Malicious programs - Malware

Carding

The term "malware" is formed from two English words: "malicious" and "software". There are other, rarer variants: "badware", "computer contaminant", "crimeware". In the jargon of some specialists there are also slang names such as "malicious" and "malware". In everyday life all malicious programs are often called computer viruses, although this is terminologically incorrect.

Malicious programs include any software that penetrates computer equipment without authorization. Such applications cause direct or indirect damage, for example by disrupting the computer's operation or stealing the user's personal data.

Malicious programs are created to achieve two main groups of goals. One of them boils down to gaining benefit from their introduction onto the victim's computer: for example, an attacker gains control over the computer, steals confidential information, or carries out extortion. The second group of goals is not related to material gain. Writing malicious code can be a way for its author to assert his skills, ordinary hooliganism, or a joke.


According to Article 273 of the Criminal Code of the Russian Federation, computer programs or other information that are deliberately intended for unauthorized destruction, blocking, modification, copying of data or for neutralizing their protection should be considered as malicious objects.

Microsoft holds that malware is any piece of software designed to harm an individual computer, a server, or an entire network. It does not matter whether such software is a virus, a trojan, or a kind of spyware.

Classification of malware

The main types of malware are listed below.
1. Botnet agents. A botnet is a group of infected computers that receive commands from an attacker; the corresponding malicious program is responsible for receiving and executing these commands. Such a network, also called a zombie network, can number from a few units to millions of computers.
2. Exploits - hacker utilities designed to exploit vulnerabilities in software.
3. Backdoors - programs for remotely connecting to a computer and managing it.
4. Computer viruses. It is customary to call a virus a program that injects its code into other applications (“infects” them), so that every time an infected object is launched, this code is executed.
5. Rootkits - means of hiding malicious activity (for example, other applications will not be able to detect files belonging to unwanted software).
6. Network worms are malicious programs with a wide variety of functional loads, which are capable of independently spreading over computer networks.
7. "Trojan horses" ("Trojans") - a wide class of malicious objects for various purposes, which usually do not have their own propagation mechanism (that is, they cannot infect files or replicate their copies over the network). The name comes from the early tactics of their infiltration - under the guise of a legitimate program or as a hidden addition to it.

Ransomware can be singled out as a special group. The scenario of such malicious programs is that they block the user's access to his data by some means and demand a ransom for unblocking it.

Objects of influence

Malware attacks affect almost all Internet users. The purpose of the attack depends on the type of attacker: a hooligan, a petty thief, or a cybercriminal. The consequences differ accordingly: one infection simply interferes with the normal operation of the computer, another leads to financial losses, and a third ends with the leakage of information constituting a commercial secret.

In recent years various companies and organizations have often suffered from malware, primarily because of their ability to pay. A typical attack is to encrypt, for example, an accounting database and then demand payment to recover this business-critical information. Web servers are attacked with exploits, trojans and worms, and from them cybercriminals steal information about customers and users, including bank card data, which threatens the loss of finances, databases and other corporate information.

Ordinary Internet users are also targets of malware. Of interest are personal data, information about bank accounts, email, and passwords for access to social networks. Quite often the targets of infection are gamers who have a large amount of game currency and rare artifacts.

Source of threat

The most dangerous and sophisticated malware programs are custom-built by government intelligence agencies or their associated cybercriminal groups. Such objects have a pronounced specificity and are aimed at a specific victim or group of victims. The purpose of their work can be the collection and theft of classified data or direct sabotage.

However, most malicious programs are created by ordinary attackers not affiliated with organized cybercrime or intelligence agencies. By introducing their developments onto a victim's computer, they can steal data for access to bank accounts, carry out network attacks from the infected device, extort ransoms, advertise dubious products, or send spam. Another source of the spread of malicious programs is petty criminals who steal logins, passwords and other personal information (for example, the accounts of participants in online games) for unauthorized use or sale.

Malicious programs can also be introduced by researchers who are developing new methods of infection and of countering anti-virus products. The purpose of these programmers is not profit but the study of the computing environment and the testing of their ideas.

Risk analysis

PC users often do not view malware as a serious threat, although they are frequently the victims of credential theft or ransomware lockouts. Business, on the contrary, speaks of infections as a significant threat to its activities.

Malicious programs that penetrate Internet of Things devices are also becoming widespread. For example, a British company created a ransomware virus for a Wi-Fi-connected thermostat. Having gained control over the equipment, it is able to lower the temperature to a critical level and demand money. You can read more about the new malicious program in the article "Ransomware viruses got to the thermostats".

There is no absolute protection against infections, but you can reduce the risk of a threat being realized. To do this, you need to install new versions of operating systems, keep all programs updated, use antivirus solutions from reliable manufacturers, prevent unauthorized persons from accessing the PC, not open suspicious links, letters and files, and take a number of other protective measures.
 

Carding

Professional
Messages
2,829
Reputation
17
Reaction score
2,087
Points
113

How to detect the presence of malicious code in a file if the antivirus is silent

The article describes the basic methods and techniques for detecting malicious code in files, and under what conditions it is worth examining the malware.

The first things we have to do to keep the malware from infecting the rest of the infrastructure are:
  • Isolate potentially infected PCs from other networks
  • Take a RAM dump
  • Take a disk image
The disk image and the main memory dump can be made with the FTK Imager software.


The toolkit with which the snapshot of the RAM will be taken is best run from an external medium, in order to avoid leaving unnecessary traces on the hard disk (data from the hard disk must be saved unchanged).

It is important to remember the following:
  • If a PC is infected with ransomware, there is a chance that when the network connection is lost the malware will start encrypting all data on the PC, so you must first assess the importance and criticality of the information located on the infected PC.
  • To prevent malware from reacting to system shutdown, the easiest way is to pull out the power cable.
Before starting to investigate malware with static and dynamic analysis, it is necessary to prepare a secure environment, which should include the following:

1. Prepare a virtual machine using VirtualBox or VMware (the version is important here), or a separate dedicated PC, preferably with Windows 7.

Next is the following software, which must be installed for a favorable execution environment for malicious code:
  • Microsoft Office
  • .NET Framework
  • Microsoft Visual C++ Redistributable
  • DirectX
  • Python 2.7, Python 3.5
  • Java Version 8
  • Chrome, Firefox, Opera
  • Adobe Acrobat Reader
  • Enable PowerShell Scripting Support

It is also necessary to isolate the virtual environment from the main OS:
  • Disabling Drag & Drop
  • Disable Shared Folders
  • Disable clipboard
  • Disconnecting from the network. If you need the Internet, set up a VPN.
  • Remove VMware Tools, virtualbox guest additions (malware can detect these add-ons and stop executing, since the execution of malicious code in a virtual environment is one of the signs of its investigation)
2. You need to configure Internet access through a VPN in order to communicate with the malware's control server.
3. To be able to roll back to the initial state of the test environment, you need to take a snapshot.

And so, static analysis:

1. Scanning the potentially malicious file with anti-virus software.
2. Uploading the potentially malicious file to VirusTotal; in this case, be careful with potentially confidential/private information, since after the upload it will be available to everyone. Alternatively, search for the generated hash sum.


File metadata analysis:

1. The presence of a digital signature, preferably from a well-known vendor. You can use SignTool to verify the digital signature.


2. Pay attention to the compilation date: if the software was compiled at a date in the near future, this is a reason to think (the compilation date is easy to fake).

You can use the CFF Explorer utility to view the compilation date.


3. Often the time of file compilation coincides with the time of uploading the file (sample) to VirusTotal (because the "hacker" checks how many antiviruses his malware detects).

4. Comparison of the hash sum of files, you need to find the original file on the developer's website and compare the hashes with the potentially malicious one.

5. When launching a potentially malicious file, pay attention to abnormal load on the CPU, HDD and network interface; you can use Resource Hacker for this (this utility also has many capabilities for tracking abnormal activity).


Parsing strings:

1. A binary file that cannot be opened normally (in Notepad++, MS Word, a browser) may contain exploits.

2. Binary files need to be viewed by HEX editors.


3. When viewing a file in a HEX editor, it is worth paying attention to the PDB string, which is added automatically by the compiler; if it is not there, someone deleted it (the PDB string is the path to the debug symbols; from it you can find the name of the software family or its functionality). We also pay attention to IP addresses and URLs and send them to VirusTotal. It is worth paying attention to fragments of meaningful text.

4. Fragments of a file with a high density of null characters are a sign of a packer.

Entropy Analysis:

1. A high level of entropy corresponds to the fact that the file is compressed or encrypted.

2. Fragments of a file with a high level of entropy close to 8.

3. Fragments of files where the level of entropy does not change.

DIE software can be used to analyze entropy.


Semi-dynamic analysis:

1. Interaction of the file with the registry. (pay attention to startup branches)

The RegShot utility takes a snapshot of the registry before and after (it compares the created and deleted branches in the registry).


2. Network activity.

2.1. Recording a dump of the traffic originating from the file under study at the moment of launch.


2.2. Check on VirusTotal the URLs and IP addresses being accessed.

2.3 Pay attention to the use of non-standard ports.

codeby.net
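The static checks from the post above (compilation date, hash comparison, PDB string, URLs and IP addresses in the strings, per-section entropy and null density) can be scripted instead of read off CFF Explorer, a HEX editor and DIE. The following is an added example and not part of the post: it parses the COFF header and section table of a PE file directly with `struct`, and runs on a constructed toy PE (the `dropper.pdb` path, the `203.0.113.10` URL, the `UPX1` section and the analysis date are all made up for the demonstration; `KNOWN_GOOD_SHA256` stands in for hashes you would copy from the vendor's site).

```python
"""Static triage of a PE sample: compile timestamp, SHA-256, strings, per-section entropy."""
import calendar
import hashlib
import math
import random
import re
import struct
from datetime import datetime, timezone

KNOWN_GOOD_SHA256 = set()  # assumption: hashes published on the vendor's site would be loaded here
_STR_RE = re.compile(rb"[\x20-\x7e]{6,}")                        # printable ASCII runs
_PDB_RE = re.compile(r"[A-Za-z]:\\[^\n]*?\.pdb", re.IGNORECASE)   # path to debug symbols
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [buf.count(b) for b in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data: bytes):
    """Return (TimeDateStamp, [(section name, raw bytes), ...]) from the COFF header and section table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, timestamp = struct.unpack_from("<HI", data, pe_off + 6)  # NumberOfSections, TimeDateStamp
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # SizeOfOptionalHeader
    sections = []
    for i in range(nsec):
        name, _vs, _va, size, ptr = struct.unpack_from("<8sIIII", data, pe_off + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), data[ptr:ptr + size]))
    return timestamp, sections


def extract_indicators(data: bytes) -> dict:
    """PDB paths, URLs and IPv4 addresses among the printable strings (what you would eyeball in a hex editor)."""
    text = "\n".join(s.decode("ascii") for s in _STR_RE.findall(data))
    return {"pdb_paths": _PDB_RE.findall(text), "urls": _URL_RE.findall(text),
            "ipv4": sorted(set(_IPV4_RE.findall(text)))}


def triage(data: bytes, now: int) -> dict:
    """Run the post's static checks; `now` is the analysis time as a Unix timestamp."""
    timestamp, sections = parse_pe(data)
    sha256 = hashlib.sha256(data).hexdigest()
    report = {"sha256": sha256, "matches_known_good": sha256 in KNOWN_GOOD_SHA256,
              "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
              "compile_time_in_future": timestamp > now, "sections": {}, "flags": []}
    for name, raw in sections:
        ent, nulls = shannon_entropy(raw), (raw.count(0) / len(raw) if raw else 0.0)
        report["sections"][name] = {"size": len(raw), "entropy": round(ent, 2), "null_ratio": round(nulls, 2)}
        if ent > 7.0:  # compressed or encrypted data sits close to 8 bits per byte
            report["flags"].append(f"{name}: entropy {ent:.2f}, likely packed or encrypted")
    report.update(extract_indicators(data))
    if report["compile_time_in_future"]:
        report["flags"].append("compile timestamp lies in the future, probably forged")
    if not report["pdb_paths"]:
        report["flags"].append("no PDB path: debug information was stripped")
    return report


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Constructed toy PE (MZ stub, PE signature, COFF header, section table, raw data), not a real binary."""
    pe_off = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    dos += b"\0" * (pe_off - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    raw_ptr = pe_off + 24 + 40 * len(sections)  # first section body follows the section table
    table, bodies = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body),
                             raw_ptr + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += body
    return dos + b"PE\0\0" + coff + table + bodies


_rng = random.Random(7)
SAMPLE_PE = build_sample_pe(
    calendar.timegm((2030, 1, 1, 0, 0, 0)),  # forged: "compiled" in the future
    [(b".text", b"\x55\x8b\xec" * 64  # push ebp; mov ebp, esp prologue bytes, repeated as filler
      + b"C:\\Users\\dev\\Desktop\\dropper\\Release\\dropper.pdb\0"
      + b"http://203.0.113.10/update.bin\0" + b"\0" * 512),  # readable strings plus a run of nulls
     (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))],  # random bytes: entropy near 8
)
ANALYSIS_TIME = calendar.timegm((2021, 6, 1, 0, 0, 0))  # constructed "today", keeps the result stable


def analyze_sample() -> dict:
    return triage(SAMPLE_PE, ANALYSIS_TIME)
```

On a real sample you would call `triage(open(path, "rb").read(), int(time.time()))` and then send the hash, URLs and IP addresses from the report to VirusTotal by hand; the entropy threshold of 7.0 is a rule of thumb, since a large resource section of compressed images will trip it just as a packer does, so treat it as a pointer to look closer rather than a verdict.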
 
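The RegShot step in the post (snapshot before, snapshot after, then look at the startup branches) amounts to a diff of two key/value maps with a filter for persistence locations. The following is an added example, not from the post: it diffs two constructed snapshots of a clean VM and the same VM after a fictitious dropper has run (the `Updater` Run value, the `WinUpdSvc` service and the `svchost.exe` path under `AppData` are invented for the demonstration), and pulls the entries under Run, Winlogon, Services and Image File Execution Options to the top so the noise from ordinary Explorer use does not bury them.

```python
"""RegShot-style diff of two registry snapshots, with autostart locations pulled to the top."""
import copy

# Snapshot shape: {key path: {value name: data}}. Assumption: this is what a snapshot tool would
# emit; on the analysis VM it would be filled from winreg before and after running the sample.
PERSISTENCE_MARKERS = (
    r"\CurrentVersion\Run",            # Run, RunOnce, Policies\Explorer\Run
    r"\CurrentVersion\Winlogon",       # Shell, Userinit
    r"\CurrentControlSet\Services",    # new services and drivers
    r"\Image File Execution Options",  # debugger hijack
)


def is_persistence_key(key: str) -> bool:
    """True for registry keys that can start code on boot or logon."""
    return any(marker.upper() in key.upper() for marker in PERSISTENCE_MARKERS)


def diff_snapshots(before: dict, after: dict) -> dict:
    """Keys created/deleted, values added/deleted/changed, and the subset that lives in autostart keys."""
    report = {"keys_added": sorted(set(after) - set(before)),
              "keys_deleted": sorted(set(before) - set(after)),
              "values_added": [], "values_deleted": [], "values_changed": []}
    for key in sorted(after):
        old, new = before.get(key, {}), after[key]
        for name in sorted(new):
            if name not in old:
                report["values_added"].append((key, name, new[name]))
            elif old[name] != new[name]:
                report["values_changed"].append((key, name, old[name], new[name]))
    for key in sorted(before):
        for name in sorted(before[key]):
            if name not in after.get(key, {}):
                report["values_deleted"].append((key, name, before[key][name]))
    report["persistence_hits"] = [entry for entry in report["values_added"] + report["values_changed"]
                                  if is_persistence_key(entry[0])]
    return report


# Constructed snapshots: a clean VM, and the same VM after running a fictitious dropper.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RECENT = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
SERVICE = r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc"
DROPPED = r"C:\Users\dev\AppData\Roaming\Updater\svchost.exe"  # hypothetical dropped binary

BEFORE = {
    RUN: {"OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    WINLOGON: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    RECENT: {"MRUListEx": "00 00 00 00"},
}
AFTER = copy.deepcopy(BEFORE)
AFTER[RUN]["Updater"] = DROPPED                        # classic Run-key autostart
AFTER[WINLOGON]["Shell"] = "explorer.exe," + DROPPED   # Shell value hijack
AFTER[RECENT]["MRUListEx"] = "01 00 00 00"             # noise from normal Explorer use
AFTER[SERVICE] = {"ImagePath": DROPPED, "Start": "2"}  # new auto-start service


def analyze_sample() -> dict:
    return diff_snapshots(BEFORE, AFTER)


if __name__ == "__main__":
    for hit in analyze_sample()["persistence_hits"]:
        print(*hit, sep=" | ")
```

The marker list is deliberately short; a full triage would also watch the `RunServices`, `Explorer\Shell Folders` (Startup folder) and `Userinit` locations and any `ImagePath` that points into a user-writable directory, as the `svchost.exe` under `AppData` does here.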

Teacher

Malware Reverse Engineering

What Is Malware Reverse Engineering?
Reverse engineering malware is the process of taking a captured executable (a stand-alone executable or a library file, such as a DLL) and doing the computer equivalent of an MRI. You can exploit test conditions that may have been designed to make the malware appear benign under certain conditions.

Full course with video tutorials available at the link

Link: https://mega.nz/folder/HeojDIyb#tkYrLenpPZ5za7vMPFbdNg
 

Mutt

✳️ Top 3 Best Free Malware Removal Tools for Windows 10

Bitdefender Malware Removal Tool

It is the best malware removal tool that gives you additional security to shield your computer from any threats out there. Essentially, this software is fit for filtering every single document that might be harmful to your PC. In this way, Bitdefender encourages you to eliminate the malware that could damage your computer.

Adaware Antivirus Free Edition

This one is a little bit different compared to all others. It follows the IP based filtering system to block spam traffic. That means it scans the root file of the downloads and tells you beforehand whether the file has malware or not.

Malwarebytes Anti-Malware Tool

For those who don't know, Malwarebytes is right now the leading anti-malware tool available out there for computers/laptops. Millions of users use the malware removal tool to safeguard their computers against potential threats like malware, viruses, spyware, adware etc.

✅ Security is very important in the hacking field, so protect yourself from malware with these free programs

Keep supporting us❤️
 