Category: Malware

All about Malware!

Hacking, Malware

Some notes on rootkits – Part 1

Rootkit major features
- Maintain access
- Conceal existence through stealth

Rootkit types
- User-mode
- Kernel-mode

User-mode rootkit main injection techniques
- Windows hooks
- CreateRemoteThread + LoadLibrary()
- CreateRemoteThread + WriteProcessMemory()

Hooking techniques
- Import Address Table hooking
- Inline function hooking

Rings
- Ring 3 – user-mode
- Ring 0 – kernel-mode
- Ring -1 – hypervisor

Bridging the rings
- SYSENTER
- System call
- Interrupt …

Hacking, Malware

Some notes on malware – Part 2

Keyloggers
- Software based.
- Hardware based.
- User/Kernel based.
- Windows/Linux based.
- Hook based.

Typical install locations
This is rather a long list; a few examples follow:

Windows
- Application Data\Microsoft\ System\filename.dll
- Program Files\Internet Explorer\filename.dll
- Program Files\Movie Maker\filename.dll
- All Users Application Data\filename.dll
- Temp\filename.dll

Linux
- /bin/login
- /bin/.login
- /bin/ps
- /etc/
- /etc/rc.d/
- /tmp/
- /usr/bin/.ps
- /usr/lib/
- /usr/sbin/
- /usr/spool/
- /usr/scr/

Local Drives installation
Malware …

Hacking, Malware

Some notes on malware – Part 1

The Motivation Behind Malware these days
This is rather a long list, but it can be narrowed down to the following:
- Steal sensitive data (identity theft, illegal immigration, terrorism, drug trafficking, blackmail, etc.).
- Banking fraud (credit card fraud, etc.).
- Spamming.
- Espionage.
- Advertisements/Click fraud.
- Medical insurance fraud.
- Money.

Propagation Techniques
Social Engineering (emails, spamming, phishing, office …

Malware

VirusTotal Uploader for Debian

VirusTotal API

Dependencies
sudo apt-get install automake autoconf libtool libjansson-dev libcurl4-openssl-dev

Download
git clone https://github.com/VirusTotal/c-vtapi.git
cd c-vtapi

Compile
autoreconf -fi
./configure
make
sudo make install

Configure
sudo sh -c 'echo "/usr/local/lib" > /etc/ld.so.conf.d/usr-local-lib.conf'
sudo ldconfig …

Malware, Malware Analysis

Extract patterns of interest from suspicious files

Balbuzard is a package of malware analysis tools in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc.). It can also crack malware obfuscation such as XOR, ROL, etc. by brute-forcing the transformation and checking the output for those same patterns.

Balbuzard tools
balbuzard is a tool to extract patterns …

Malware, Reversing

Open source .NET deobfuscator and unpacker

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren’t (usually) part …

Malware, Reversing

Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility …

Malware, Malware Analysis

Analyze multi-byte xor cipher

A tool to do some xor analysis:
- guess the key length (based on the count of equal chars)
- guess the key (based on knowledge of the most frequent char)

Download
https://github.com/hellman/xortool
git clone https://github.com/hellman/xortool.git

Usage
xortool [-h|--help] [OPTIONS] [filename]

Options:
-l,--key-length length of the key (integer)
-c,--char most possible char (one char or hex code) …

Honeypot

Honeypot Linux distribution

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients …

Honeypot

Targeted geolocation and tracking

HoneyBadger is a framework for targeted geolocation. It is used to identify the physical location of a web user by combining several geolocation techniques: the browser’s share-location feature, the visible Wi-Fi networks, and the IP address. The associated Metasploit Framework modules can be found here.

Prerequisites
- PHP
- Python
- SQLite3 …