Social Icons

Showing posts with label trojan. Show all posts
Showing posts with label trojan. Show all posts

Sunday, September 20, 2015

Online Malware Analysis Tools : Listed with links

1.   Typically analyzing malware requires a great deal of knowledge in computers and expects basic knowledge of terminal commands,configuring the tool correct and right usage of advanced tools. As seen in my last post about Cuckoo usage and configuration,it is actually complex and confusing at times,now what if one can use Cuckoo without doing anything like that..no installation,no configuration,no testing and bugging...one can directly use Cuckoo directly for a sample file analysis.As we realize the power online tools,its becomes actually easier for anyone to analyze a file’s behavior by simply uploading the file to the free on-line services for automated analysis and review the detailed and yet easy to understand report.This way not only the analyst gets a quick report and analysis but more importantly he gets a variety of reports which can be compared and analyzed further leading to expedited pace of understanding and clarity of the malware architecture and working.Here I list out my choices of best on-line file/malware analyzers that can be used for free with address and screenshots of sample usage....

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. 


3.   Wepawet at http://wepawet.iseclab.org/

Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files.But the upload size of the file is limited to 2 Mb and below.

4.   IObit Cloud at http://cloud.iobit.com/

IObit Cloud is an advanced automated threat analysis system. It uses the latest Cloud Computing technology and Heuristic Analyzing mechanic to analyze the behavior of spyware, adware, trojans, keyloggers, bots, worms, hijackers and other security-related risks in a fully automated mode


5.   Comodo Instant Malware Analysis at http://camas.comodo.com/

Comodo Instant Malware Analysis is one of the easier to use and understand online sandbox service wherein no submission form is required nor an email address nor solving a CAPTCHA code. Simply browse the file that you want to analyze in Comodo sandbox, tick the box to agree with their terms and click the Upload file button. The file will then be analyzed in real time and the report page will continuously refresh by itself until the analysis has been completed.




6.     ViCheck at https://vicheck.ca/

Vicheck.ca is an advanced malware detection engine designed to decrypt and extract malicious executables from common document formats such as MS Office Word, Powerpoint, Excel, Access, or Adobe PDF documents. ViCheck will detect the majority of embedded executables in documents as well as common exploits which download malware from the internet.ViCheck is a free service designed to help the public detect new sophisticated malware which is often difficult to detect with common commercial anti-virus programs.


  7.   Anubis at https://anubis.iseclab.org/

Anubis is another popular online service to analyze unknown Windows executable files. Four report formats (HTML, XML, PDF and Text) are available to download once the analysis has been complete.



8.   GFI Threattrack at http://www.threattracksecurity.com/

GFI SandBox is meant for OEM or cloud providers and fortunately they’ve created a webpage that offers free analysis called ThreatTrack which uses their sandbox technology. ThreatTrack supports analyzing any Windows executable file, office documents, PDF files and even flash ads that is mostly not accepted by other online sandboxes.


 9.   Joe sandbox cloud at https://www.file-analyzer.net/

Joe Sandbox is the automated malware analysis system which implements any state of the art program analysis technology from coarse to fine grained including dynamic, static and hybrid. Joe Sandbox’s analysis spectrum enables to discover any behavior including hidden or obfuscated parts.


10.   EUREKA:An Automated Malware Binary Analysis Service at http://eureka.cyber-ta.org/

Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic.


11.   XecScan   at http://scan.xecure-lab.com/

The Xecure Lab Scanner (XecScan) gives the security community and general public on-demand analysis of any suspicious document file where no installation or registration is required to enjoy the service. Though it’s free, XecScan is capable of finding advanced malware, zero-day, and targeted APT attacks embedded in common file formats.

12.    Malwr at https://malwr.com/submission/ [Based on Cuckoo]

Malwr is a free malware analysis service and community launched in January 2011. One can submit files to it and receive the results of a complete dynamic analysis back.Malwr is operated by volunteer security professionals with the exclusive intent to help the community. It's not associated or influenced by any commercial or government organization of any sort.Malwr is mainly based on an open source malware analysis tool called Cuckoo Sandbox as explained in my last post at http://anupriti.blogspot.in/2015/09/cuckoo-sandboxautomatic-malware.html



In fact as you google,you will find thousands of links and websites offering free online malware analysis but one has to be careful too while submitting any file to such sites.......so happy analyzing for now.....

Monday, May 04, 2015

Hardware Trojans : Do we have a Solution or Clue to resolve?

1.    IT Security is an ever interesting field and those passionate about this field will always find surplus to read about so many happening things in the field.In the already chaotic environs of Cyber Security there comes another GIGANTIC issue...by the name of HARDWARE TROJANS and I use this word Gigantic not just to reflect my reaction on the subject...but for any first time reader on the subject this will be a huge issue in times to come and is already in for majors.The issue is yet unattended because no one has clue where to detect,how to detect and what to do to resolve?

2.   Electronic systems have proliferated over the past few decades to the point that most aspects of daily life are aided or affected by the automation, control, monitoring, or computational power provided by Integrated Circuits (ICs). The ability to trust these ICs to perform their specified operation (and only their specified operation) has always been a security concern and has recently become a more active topic of research. Without trust in these ICs, the systems they support cannot necessarily be trusted to perform as specified and may even be susceptible to attack by a malicious adversary.A new disruptive threat has surfaced over the past five years  , a hardware-based security threat known as the Hardware Trojan.Hardware Trojans are intentional,malicious modifications to electronic circuitry designed to disrupt operation or compromise security including circuitry added into Integrated Circuits (ICs). These ICs underpin the information infrastructure of many critical sectors including the financial, military, and industrial sectors.Consequently, hardware trojans pose a security risk to organisations due to the broad attack surface and specific organisations’ reliance on ICT infrastructure. Hardware trojans can be difficult to prevent and even more difficult to detect. Most of the current security protection mechanisms implicitly trust the hardware, allowing hardware trojans to bypass software or firmware security measures .Hardware trojans inserted during fabrication or design stages can become widely dispersed within an organisation and pose a systemic threat.

3.   Hardware Trojans are usually composed of a Trigger and a Payload.The trigger is the activation mechanism and the payload generates the effect. Prior to triggering, a hardware trojan lies dormant without interfering with the operation of any electronics.The trigger mechanism for our network hardware trojan is based on a communication channel in network packet timing, while the payload is an adjustable degradation level of the ethernet channel through noise injection into the ethernet controller’s clock.
4.  The ease with which Hardware Trojans can make their way into modern ICs and electronic designs is concerning. Modifications to hardware can occur at any stage during the design and manufacturing process, including the specification, design, verification and manufacturing stages. Hardware Trojans may even be retro-fitted to existing ICs post manufacture.

5.   With above as a preview it makes any one wonder upto what extents would one require to go for a 100 % secure IT attribute.Imagine the risk stake this would put on a typical country who is entirely dependent on global vendors for its own Defence and Consumer goods....or for that matter even developing countries would feel the pinch....no clue as to where to start from...or even if a frame work is desired to setup a standard for controlling this menace it would be prudent to only get dependent off shores since in most of the cases expertise would not exist only.......

Thanks to these two papers for giving me an over view on the subject.

Hardware Trojans – A Systemic Threat by John Shield, Bradley Hopkins, Mark Beaumont, Chris North

Hardware Trojans – Prevention, Detection,Countermeasures by Mark Beaumont, Bradley Hopkins and Tristan Newby

Tuesday, December 09, 2014

DeathRing: Non-removable Pre-installed Malware@Androids

The smart-phones penetration in our country and for that matter any country has been seeing explosion like never before...from cheap mobiles with luring specs to high end smart-phones by Apple,Samsung,Sony etc.The growing and already a subject matter of concern in IT ie SECURITY is majoring as a serious threat in the mobile world too...like the Microsoft b70 case few years back(click here for details)....As evidenced by the latest pre-loaded malware identified called DeathRing that’s  a Chinese Trojan that is pre-installed on a number of smart-phones most popular in Asian and African countries.
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)

Tuesday, January 31, 2012

BACTERIA in COMPUTERS

1.  I had heard for so long about Virus'es,worms,trojans................but never heard and read about BACTERIA till recently.....even googled...could not find much except at http://docstore.mik.ua/orelly/networking/

2. Few points about BACTERIA :


- Makes copies of themselves to overwhelm a computer system's resources.

- Also known as rabbits, are programs that do not explicitly damage any files.

- Sole purpose is to replicate themselves.

- May do nothing more than execute two copies of itself simultaneously both of which may copy themselves twice, and so on.

- Reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying the user access to those resources.

- One of the oldest forms of programmed threats.

Sunday, October 30, 2011

DUQU : FROM THE GEN STUXNET????


1.  Do u remember the gr8 STUXNET...who hit the cyber theatres about a year back?....i call it gr8 since that was the first piece of trojan which the experts called with words like marvelous,the world's first 'open source weapon'.....the code which shocked the experts...though it was meant to target Siemens industrial software and equipment running Microsoft Windows....but the percentage affected was enough to do the early damage and show the trailor of what  can come ahead....now comes another in the offering which Researchers from Symantec say is likely written by the same authors and based on the same code.This is known as DUQU.....also coming to be known as “Son of Stuxnet” and a “precursor to a future Stuxnet-like attack.”

2. But another analyses by security researchers from Dell suggest Duqu and Stuxnet may not be closely related after all. That’s not to say Duqu isn’t serious, as attacks have been reported in Sudan and Iran. But Duqu may be an entirely new breed, with an ultimate objective that is still unknown.“Both Duqu and Stuxnet are highly complex programs with multiple components,” Dell says. “All of the similarities from a software point of view are in the ‘injection’ component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. 

3. The security vendor Bitdefender has also cast doubt on the supposed Duqu/Stuxnet link in its Malwarecity blog. “We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010, for a number of reasons,” BitDefender’s Bogdan Botezatu writes. While a rootkit driver used in Duqu is similar to one identified in Stuxnet, that doesn’t mean it’s based on the Stuxnet source code.

4. Now till date,DUQU was reportedly seen infecting machines in and around IRAN......but now the Symantec version reported is that a server machine in aamchi Mumbai is effected by this new VIRUS!!!!!!!Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat. Two workers at a web-hosting company called Web Werks told Reuters that officials from India's Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu. 

5. So DUQU is here in INDIA.......and I m sure with the high percentage of pirated software users in India....we r the most vulnerable to such kinds of threat.....be updated...buy genuine....keep taking updates to avoid being EXPLOITED by EXPLOITS..................

Monday, June 13, 2011

SYMANTEC SPOTS ONE INTERESTING E-MAIL CAMPAIGN


1. A fresh spam outbreak has been detected online that's drawing attention widely and effects users with e-mails laced with malicious software. Reportedly, there's one web-link embedded in the spam messages supposedly providing details, while the same messages try to pull down a .zip file attachment.The interesting aspect regarding the new spam mail relates to the inclusion of a password that the recipient earlier used.Now if I see a passowrd which at one point of my cyber surfing I had used it is bound to stirr up doubts of it being actually genuine.Once i donwload this zip file ,the eventual aim is achieved ie downloading the inevitably malware.

2. Reportedly, the malware as mentioned above has been identified as Trojan.Zbot or Zeus a Trojan which tries to grab secret data after compromising an end-user's PC. Further, it may take down updates and configuration files online, according to Symantec.

3. Additionally the e-mail ids and their corresponding passwords within the above unsolicited electronic mails, arrive from one prominent social gaming website, known internationally and currently being most widespread inside Asia.

4. Hence, Symantec advises all those who think they've fallen prey to compromised accounts to scan their PCs with an AV program followed with resetting all vital passwords, particularly online banking passwords. Additionally, they must also keep a watch over their accounts should they suspect any fraudulent operation.

Sunday, February 06, 2011

Win32.Hlux : January 2011 " King of worms"


1.   Email-Worm.Win32.Hlux was talk of the E-town in January across the webosphere. This mail worm spreads via emails containing malicious links that prompt users to install a bogus Flash Player, supposedly to view an e-card. The link leads to a dialog window that asks if the user agrees to download a file. Irrespective of the response, the worm sets about to penetrate the system. In addition to propagating via email, Hlux also has bot functionality and adds infected computers to a botnet before connecting to its command center and executing its commands, which are primarily directed at sending pharmaceutical spam.

2.   Kaspersky Lab also detected a Trojan dropper masquerading as a key generator for the company's products. The old adage "There's no such thing as a free lunch" is particularly fitting here as the dropper goes on to install and launch two malicious programs. One of them steals program registration data and passwords for online games. The second is a backdoor that also has keylogger functionality.

3.   Kaspersky Lab also found the mass distribution of malicious short links on Twitter. After a number of redirects, the attention-grabbing links led users to a page promoting a rogue AV program.

4.   Apart from these two hardworkers(?????..i mean mal hardworkers) in january,the other shining star in the E-crime world is AdWare.Win32.WhiteSmoke.a which if clicked, will download a program that demands payment to rectify errors it supposedly detects on the system.

5.   More detailed report on http://www.kaspersky.com

Saturday, September 18, 2010

Root Kits : Hidden Undetected Threats

1. Malwares,trojans,adwares,spywares,virus,wormwares etc etc....protection vide Internet security editions by so many OEMs...and now rootkits(its not actually a recent development....)...has been in the threat making for about 10-12 years..but now the term is getting serious....so what actually are rootkits?


2. Rootkit is the term given to a group of utilities that hackers can misrepresent to keep access into a computer system once they have hacked into it. It gives them admission rights to find out usernames and passwords, allow strike against remote systems, remain hidden by erasing history from the system logs, and overabundance of various surreptitious tools.Rootkit is a combination of two words, “root” and “kit”. Root means supreme & Kit means a group of programs or utilities providing access to a user to retain a constant root-level contact to a terminal. The presence of rootkit ideally remains untraceable.

3. So more simply,they are a set of programs that can hide not only themselves but also other viruses, spyware, keyloggers and network traffic from normal antivirus and spyware removal software! Yes, a rootkit can infect your computer and take full control of it! You look inside a folder which contains rootkit files but you will see nothing. Why? Because the rootkit has told it to tell the user there are no files here. That is why, they are so dangerous and hard to detect......

4. BlackLight,RKDetector 2.0,RootkitBuster 1.6,RootkitRevealer 1.71 & Rootkit Unhooker 3.0A are few of the rootkit removal tools available...google for further details

Friday, August 13, 2010

TROJANs & BANK: Another story

1. Hard working hackers have recieved more then 700,000 pounds from thousands of bank accounts in Britain using a malicious software which claimants say is the deadliest,brutaliest(whats this???)trojan attack ever seen....

2. More then 4,000 online banking customers have found themselves as unwanted customers of this deal by hackers which empties their accounts while showing them fake statements so the crime goes undetected.This trojan is being termed and guessed as a variant of the Zeus trojan banking virus called Zeus v3. This is capable of collecting data such as passwords and even transfers money out of accounts automatically.

3. Beware ...nothing of this scale has happened till date in INDIA...why....because poor dont have much money and the rich keep and talk cash

Thursday, February 18, 2010

SVCHOST.EXE vs SCVHOST.EXE

1. Two approximately similar names but with poles apart function and reason to exist.If ever you have tried cleaning or accessing an infected pen drive you must have come across these names in the file names list.I would just try and make the difference clear in brief below.

2. SCVHOST.EXE is a process which is registered as W32/Agobot-S virus. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

3. SVCHOST.EXE is located in the System32 folder and is an built-in part of Windows OS. It cannot be stopped or restarted manually. This process manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe session can contain a grouping of services, so that many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

4. I hope this amply makes the difference clear
Powered By Blogger