself does not install software. Spyware usually gets onto a phone through physical access (someone borrows it and installs an app) or by tricking the owner into installing a malicious app or opening a malicious link.
If you let a stranger borrow your phone to make an “emergency” call before you noticed any of these signs, consider that they may have installed something while they had the phone in hand, rather than that the number they dialed did so.
Premium-rate SMS fraud is a common goal of such software: it signs your phone up to services that send large numbers of text messages for which you are charged.
http://www.ehow.com/how_4826956_detect-spyware-cell-phone.html#ixzz2MfR4Vj46
- How to detect and remove Ramnit
Ramnit is malware that infects PCs running Microsoft Windows. Once a PC is infected, the malware disables a series of Windows security features (Windows Defender, Windows Firewall, User Account Control) and Windows Update, and removes the ability to install other antivirus software.
http://windows.microsoft.com/en-us/windows/detect-remove-ramnit-virus
SpyEye is written in C++ and the compiled binary is about 60 KB. Supported operating systems range from Windows 2000 to Windows 7. It runs in user mode (ring 3), like the Zeus Trojan. It is sold as undetected by most antivirus software; it hides from Task Manager and other user-mode tools, hides its files from normal Explorer searches, and hides its registry keys.
http://thehackernews.com/2011/08/spyeye-1345-download-loader-source-code.html
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.
https://en.wikipedia.org/wiki/Zeus_(malware)
- Advanced Threat Analytics (ATA)
Using deep packet inspection technology, Microsoft Advanced Threat Analytics analyzes all Active Directory traffic. It can also collect relevant events from a SIEM and other sources.
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics#CP_CaseStudy_2
- Crypters are applications used solely to get malware past antivirus detection. Attackers use crypters to wrap viruses, Trojans, RATs, keyloggers and other hacking tools in a new executable whose only purpose is to keep the wrapped payload from being detected.
https://www.hackingloops.com/crypters-tutorial-for-hackers-by-hackingloops/
- A crypter is a program used to help malware evade signature-based antivirus detection. It applies an obfuscation method (typically encryption) to the malware so that the antivirus cannot match it against any signature, and outputs a seemingly “harmless” file called the stub. Once the victim runs the stub, it decrypts the malware and executes it.
https://null-byte.wonderhowto.com/how-to/security-oriented-c-tutorial-0xfb-simple-crypter-0168089/
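An added example, not code from either of the tutorials cited above, showing in Python why a byte signature stops matching once a crypter wraps the payload, and the entropy check a defender can still apply to the wrapped file. The payload (a harmless byte string standing in for a binary), the signature, and the toy XOR “crypter” keyed by a small LCG are all constructed for the demo; no real malware, AV signature or crypter product is involved.

```python
"""
Added example (not from the pages cited above): why a byte signature stops
matching once a crypter wraps the payload, and one check defenders use anyway.

Everything here is constructed for the demo: PAYLOAD is a harmless byte string
standing in for a malicious binary, SIGNATURE is a substring an AV engine might
key on, and the "crypter" is a toy XOR stream cipher keyed by a small LCG.
"""
import math
from collections import Counter

# Constructed stand-in for a malicious binary: a fake header plus a telltale string.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 40 + b"C:\\Windows\\System32\\evil.dll" + b"\x00" * 40
# Constructed byte signature a scanner might look for.
SIGNATURE = b"evil.dll"


def keystream(seed: int, length: int) -> bytes:
    """Toy keystream from a linear congruential generator (demo only, not secure)."""
    out = bytearray()
    state = seed & 0xFFFFFFFF
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_crypt(data: bytes, seed: int) -> bytes:
    """XOR is its own inverse, so the same call both 'crypts' and 'decrypts'."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def signature_match(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """The simplest signature check: is the byte pattern present anywhere?"""
    return signature in blob


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; plain code/data sits well below 8, encrypted data close to it."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def crypter_demo(seed: int = 0x5EED) -> dict:
    """Run the whole comparison and return the facts a reviewer would check."""
    crypted = xor_crypt(PAYLOAD, seed)
    return {
        "plain_matches": signature_match(PAYLOAD),      # signature hits the raw payload
        "crypted_matches": signature_match(crypted),    # and misses the wrapped copy
        "roundtrip_ok": xor_crypt(crypted, seed) == PAYLOAD,  # the stub can still recover it
        "plain_entropy": shannon_entropy(PAYLOAD),
        "crypted_entropy": shannon_entropy(crypted),    # the wrapped copy looks like noise
    }


if __name__ == "__main__":
    for key, value in crypter_demo().items():
        print(f"{key:16} {value}")
```

The entropy gap is the point: a crypter removes the signature but cannot remove the fact that a large, high-entropy blob sits inside a small executable, which is exactly what heuristic scanners and packer detectors flag.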
- Poison Ivy: Assessing Damage and Extracting Intelligence
Here is how a typical Poison Ivy attack works:
The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
https://www.fireeye.com/blog/threat-research/2013/08/pivy-assessing-damage-and-extracting-intel.html
- Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth
https://en.wikipedia.org/wiki/Gh0st_RAT
- Gh0st RAT: Complete Malware Analysis – Part 1
Gh0st RAT is a Trojan-style remote access tool for Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.
http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/
The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/
- Lenovo has been preloading Superfish, a “visual search” tool that includes adware, on its PCs since at least the middle of 2014. Superfish installs its own root certificate and presents forged certificates for every HTTPS-protected site you visit, conducting a man-in-the-middle attack on your own browser traffic so it can inject ads. Because the same root certificate and private key shipped on every affected machine, anyone who extracted that key could impersonate any HTTPS site to those users, which is what leaves them vulnerable to attackers in its wake.
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
Exploit kits are toolkits used to exploit security holes, primarily to spread malware. These toolkits come packaged with exploit code. They target software such as Adobe Flash, Java, Microsoft Silverlight and Internet Explorer, software that is commonly installed and used on most PCs. Computers running outdated software or applications are at high risk.
https://www.trendmicro.com/vinfo/us/security/definition/Exploit-Kit
- to lure users into clicking a URL that points to sites hosting Blackhole Exploit Kit.
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/128/blackhole-exploit-kit-spam-runs-a-threat-vortex
- An exploit kit, sometimes called an exploit pack, is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.
https://zeltser.com/what-are-exploit-kits
- Trojan:JS/Kilim is a family of malicious browser extensions that post unauthorized content to the user's Facebook Wall.
Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program.
https://www.f-secure.com/v-descs/trojan_js_kilim.shtml
- SMB Worm Tool: This worm uses a brute-force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is guessed correctly, a file share is established and a file is copied to and run on the newly infected host.
http://www.securityweek.com/hackers-used-sophisticated-smb-worm-tool-attack-sony
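An added example, not from the SecurityWeek article above, of detection logic for the two behaviours that article describes: a burst of failed SMB logons from one host followed by a success, and a C2 check-in on a fixed five-minute cadence. The log lines and field names are constructed for the demo; map them onto your own SMB/authentication and proxy or firewall logs before use.

```python
"""
Added example (not from the SecurityWeek article above): detection logic for
SMB password guessing followed by a successful logon, and for a C2 check-in on
a fixed five-minute cadence. Log lines and field names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed SMB authentication log: one failed or successful logon per line.
AUTH_LOG = """\
2014-11-24T09:00:01 src=10.0.0.5 dst=10.0.0.7 user=administrator result=FAIL
2014-11-24T09:00:02 src=10.0.0.5 dst=10.0.0.7 user=administrator result=FAIL
2014-11-24T09:00:02 src=10.0.0.5 dst=10.0.0.7 user=administrator result=FAIL
2014-11-24T09:00:03 src=10.0.0.5 dst=10.0.0.7 user=administrator result=FAIL
2014-11-24T09:00:03 src=10.0.0.5 dst=10.0.0.7 user=administrator result=FAIL
2014-11-24T09:00:04 src=10.0.0.5 dst=10.0.0.7 user=administrator result=SUCCESS
2014-11-24T09:05:10 src=10.0.0.9 dst=10.0.0.7 user=jsmith result=FAIL
2014-11-24T09:05:40 src=10.0.0.9 dst=10.0.0.7 user=jsmith result=SUCCESS
"""

# Constructed outbound-connection log (timestamp, source host, destination).
CONN_LOG = """\
2014-11-24T09:00:10 src=10.0.0.7 dst=203.0.113.10:443
2014-11-24T09:05:10 src=10.0.0.7 dst=203.0.113.10:443
2014-11-24T09:10:11 src=10.0.0.7 dst=203.0.113.10:443
2014-11-24T09:15:10 src=10.0.0.7 dst=203.0.113.10:443
2014-11-24T09:20:10 src=10.0.0.7 dst=203.0.113.10:443
2014-11-24T09:01:00 src=10.0.0.9 dst=198.51.100.20:443
2014-11-24T09:17:00 src=10.0.0.9 dst=198.51.100.20:443
2014-11-24T09:42:00 src=10.0.0.9 dst=198.51.100.20:443
"""


def parse(log: str) -> list:
    """Turn 'ts k=v k=v' lines into dicts with a parsed datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def smb_bruteforce_hits(log: str, min_failures: int = 4,
                        window: timedelta = timedelta(minutes=2)) -> list:
    """Return (src, dst, failures) where a burst of failures precedes a SUCCESS.

    One host hammering one target with many bad passwords and then logging on
    is the worm's password-guessing thread; a user mistyping a password once or
    twice stays under the threshold.
    """
    failures = defaultdict(list)   # (src, dst) -> timestamps of failed logons
    hits = []
    for ev in sorted(parse(log), key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            hits.append((ev["src"], ev["dst"], len(recent)))
        failures[key].clear()
    return hits


def beacon_hits(log: str, expected: timedelta = timedelta(minutes=5),
                tolerance_s: float = 15.0, min_events: int = 4) -> list:
    """Return (src, dst, interval_s) for pairs whose connections are periodic.

    Connections spaced at the same interval with little jitter are what a
    scheduled 'call home' looks like; human browsing does not keep a clock.
    """
    by_pair = defaultdict(list)
    for ev in parse(log):
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    hits = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if abs(mean - expected.total_seconds()) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((src, dst, round(mean)))
    return hits


if __name__ == "__main__":
    print("brute force:", smb_bruteforce_hits(AUTH_LOG))
    print("beacons    :", beacon_hits(CONN_LOG))
```

In the constructed data 10.0.0.5 fails five times and then succeeds against 10.0.0.7 (flagged), 10.0.0.9 fails once (not flagged), and the newly infected 10.0.0.7 then calls 203.0.113.10 every 300 seconds with at most one second of jitter (flagged as a beacon). Real worms add jitter on purpose, so tune `tolerance_s` to your environment rather than trusting the defaults.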
- In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), is an application-layer network protocol mainly used for providing shared access to files, printers and serial ports, and for miscellaneous communications between nodes on a network.
https://en.wikipedia.org/wiki/Server_Message_Block
- Hack Windows XP with Metasploit
Metasploit does this by exploiting MS08-067, a vulnerability in the Windows Server service that is reachable over SMB (the article calls it the “samba service”; Samba is the Unix implementation of SMB, not the Windows service in question). This exploit works on unpatched Windows XP up to and including SP3.
http://www.binarytides.com/hack-windows-xp-metasploit
- Remote Access Trojans (RATs) give cybercriminals full remote control of infected endpoints.
https://www.trusteer.com/glossary/remote-access-trojan-rat
- A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly alongside a user-requested program, such as a game, or sent as an email attachment.
http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan
- Watering Hole is a computer attack strategy identified in 2012 by RSA Security, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
https://en.wikipedia.org/wiki/Watering_Hole
- In a watering hole attack scenario, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection.
http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/web-attack/137/watering-hole-101
- Detecting malware through static and dynamic techniques
Malware analysis involves two key techniques: static analysis and dynamic analysis.
Static analysis examines malware without actually running it. Dynamic analysis (also known as behavior analysis) executes malware in a controlled and monitored environment to observe its behavior
Basic Static Analysis
Basic static analysis examines malware without viewing the actual code or instructions. It employs different tools and techniques to quickly determine whether a file is malicious or not, provide information about its functionality and collect technical indicators to produce simple signatures. Technical indicators gathered with basic static analysis can include file name, MD5 checksums or hashes, file type, file size and recognition by antivirus detection tools.
Basic Dynamic Analysis
Basic dynamic analysis actually runs malware to observe its behavior, understand its functionality and identify technical indicators which can be used in detection signatures. Technical indicators revealed with basic dynamic analysis can include domain names, IP addresses, file path locations, registry keys, additional files located on the system or network.
Additionally, it will identify communication with an attacker-controlled external server for command and control purposes or in an attempt to download additional malware files.
Basic analysis can be thought of as what most automated sandboxes or dynamic malware analysis engines do today.
https://technical.nttsecurity.com/post/102efk4/detecting-malware-through-static-and-dynamic-techniques
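An added example, not from the NTT Security post above, of the basic static analysis step it describes: collecting the indicators the post lists (hashes, file type, size, printable strings) without executing anything, and showing why a hash alone is a brittle signature while the embedded strings, which point at behaviour, survive a one-byte change. The sample is a fake PE-like blob constructed here; the URL, path and registry key inside it are invented.

```python
"""
Added example (not from the NTT Security post above): basic static analysis
over a constructed sample. Collects hashes, file type, size and strings without
running the file, and shows a hash signature failing after a one-byte change.
"""
import hashlib
import re

# Constructed stand-in for a suspicious file: PE magic, padding, telltale strings.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + b"http://update.example.test/gate.php\x00"          # invented C2 URL
    + b"C:\\Users\\Public\\svchost.exe\x00"               # invented drop path
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # persistence key
    + b"\xff\xfe\x00\x11" * 8
)

# Magic-byte table for the file-type check (a small subset of what `file` knows).
MAGIC = [
    (b"MZ", "PE executable (MZ header)"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also Office/Java/APK containers)"),
]


def file_type(blob: bytes) -> str:
    """Identify the container by its leading magic bytes, not its extension."""
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    return "unknown"


def strings(blob: bytes, min_len: int = 6) -> list:
    """Equivalent of the Unix `strings` tool for runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def classify_strings(found: list) -> dict:
    """Bucket strings into the indicator types dynamic analysis later confirms."""
    return {
        "urls": [s for s in found if s.startswith(("http://", "https://"))],
        "paths": [s for s in found if re.match(r"[A-Za-z]:\\", s)],
        "registry": [s for s in found if s.startswith(("HKCU\\", "HKLM\\", "HKEY_"))],
    }


def static_indicators(blob: bytes) -> dict:
    """Everything basic static analysis yields, in one dict, without running the file."""
    found = strings(blob)
    return {
        "size": len(blob),
        "type": file_type(blob),
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "strings": found,
        **classify_strings(found),
    }


def hash_only_signature_survives(original: bytes, variant: bytes) -> bool:
    """True if a hash signature written for `original` still matches `variant`."""
    return hashlib.sha256(original).digest() == hashlib.sha256(variant).digest()


if __name__ == "__main__":
    report = static_indicators(SAMPLE)
    for k in ("size", "type", "md5", "sha256", "urls", "paths", "registry"):
        print(f"{k:8} {report[k]}")
    # A one-byte change (the kind malware authors make in bulk) defeats a hash match,
    # but the strings that describe what the file does are unchanged.
    variant = SAMPLE[:-1] + b"\x00"
    print("hash still matches variant:", hash_only_signature_survives(SAMPLE, variant))
    print("strings still match       :", strings(variant) == strings(SAMPLE))
```

The URL, path and registry key pulled out here are the same indicator types the post says dynamic analysis reveals; static analysis gets a first look at them cheaply, and the sandbox run then confirms which of them the sample actually uses.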