
OMWINDOWS

OMPRAKASH SINGH PRASTE  



 

   'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.

        Malware is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.

 

Purpose of Malware

       Started as experiments or pranks, including the first Internet worm (the Morris worm of 1988).

       To steal protected information: personal, financial or business data.

       To disrupt the operation of a system, application or device.

       To monitor user activity.

       To make money, for example through fraud, extortion or the sale of stolen data.

       To damage the reputation of a company or individual.

Type of Malware

       Virus: Designed to self-replicate, attaching copies of itself to other files, programs, or computers. A virus needs a host file and usually some user action (opening a document, running a program) to spread. The expansion "Vital Information Resource Under Siege" that is sometimes quoted is a backronym, not the origin of the term.

       Trojan horse: Named after the wooden horse of Greek mythology, a Trojan horse is a non-replicating program that appears benign but has a hidden malicious purpose.

       Worm: A self-replicating, self-propagating program that is completely self-contained; it does not need a host program to infect a victim. Worms take advantage of known vulnerabilities and configuration weaknesses, such as unsecured Windows shares.

       Blended attack: Malware that uses multiple infection or transmission methods. The Nimda worm (2001) is the classic example: it spread by e-mail, through open Windows shares, and by infecting web servers and the clients that browsed them.

       Tracking cookies: A marketing firm can place advertisements on many web sites and use a single cookie on the user's machine to track the user's activity across all of those sites, building a detailed profile of the user's behaviour. Cookies used in this way are known as tracking cookies.

       Backdoor: A malicious program that listens for commands on a particular TCP or UDP port. It normally consists of a client component (the attacker's controller) and a server component (running on the victim), and can transfer files, harvest passwords, or execute arbitrary commands. Zombies (bots) and remote administration tools (RATs) are two common kinds of backdoor.

       Keystroke logger: Monitors and records keyboard input, which may include the contents of e-mails, usernames and passwords for local or remote systems and applications, and financial information (credit card numbers, social security numbers, PINs), and sends it to the attacker.

       Rootkit: Installed on a system to alter its standard functionality in a malicious and stealthy way. A rootkit may modify or replace files on disk, or reside only in memory and hook the OS's built-in system calls so that the malware's files, processes and connections are hidden from the tools that would normally reveal them.

       Exploit kit: A software package designed to run on a web server. It fingerprints the software of client machines that connect to it, identifies vulnerabilities, and exploits them to deliver and execute malicious code on the client.

       Packet sniffer: Monitors network traffic on wired or wireless networks and captures packets, which may expose credentials and other data sent in clear text.

       Port scanner: A program that attempts to determine remotely which ports on a system are open, and therefore which services are exposed.

       Vulnerability scanner: A program that looks for vulnerabilities on either the local system or on remote systems.
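Of the tools listed, the port scanner is the simplest to show in working code. The following is an added Python example, not code from the original page: a TCP connect scanner that probes a set of ports concurrently. The target is constructed for the demo (a throwaway listening socket on 127.0.0.1, plus a second port that is bound and released so it is known to be closed); the function names probe, scan, reserve_port and demo are chosen here.

```python
"""TCP connect port scanner, the kind of tool described above.

Constructed demo: it opens a throwaway listening socket on 127.0.0.1 so
the scan has one known-open port to find, plus one port known to be closed.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return True if a full TCP handshake to host:port succeeds.

    A connect() scan needs no raw sockets and works from any account, at the
    cost of being the noisiest technique: every open port it touches logs a
    completed connection on the target.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable, filtered
            return False


def scan(host, ports, workers=32, timeout=0.5):
    """Probe the given ports concurrently; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def reserve_port(host="127.0.0.1"):
    """Ask the OS for a free port on host and return (socket, port).

    The socket is bound but not yet listening; the caller decides whether to
    listen on it (an open port) or close it again (a closed port).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]


def demo(host="127.0.0.1"):
    """Scan a small window of ports around a constructed open/closed pair."""
    listener, open_port = reserve_port(host)
    listener.listen(16)          # the kernel completes handshakes without accept()
    spare, closed_port = reserve_port(host)
    spare.close()                # released again: connects here are refused
    try:
        window = sorted({open_port, closed_port} | set(range(open_port - 3, open_port + 4)))
        found = scan(host, window)
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"open {open_port}, closed {closed_port}, scan reported open: {found}")
```

The same completed handshake that tells the scanner a port is open also appears in the target's connection logs and in netstat output, which is why a burst of connections from one source across many ports is an easy thing to alert on. Only scan hosts you are authorised to test.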

Purpose of Malware Analysis

       To assess the damage from an intrusion.

       To discover indicators of compromise (IOCs) that reveal other machines infected with the same malware.

       To find the vulnerability that was exploited to get the malware onto the system in the first place.

       To identify the intruder responsible for it.

       To learn how it spreads.

       To work out how to prevent it from happening again.

 

Incident Response Process

Preparation - Establish policies and procedures that define who is responsible for responding to incidents, and make sure the tools, contacts and access the responders will need are in place before an incident occurs.

Identification - The Incident Response team determines whether an incident has actually occurred and what is causing it, using the triage steps described below.

Containment - The containment step of the Incident Handling Plan is when we begin to deal with the incident. It can be as simple as disconnecting the affected system from the network, or as involved as removing an infected server from the network and activating the corresponding disaster recovery plans. If forensic analysis is planned, capture volatile data (memory, running processes, network connections) before isolating or powering off the system, because that evidence is lost once the machine is shut down.

Eradication - Once the affected system(s) are identified and contained, the next step is to eliminate the infection. It could be as simple as installing or updating an anti-malware solution and running a scan, or as involved as manually removing registry entries or protected files. Where a rootkit is suspected, rebuilding the system from a known-good image is the only reliable option.

Recovery - The system is placed back in production and monitored for any signs of reinfection.

Lessons Learned - Document the incident: what happened, how it was detected, and what worked and what did not in handling it. Feed the findings back into the Preparation phase.


Triage Phase

       Check the status of the installed antivirus solution: is it running, are its signatures current, and has it been disabled or tampered with?

       Check for suspicious or unknown processes running on the system. (On Windows, Process Explorer and McAfee GetSusp are far more capable than Task Manager and can reveal processes that try to mask themselves as ordinary system processes; a process with a system name such as svchost.exe that runs from an unexpected path, or without its usual parent, deserves attention.)

       To determine the source of suspicious network connections, netstat (netstat -ano on Windows, which shows the owning process ID) and Process Monitor are an excellent combination to help track down malware that is attempting to "call home" or to spread.

       Once the suspicious file has been located on disk, check it against multiple anti-malware engines on VirusTotal. Look up its hash first; uploading the file itself shares it with other VirusTotal users, which may be undesirable if the sample is targeted or contains sensitive data.

       Check how widespread the detected malware or behaviour is reported to be on the internet, to understand whether you are dealing with a commodity infection or something targeted.

       Review security event logs to identify suspicious activities such as repeated failed access attempts.

       Look at DNS logs to identify internal systems that attempt to resolve known malicious domain names.

       System Configuration Utility (msconfig) - The easy way to find out where processes are started from is the System Configuration utility. On Windows 8 and later the Startup tab has moved to Task Manager, and Sysinternals Autoruns gives a far more complete view of autostart locations.

       Services - Bring up the services list from Computer Management, by typing services.msc in the Run dialog box, or by searching for "services" in the Start menu, and look for services with unfamiliar names, odd descriptions, or executables in unusual paths.
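Three of the checks in the list above (processes masquerading as system binaries, repeated failed access attempts in the Security log, and DNS lookups of known-bad names) can be scripted once the data has been exported from the host. The following is an added Python example, not code from the original page. The process listing, Security log lines, DNS log lines and the bad-domain list are all constructed for it; event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security event IDs, and the paths in EXPECTED_PATHS are an assumed baseline for a default Windows installation.

```python
"""Host triage over constructed evidence (added example).

Three checks from the triage list, run on inline sample data:
  1. processes whose image path does not match the Windows binary they
     are named after (masquerading),
  2. bursts of failed logons (Windows Security event 4625) per account,
  3. DNS queries for domains on a known-bad list.
All sample data below is constructed for the example.
"""
from collections import Counter, defaultdict

# Assumed baseline: where these Windows system binaries normally live.
# A copy of svchost.exe under a user profile is a classic masquerade.
EXPECTED_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}

# Constructed process listing: (pid, image name, full path)
PROCESSES = [
    (624, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (1120, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (4412, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (5020, "explorer.exe", r"C:\Windows\explorer.exe"),
]

# Constructed Security log lines: date, time, event id, account, source IP
SECURITY_LOG = """\
2019-03-04 09:00:01 4625 alice 10.0.0.8
2019-03-04 09:00:03 4625 alice 10.0.0.8
2019-03-04 09:00:04 4625 alice 10.0.0.8
2019-03-04 09:00:06 4625 alice 10.0.0.8
2019-03-04 09:00:07 4625 alice 10.0.0.8
2019-03-04 09:00:09 4624 alice 10.0.0.8
2019-03-04 09:15:22 4625 bob 10.0.0.9
"""

# Constructed DNS query log lines: date, time, client IP, queried name
DNS_LOG = """\
2019-03-04 09:01:10 10.0.0.8 www.microsoft.com
2019-03-04 09:01:12 10.0.0.8 update.evil-c2.example
2019-03-04 09:01:40 10.0.0.9 mail.example.org
2019-03-04 09:02:01 10.0.0.15 cdn.evil-c2.example
"""

# Constructed threat intel: domains (and their subdomains) to alert on
BAD_DOMAINS = {"evil-c2.example"}


def masquerading_processes(processes, expected=EXPECTED_PATHS):
    """Return (pid, path) for processes running from an unexpected location."""
    hits = []
    for pid, name, path in processes:
        want = expected.get(name.lower())
        if want and path.lower() != want:
            hits.append((pid, path))
    return hits


def failed_logon_bursts(log, threshold=5):
    """Accounts with at least `threshold` failed logons (4625), with sources."""
    counts = Counter()
    sources = defaultdict(set)
    for line in log.splitlines():
        _date, _time, event_id, account, src = line.split()
        if event_id == "4625":
            counts[account] += 1
            sources[account].add(src)
    return {a: (n, sorted(sources[a])) for a, n in counts.items() if n >= threshold}


def in_bad_domain(name, bad=BAD_DOMAINS):
    """True if name equals, or is a subdomain of, a listed domain."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad for i in range(len(labels)))


def clients_resolving_bad_domains(log):
    """Map each internal client to the bad names it asked the resolver for."""
    hits = defaultdict(set)
    for line in log.splitlines():
        _date, _time, client, name = line.split()
        if in_bad_domain(name):
            hits[client].add(name.lower())
    return {c: sorted(n) for c, n in hits.items()}


if __name__ == "__main__":
    print("masquerading:", masquerading_processes(PROCESSES))
    print("logon bursts:", failed_logon_bursts(SECURITY_LOG))
    print("bad DNS:", clients_resolving_bad_domains(DNS_LOG))
```

On a live host the same functions can be fed from tasklist or Get-Process output, a Security log exported with wevtutil, and the DNS server's query log; the failed-logon threshold and the bad-domain list are the tuning knobs. Matching on domain suffixes rather than exact names matters because command-and-control infrastructure usually rotates hostnames under one registered domain.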