Malwares Demystified and Simplified

Everything you need to know about malwares.

Get Started. It's Free
or sign up with your email address
Rocket clouds
Malwares Demystified and Simplified by Mind Map: Malwares Demystified and Simplified

1. Detection, Prevention & Response

1.1. AV/Firewall/OS regularly updated & patched

1.1.1. Anti- Virus

1.1.1.1. Les différentes détections ajoutées sont mentionnés par une suite de lettre ou des chiffres. ou bien la taille du fichier

1.1.1.2. Antivirus Naming Scheme

1.1.1.2.1. Exploit.HTML

1.1.1.2.2. Exploit.PDF

1.1.1.2.3. Exploit.SWF

1.1.1.2.4. IM-Worm.xxx Vers se propage par messagerie instannée.

1.1.1.2.5. HTML.IFrame

1.1.1.2.6. Sdbot / Rbot / Spybot : : Désigne un type de malware se propageant via des failles systèmes à distance RPC etc. (comme le faisait Blaster dans le temps).

1.1.1.2.7. Trojan-Spy.Win32.Banker

1.1.1.2.8. Trojan.DNSChanger

1.1.1.2.9. Trojan.Clicker

1.1.1.2.10. Trojan.Downloader

1.1.1.2.11. Trojan.Delf

1.1.1.2.12. Trojan.Dropper

1.1.1.2.13. Trojan.FakeAV

1.1.1.2.14. Trojan.Inject

1.1.1.2.15. Trojan.RogueSecurity

1.1.1.2.16. Trojan.PWS

1.1.1.2.17. Trojan.Small

1.1.1.2.18. Trojan.Tiny

1.1.1.2.19. Trojan.VB

1.1.1.2.20. Trojan.WinUnlock

1.1.1.2.21. Worms.Autorun

1.2. DMZ/Restrictions

1.3. Antis

1.3.1. Spam

1.3.2. Fishing

1.4. Honeywall

1.4.1. is a proof of concept of network security hardware device capable of translate and forward packets. Designed for high availability, Honeywall is able to provide load balancing and anti flooding. Unlike a firewall, it does not block packets. Features Building — All you need to deploy centralized services on remote Honeywalls. Managing — Create and allow administrators to manage system on the fly. Monitoring — Open source hypervisor technology over network.

1.5. IDPS

1.5.1. Network-based intrusion prevention (NIPS):

1.5.2. Wireless intrusion prevention systems (WIPS):

1.5.3. Network behavior analysis (NBA):

1.5.4. Host-based intrusion prevention (HIPS):

1.5.5. Rate-based intrusion prevention systems implemebted with specialized hardware

1.5.6. Global Correlated

1.5.7. Anomaly based detection systems

1.6. Application Execution Blockers

1.7. Web/email filtering

1.8. DNS Revooked

1.9. Education/Research/Social awareness about online security & privacy trends

1.10. Following the best practices for managing and using online host

1.11. Reword for reporting/Information exchange

1.12. Nullrouting DNS Entries

1.13. Greylisting (anti-smap)

1.14. Traffic Control (Firewalls, NAC, Proxis)

1.15. Detection

1.15.1. Traffic Monitoring

1.15.1.1. Signature Based Detection

1.15.1.2. Anomaly Based Detection

1.15.1.3. DNS Based Detection

1.15.1.4. Data Mining Based Detection

1.15.2. Anti-Malware Software

1.16. Tracking

1.16.1. Honeypot

1.16.1.1. Malware Collection

1.16.1.2. Vulnerability Emulation

1.16.2. Sandbox

1.16.3. Infiltration

1.17. Mitigation

1.17.1. Security Researchers

1.17.2. ISP, Domain registrars

1.17.3. Law Inforcement

1.17.4. (Collaboration and Cooperation)

1.18. How do botnets get taken down?

1.18.1. ● Common methods include ● Hosting provider de-peered – ● Example: McColo, Troyak Server hosting botnet cleans up/kicks off – Public IRC servers, free web hosting ● Compromised host cleaned up/rebuilt ● DNS Revoked ● IP of C&C server banned – Because Metus pwnz and I open a port on my router at home just like the tutorial told me!

1.19. New node

1.20. detection methods

1.21. Advanced Response

1.22. Roadmap to Botnet Prevention

1.23. You’ve detected it, now what?

1.23.1.  Begin incident response  Treat it like a virus infection  First priority is removal of malware  If possible, determine how it got on  This will help prevent further infections  Prevent it from happening again  Patch, user awareness, etc.

1.24. Why should you care?

1.25. High level of activity by botmaster makes them easier to detect than their bots

1.26. Network signatures can becreated without malware analysis, but signatures created with the help of malware analysis are usually far more effective, offering a higher detection rate and fewer false positives.

1.27. Hunting the ecosystem

1.27.1. Education

1.27.1.1. Computer Security Basics

1.27.1.1.1. Antivirus Update

1.27.1.1.2. Apply vendors Security updates

1.27.1.1.3. Relatively efficient

1.27.1.2. Good Usage of IT

1.27.1.2.1. Do not click on everything !

1.27.1.2.2. Avoid suspicisous sites

1.27.1.2.3. Only use legal software and licenses

1.27.1.2.4. No illegal download of MP3, DivX

1.27.1.2.5. Stop believing everyobody wants to give you money !

1.27.1.2.6. Merely useless: humans will be humans

1.27.2. Laws

1.27.2.1. Financial

1.27.2.1.1. Common laws against crime money

1.27.2.1.2. Increses risks and reduce interest for criminals

1.27.2.1.3. Falls into organized crime prevention methods

1.27.2.1.4. Efficient for 'big' business not for 10.000$ exploits

1.27.2.2. IT Specefic

1.27.2.2.1. Illegal behavior repression

1.27.2.2.2. Prevention of ressearch

1.27.3. Technologies

1.27.4. Preventing technologies

1.28. Defending against Bots & Botnets

1.28.1. Home User: Prevention

1.28.2. Home User: Detection

1.28.3. Home User: Response

1.28.4. Sys-Admin: Prevention

1.28.5. Sys-Admin: Detection

1.28.6. Sys-Admin: Response

1.29. Botnets are moviong targets

1.30. No technique is perfect

1.31. All networks are not the same

2. Malware Taxonomy and Evolution

2.1. Remote Access Tools

2.1.1. Cybergate

2.1.2. Bifrost

2.1.3. DarkComet

2.1.4. ProRAT

2.1.5. Sub7

2.1.6. Permanent Connexion Between the Client and each server

2.1.7. Commun Features

2.1.7.1. File Manager

2.1.7.2. KeyLogger

2.1.7.3. Cam Capture

2.1.7.4. Reverse Shell

2.2. Auto-Routers

2.3. Botnets

2.3.1. Architecture

2.3.1.1. Centralized

2.3.1.1.1. IRC-Based

2.3.1.1.2. HTTP/HTTPs-Based

2.3.1.1.3. VoIP-Based

2.3.1.1.4. SMS-Based in Mobiles

2.3.1.1.5. Propriety channels

2.3.1.2. Decentralized

2.3.1.2.1. P2P-Based

2.3.1.2.2. Different Types

2.3.1.3. Randomized (Hybrid or Mix)

2.3.1.3.1. Commnication betwwen the bot client and C&C server using HTTP

2.3.1.3.2. Communication betwwen bots using TCP or encrypted ICMP

2.3.1.3.3. Command transmission using P2P

2.3.1.3.4. The detection of a single bot would never compromise the full botnet

2.3.1.3.5. The message latency would be exteremely high, with no gurantee of delivery

2.3.1.4. Cutsom

2.3.1.4.1. TCP / IP

2.3.1.5. Classification can be done: Based on the architecture of the botnet OR its communication protocols with the bots.

2.3.2. Internal Strucutre

2.3.2.1. Monolithic

2.3.2.1.1. Coherent, all features in one binary

2.3.2.1.2. Evolution may not be trivial

2.3.2.1.3. Kaiten, SDBot, Spybot

2.3.2.2. Modular

2.3.2.2.1. Evolution voluntarily made easy

2.3.2.2.2. Choice of appropriate language (C++)

2.3.2.2.3. AgoBot

2.3.2.3. Barnum

2.3.2.3.1. Set of heterogenous scripts

2.3.2.3.2. Often relies on local interpreters

2.3.2.3.3. PHP Bots, GTBot

2.3.3. Lifecycle

2.3.3.1. Spread/Propagation Phase

2.3.3.2. Activation

2.3.3.2.1. I'm active, you can take control of me !

2.3.3.3. Update

2.3.3.3.1. Add new features

2.3.3.4. Auto-Protection

2.3.3.4.1. Code Mutation / Self-Modifying Code

2.3.3.4.2. Bypass and Block or Kill AntiVirus / Firewalls

2.3.3.4.3. Managed crypting services

2.3.3.4.4. System Hardening

2.3.3.4.5. System FIle Protection Hiding

2.3.3.4.6. DDNS - Dynamic DNS Domain Name (Fast Fluxing)

2.3.3.4.7. Quality Assurance

2.3.3.4.8. Server side polymorphism

2.3.3.4.9. File Extension Manipulation / Double Extention

2.3.3.4.10. Rallying mechanisms

2.3.3.4.11. Modification du système (changeùment de regle de filtrage réseau, désactivation d'outils de sécurité.

2.3.3.5. Action

2.3.3.5.1. Attack

2.3.3.5.2. Spam

2.3.4. Motivation

2.3.4.1. Financial Gain

2.3.4.1.1. Whos has the most of Bots ?

2.3.4.1.2. The most resilient ?

2.3.4.1.3. How easy is-it to control it ?

2.3.4.1.4. The highest overall bandwith ?

2.3.4.1.5. The most high quality infected machine ?

2.3.4.2. Ideological

2.3.4.2.1. Retorsion

2.3.4.2.2. Counter-Attack

2.3.4.2.3. Challenge

2.3.4.3. Personal

2.3.4.3.1. Blackmail

2.3.4.3.2. Extortion

2.3.5. Taxonomy & Evolution

2.3.5.1. 1999

2.3.5.1.1. Sub7 / PrettyPark

2.3.5.2. 2000

2.3.5.2.1. GTbot

2.3.5.3. 2002

2.3.5.3.1. SDBot

2.3.5.3.2. AgoBot

2.3.5.4. 2003

2.3.5.4.1. SpyBot

2.3.5.4.2. rBot

2.3.5.4.3. Sinit

2.3.5.4.4. PolyBot

2.3.5.4.5. Bagle

2.3.5.4.6. Bobax

2.3.5.4.7. SoBig

2.3.5.4.8. MyTob

2.3.5.5. 2004

2.3.5.5.1. PhatBot

2.3.5.6. 2006

2.3.5.6.1. Rustock

2.3.5.6.2. ZeuS

2.3.5.7. 2007

2.3.5.7.1. Storm

2.3.5.7.2. Cutwail

2.3.5.7.3. Srizbi

2.3.5.8. 2008

2.3.5.8.1. Mega-D

2.3.5.8.2. Koobface

2.3.5.8.3. Conficker

2.3.5.8.4. ASprox

2.3.5.9. 2009

2.3.5.9.1. BredoLab

2.3.5.9.2. Waledac

2.3.5.10. 2010

2.3.5.10.1. TDSS

2.3.5.11. Armageddon

2.3.5.12. Artro

2.3.5.13. Aurora

2.3.5.14. BlackEnergy

2.3.5.15. Carberp

2.3.5.16. ClickBot

2.3.5.17. DSNX Bots

2.3.5.18. Donbot

2.3.5.19. DopeBot

2.3.5.20. EggDrop

2.3.5.20.1. 1993

2.3.5.20.2. IRC-Based

2.3.5.21. Festi

2.3.5.22. Forbot

2.3.5.23. Gaobot

2.3.5.24. Gheg

2.3.5.25. Gozi

2.3.5.26. Grum

2.3.5.26.1. Tedroo

2.3.5.27. Hodprot

2.3.5.28. Kaiten

2.3.5.29. Kelihos

2.3.5.30. Kraken

2.3.5.31. Lurk

2.3.5.32. Lethic

2.3.5.33. Maazben

2.3.5.34. MayDay

2.3.5.35. NuCrypt

2.3.5.36. Perl Based bots

2.3.5.37. Phatbot

2.3.5.38. Ponmocup

2.3.5.39. Q8 Bots

2.3.5.40. Qhost

2.3.5.41. Sality

2.3.5.42. Shiz

2.3.5.43. Spamthru

2.3.5.44. Spy.Ranbyus

2.3.5.45. SpyEye

2.3.5.46. SpyRanbus

2.3.5.47. Waledac

2.3.5.48. Xarvester

2.3.5.49. XtremBot

2.3.5.50. odprot

2.3.5.51. Pony

2.3.5.52. Andromeda

2.3.6. Terminology

2.3.6.1. Bot Master

2.3.6.2. Bot

2.3.6.3. Botnet Army

2.3.6.4. Bot Binary

2.3.6.5. Command and Control

2.3.6.5.1. C&C Channel

2.3.6.5.2. C&C Server

2.3.6.5.3. C&C Infrastructure

2.3.7. Topology

2.3.7.1. Star

2.3.7.2. Multi-server

2.3.7.3. Hierrarchical

2.3.7.4. Random

2.3.8. Usage

2.3.8.1. Legetimate

2.3.8.1.1. Web crawler

2.3.8.1.2. Game Managing

2.3.8.1.3. Managing Databases

2.3.8.1.4. Maintaining access lists

2.3.8.1.5. Protect Channel, Carry out Conversations

2.3.8.2. Malicious

2.3.8.2.1. BitCoin

2.3.8.2.2. Log Keystores

2.3.8.2.3. Sniffing Traffic

2.3.8.2.4. Online Fraud

2.3.8.2.5. Host Illegal Data

2.3.8.2.6. Spam/Spamdexing

2.3.8.2.7. Information Theft

2.3.8.2.8. Source Code Infection

2.3.8.2.9. Spread new malwares

2.3.8.2.10. Disabling Existing Security

2.3.8.2.11. Selling infected Computers

2.3.8.2.12. Access Number Replacement

2.3.8.2.13. Manipulating Online Polls/Games

2.3.8.2.14. DDoS (Distributed Denial of Service)

2.3.8.2.15. Buy/Rent out the service of the bot to third parties

2.3.8.2.16. Trade Bandwidth of high speed bots / Sale of Traffic

2.3.8.2.17. Act as a proxy server to conceal the attacker's identity / provide anonymity

2.3.8.2.18. Brute-forcing Remote Machines/Distributed Password Cracking (Computing Power / Scurmping)

2.3.8.2.19. Gov CYber aTTACK

2.3.8.2.20. Sold on the black market !

2.3.8.2.21. Result

2.4. Browser Hijackers

2.4.1. SpamBot

2.4.2. ClickBot

2.4.3. Browser Helper Object Malicious Plugins

2.5. Dialers

2.6. Downloaders

2.7. Droppers

2.7.1. Injectors

2.8. Exploits

2.8.1. Exploit Kits

2.9. Flooders

2.10. Germs

2.11. HackTool/RiskTool

2.12. Hoaxes: Chain Letters

2.13. Joke Programs

2.14. Kits (Virus Generators)

2.15. Logic Bombs

2.16. Potential Unwanted Program

2.16.1. Installing via

2.16.1.1. Web Banners

2.16.1.2. Google Sponsored Links

2.16.1.3. Fake VLC/Activix Plugins

2.16.1.3.1. VLC Plugins in Steaming

2.16.2. How it works ?

2.16.2.1. SMS Rip-Off

2.16.2.2. Repack GNU Free Software

2.16.2.2.1. Add Affiliate Program (Toolbars)

2.16.3. To Clean

2.16.3.1. HijackThis

2.16.3.1.1. Submit Report to PPoint

2.16.3.2. Configure your AV to block PUP

2.16.3.3. AdwCleaner

2.16.4. Some examples

2.16.4.1. Babylon Toolbar

2.16.4.2. Boxore

2.16.4.3. Complitly

2.16.4.4. Ezlooker

2.16.4.5. Eorezo

2.16.4.6. Incredimail Toolbar

2.16.4.7. SweetIM / SweetPack

2.16.4.8. Searchqu / Searchnu

2.16.4.9. Savings / SideKick

2.16.4.10. PCTuto / Tuto4PC

2.16.4.11. Wagram

2.16.4.12. Yontoo

2.16.5. Download from Trusted Sources : Clubic / 01.net

2.17. Ransomeware

2.17.1. Winlockers

2.17.2. MBR Lockers

2.17.3. Exemples

2.17.3.1. Gimemo

2.17.3.2. Reveton

2.17.3.3. Tobfy

2.17.3.4. Lock Em All

2.18. Rootkits

2.18.1. Bootkits

2.18.2. Loading a driver

2.18.2.1. Using an undocumented API

2.18.2.1.1. The only time when this loading method is really safe is when it's specifically designed around the paging problem.

2.18.2.2. Using the Service Control Manager

2.18.2.2.1. When a driver is loaded using the SCM, it is non-pageable. This means your callback functions, IRP-handling functions, and other important code will not vanish from memory, be paged out, or cause Blue Screens of Death. This is a Good Thing.

2.18.3. Surviving Reboot

2.18.3.1. Using the run key ("old reliable")

2.18.3.2. Using a Trojan or infected file

2.18.3.3. Using .ini files

2.18.3.4. Registering as a driver

2.18.3.5. Registering as an add-on to an existing application

2.18.3.6. Modifying the on-disk kernel

2.18.3.7. Modifying the boot-loader

2.18.4. API-Hooking

2.18.4.1. IAT-Hooking

2.18.4.1.1. asy to discover these types of hooks. On the other hand, hooks like these are used frequently, even by the operating system itself in a process called DLL forwarding. Even if someone is trying to detect a rootkit hook, determining what is a benign hook as opposed to a malicious hook is difficult.

2.18.4.1.2. Another problem with this technique has to do with the binding time. Some applications do late-demand binding. With late-demand binding, function addresses are not resolved until the function is called. This reduces the amount of memory the application will use. These functions may not have addresses in the IAT when your rootkit attempts to hook them. Also, if the application uses LoadLibrary and GetProcAddress to find the addresses of functions, your IAT hook will not work.

2.18.5. Kernel Hooks

2.18.5.1. As a general rule, processes cannot access kernel memory. The exception to this rule is when a process has debug privileges and goes through certain debugging APIs, or when a call gate has been installed. We will not cover these exceptions here. For more information on call gates refer to the Intel Architecture Manuals.[4]

2.18.6. Code / DLL Injection into a userland process

2.18.6.1. The code cave method

2.18.7. The Problem with Hooking

2.18.7.1. There are anti-rootkit applications that can rebuild the system call table. This can be done by reinitializing kernel memory from the original file, ntoskrnl.exe.

2.18.7.1.1. If the system call table is rebuilt after your rootkit is installed, all hooks will be lost.

2.18.8. Virtual Rootkit ( ring 1)

2.18.8.1. BluePill (supports AMD-V and recently VT-X) SubVirt (supports VT-X) VM aware malwares. (Not a root kit, but related.)

2.19. Scareware (Rogue) or (Blackmailwaire)

2.19.1. Antimalware Doctor

2.19.2. Spyware Guard 2009

2.19.3. Security Suite

2.19.4. HDD Defragmenter

2.19.5. Security essentials 2011

2.19.6. Advanced Virus Remover

2.19.7. type

2.19.7.1. System Defragmenter

2.19.7.2. Anti-Spyware

2.19.8. Infected Users need to send a text call to get a valid serial number to remove the Trojan.

2.19.9. Displays a lot of warning messages, change the desktop background, detects fake infections and blocks softwares execution. It comes from fake online scanners, malicious porn sites, fake cracks and exploits.

2.19.10. Windows Problems Protector is a fake security application from the same family as: Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.

2.19.11. A new version of the multi-rogue scareware has been released. This malware is looking for the OS version (XP, Vista, Seven) and changes its name and skin: XP Anti-Spyware, XP Home Security 2011, XP Anti-Virus 2011 (...). It belongs to the Braviax family. As usual it displays fake warning messages to push users into buying a license.

2.19.12. WindowsTool is a fake Defragmenter tool (rogue) from the same family as: WinScan, Disk Recovery, WinDisk, Windows Disk, Windows Scan, Memory Optimizer, Disk Optimizer, Good Memory, Fast Disk, Disk OK, My Disk, Memory Fixer, HDD Fix, HDD Low, Scanner, Disk Repair, Defragmenter, HDD Tools, Smart HDD, HDD Rescue, HDD Plus, HDDDiagnostic, Hard Drive Diagnostic, HDD Scan, Win Defragmenter, Win Defrag, Win HDD, Check Disk, Ultra Defragger, Quick Defragmenter, HDD Defragmenter, System Defragmenter

2.19.13. Malware will modify the registry key for go into safe mode on the next reboot, and will queue your antivirus for unistallation.

2.20. Spammer Programs

2.20.1. Mail Bombers

2.20.2. How it works?

2.20.2.1. Bullet proof Servers

2.20.2.2. Hacked servers

2.20.2.3. Botnets

2.20.2.3.1. The bot received the template of the spam message

2.20.2.3.2. Mailing list

2.20.2.4. Webmails

2.20.2.4.1. Gmail, Hotmail, ...

2.20.3. Anti Spam

2.20.3.1. SpamPal Spamihilator SpamFighter

2.20.3.2. PharmaIncome

2.20.3.3. Drugstore

2.21. Spywares

2.22. Trojan Horses

2.22.1. Backdoors (Trapdoors)

2.22.2. Password-Stealing Trojans (PWS)

2.22.3. Banking Trojans

2.23. Worms

2.23.1. Mailers and Mass-Mailer Worms

2.23.2. Octopus

2.23.3. Rabbits

2.24. Malware often spans multiple categories. For example, a program might have a keylogger that collects passwords and a worm component that sends spam. Don’t get too caught up inclassifying malware according to its functionality.

3. Malware Analysis

3.1. What is Malware Analysis ?

3.1.1. The action of taking the malware apart to study it in a Malware Laboratory

3.2. What is a Malware Lab ?

3.2.1. Controlled Environnement

3.2.1.1. All the information must be recorded for later usage

3.2.2. Isolmated

3.2.2.1. The malware must not be allowed to contact with any external source , but…

3.2.3. Full Simulated

3.2.3.1. The laboratory must provide all the resources needed by the malware

3.3. Why Malware Analysis ?

3.3.1. Analysis of unknown/suscpious files

3.3.2. Public information from antivirus & Security Companies is not complete

3.3.3. Private information about the malware required an expensive paid service

3.3.4. To determine the sophistication level of the malware author

3.3.5. To identify the intruder or insider that is responsible for installing the malware

3.3.6. Questions broken down into

3.3.6.1. Business

3.3.6.1.1. What is the purpose of the malware ?

3.3.6.1.2. How did it get here ?

3.3.6.1.3. Who is targetting us and how good are they ?

3.3.6.1.4. It is a customized malware that target small/particular organization ?

3.3.6.1.5. What are the risks and the consequences ?

3.3.6.1.6. What did they steal ?

3.3.6.1.7. How can I get rid of it ?

3.3.6.1.8. How long has it been here ?

3.3.6.1.9. Does it spread on its own ? How does the malware propagate ?

3.3.6.1.10. How can I find it in other machines ?

3.3.6.1.11. How can you make sure I've deleted the entire malware package and not just one part of it?

3.3.6.1.12. How do I prevent this from happening in the in the futur ?

3.3.6.1.13. If you were a virus writer, how might you improve it ?

3.3.6.2. Technicals

3.3.6.2.1. What are the network-based indicators that reveal the precense and activity of the malware ?

3.3.6.2.2. What are the host-based indicators that reveal the precense and activity of the malware ?

3.3.6.2.3. Is it based on any other well-known tool ?

3.3.6.2.4. Is it persistent ? If so, what mechanism does it use to ensure that it keeps running after a machine is rebooted ?

3.3.6.2.5. What affects does the malware on the Windows Registry ?

3.3.6.2.6. Does the malware create/tamper any files?

3.3.6.2.7. When was the program written, compiled, and installed ?

3.3.6.2.8. What languages was used to write the program ?

3.3.6.2.9. Is it packed ? What packer was used ? It is a customized or a well-known packer ?

3.3.6.2.10. Does it have any anti-reverse engineering functionality ?

3.3.6.2.11. Does it include any rootkit/worm/trojan functionality ?

3.3.6.2.12. What was the vulnerabilities that was exploited to allow the malware to get there in the first place

3.3.6.3. or, to learn and have fun

3.4. How can we get the malware ?

3.4.1. From Online Sandboxes & Anti virus

3.4.2. Spamtrap

3.4.3. From honeypots

3.4.3.1. Recovered from complete machines

3.4.3.2. Automated capture systems.

3.4.3.2.1. Nepenthes, http://nepenthes.mwcollect.org

3.4.3.2.2. Vulnerable service simulation (Ex: MS-RPC)

3.4.3.3. ...and the good news are...

3.4.3.3.1.  Do NOT execute the buffer overflow code

3.4.3.3.2.  Parse the attack and simulate an infected system

3.4.3.3.3.  Download and store those interesting payloads

3.4.3.4. Untitled

3.4.4. Received from another CSIRT or group

3.4.5. From our costumer, when handling an incident

3.5. Lab Elements

3.5.1. Victim machines

3.5.1.1. In which the malware can be run.

3.5.1.1.1. OS-Unpached

3.5.1.1.2. Firewall/AV disabled

3.5.1.1.3. Applications unpatched (Microsoft Office, Browser, ...)

3.5.1.1.4. Consider leaving some intentional traces of normal usage, such as browsing history, cookies, documents, images etc. If a malware is designed to operate, manipulate or steal such files you’ll be able to notice it.

3.5.2. Support Tools for building the lab

3.5.2.1. VMTools-like

3.5.3. Analysis Tools

3.5.3.1. that can be used to analyze the malware

3.5.3.1.1. Static Analysis Tools

3.5.3.1.2. Dynamic Analysis Tools

3.5.3.1.3. Remote Analysis Tools

3.5.3.1.4. File Exploration Tools

3.5.4. Network Simulation

3.5.4.1. Internet connection

3.5.4.2. DNS server

3.5.4.3. DHCP server

3.5.4.4. IRC server

3.5.4.5. SMTP server

3.5.4.6. Proxy

3.5.4.7. Web server

3.5.4.8. • Use a free address range

3.5.4.9. We can configure a linux/Unix box that

3.5.4.9.1.  Accept traffic like a router

3.5.4.9.2.  Respond to the DNS queries

3.5.4.9.3.  Accept traffic to some services

3.5.5. How many machines do we need for our lab ?

3.5.5.1. Hardware is not only expense, but

3.5.5.1.1. Difficult to maintain

3.5.5.1.2. Too much space ..

3.5.5.2. Virtualization software can be used to reduce this cost.

3.5.5.2.1. Run different virtual machines at the same time

3.5.5.2.2. Run unmodified version of most operating system

3.5.5.2.3. Provide configurable resources, advanced disaster recovery, and isolation.

3.5.5.2.4. Allow to have different, isolated networks for the machines

3.5.5.2.5. Machines can be connected to the real interfaces

3.5.5.2.6. Examples

3.5.5.3. But ....

3.5.5.3.1. Your virtualisation software is not perfect, and may allow information to leak from the virtual machine to your host machine in a way you didn't expect

3.5.5.3.2. Malware is incorporing code to detect virtualization environment and may modify its behavior

3.5.5.3.3. Sometimes we need to try with another virtualization software or use real machines or use real machines connected to the virtual lab

3.5.5.4. Or, if you have a budget

3.5.5.4.1. Use Norton Ghost for quickly restoring system images or any re-imaging machines softwares

3.5.5.4.2. Updcast, Truman

3.5.5.4.3. CoreProtect Card

3.6. Lab hardware

3.6.1. Intel based:

3.6.2. • Machine with

3.6.3.  Memory for running three virtual machines

3.6.4. ~2gb

3.6.5.  Network interfaces

3.6.6.  Disk space for storing virtual machines ~

3.6.7. 3Gb.

3.6.8. • Additional hardware/software

3.6.9.  Emulator of other hardware

3.6.10.  Real machines

3.6.11. Only two machines:

3.6.12.  One to simulate the net

3.6.13.  Another to execute & analyze the tool

3.6.14. Subtopic 14

3.6.14.1. Windows machine

3.6.14.1.1. Unpatched Windows machine.

3.6.14.1.2.  To execute the malware

3.6.14.1.3.  To analyze the malware

3.6.14.2. Tools installed in the machine

3.6.14.2.1. Regshot

3.6.14.2.2. http://regshot.blog.googlepages.com/regshot

3.6.14.2.3.  LordPE

3.6.14.2.4. http://scifi.pages.at/yoda9k/LordPE/info.htm

3.6.14.2.5.  Binhex , from foundstone tools

3.6.14.2.6.  Ollydbg , http://www.ollydbg.de

3.6.14.2.7. http://ollydbg.ispana.es

3.6.14.2.8.  Idapro , http://www.datarescue.com/idapro

3.7. Build the lab

3.7.1. Caution before executing the malware

3.7.2. Check that all the machines are in the correct network

3.7.3. Check that the lab is not connected to any other network.

3.7.4. Check that you are executing the malware in the correct machine

3.8. Malware Analysis Methodology/Process

3.8.1. Preparation

3.8.1.1. File Fingerprinting / Hashing

3.8.1.2. Filtering (AntiVirus Scanning)

3.8.1.3. Online Sandbox Services

3.8.1.4. Weeding

3.8.1.5. Quick Examination of Virus Code

3.8.1.5.1. Inside the PE format (header/functions/IAT)

3.8.1.6. String Dump

3.8.1.7. Packer Detection

3.8.1.8. Crypto Routines

3.8.1.9. Disassembling

3.8.1.10. Black-Boxing

3.8.2. Unpacking

3.8.2.1. How do you know if a file is packed

3.8.2.1.1. no import table

3.8.2.1.2. sometime, in the start function, there are some xor eax, eax

3.8.2.1.3. no strings

3.8.2.1.4. a big portion of code is inside .data section

3.8.2.1.5. high entropy

3.8.2.2. The general way by using ESP registerHD BP on ESP register change

3.8.2.3. OllyDBG SFX Features

3.8.2.4. BP on access on the code section of the program.

3.8.2.5. Tracing the program till Retn / jmp

3.8.2.6. Exceptions generated by the packer

3.8.2.7. File is packed? moddify the JMP to OEP to our own code ( code cave), patch the target, then jmp back to OEP < Inline Patching

3.8.2.8. POSHAD/POPAD method

3.8.2.9. Always verifi base of code and base of data after unpacking, so OLly won't caplain with EP outside code section

3.8.2.10. insert unexisting addresses to distract the reverse ( IAT rebuilding)

3.8.2.11. To unpack it, the easier way is to put a breakpoint on WriteProcessMemory. At this breakpoint, the packer writes the unpacked binary in a new process.

3.8.2.12. Most Visual Basic packers are packers on the “heap”, so we can directly recover the binary by setting breakpoints on functions like VirtualAllocEx and WriteProcessMemory,

3.8.2.12.1. Also LoadLibrary, LocalFree

3.8.2.13. Packers Theory

3.8.2.13.1. The Imports Table has been removed, the packer saves only (in a secure place) the hashes of the API names and their addresses at the IAT.

3.8.2.13.2. The algorithm is well obfuscated and has lots of anti-debug, anti-trace...

3.8.2.13.3. The packer doesn’t use GetProcAddress. Instead, it implements its own algorithm to find the APIs at the exports table of the DLLs.

3.8.2.13.4. The IAT has been redirected

3.8.2.14. Packers Theory 2

3.8.2.14.1. PE Packers compress the PE sections or some other data using some compression algorithms like LZMA ,LZSS,APLIB etc. So to before the running the actual malicious code the packer would

3.8.2.14.2. How to unpack

3.8.3. Disassembling and Decryption

3.8.4. Dynamic Analysis Techniques

3.8.4.1. File-change monitoring

3.8.4.2. Goat file-based analysis

3.8.4.3. Registry change tracking

3.8.4.4. Process and thread monitoring

3.8.4.4.1. CPU in use

3.8.4.4.2. Memory in use

3.8.4.4.3. Drivers/DLLs used

3.8.4.5. Network port monitoring

3.8.4.6. Network sniffing and capturing

3.8.4.6.1. NetBIOS

3.8.4.6.2. NetStat

3.8.4.7. System call tracing

3.8.4.8. Debugging

3.8.4.9. Code emulation

3.8.5. Automation ?

3.8.5.1. Processus manuel, fastidieux, erreurs possibles

3.8.5.1.1. Scripts –Reboot / Snapshots automatisés:

3.8.6. You don't have to follow the process as it is. Most are done because of either lack of time, skills or understanding of how to reverse malware. Some may think, why reinvent the wheel? This is all OK.

3.8.7. Note down your finding so you will be able to see trends or recognize similar behaviors of samples that could help in reversing future samples that exhibit similar characteristics.

3.8.8. Methodology of Reverse Engineering Code

3.8.8.1. Do always some investigation about the app you're reversing : EXE/DLLs + Configuration Files, Compiler

3.8.8.2. Call Stack

3.8.8.2.1. RET TO DISASSASEMBMER

3.8.8.3. Stack Window / Pane Window

3.8.8.4. Ressource Identifiers

3.8.8.4.1. Search for commands -> Push (ID number)

3.8.8.5. Magic Byte / Half Byte

3.8.8.6. BP Particular APIs

3.8.8.6.1. KillTimer ()

3.8.8.6.2. RegQueryKey ()

3.8.8.6.3. GetLastError ()

3.8.8.6.4. GetDlgItemText ()

3.8.8.6.5. .....

3.8.8.7. Find references to @ contstant

3.8.8.8. Esthetical Patching

3.8.8.9. Protections

3.8.8.9.1. Server Check

3.8.8.9.2. KeyFile

3.8.8.9.3. Registry Key

3.8.8.9.4. Time Limit

3.8.8.10. Keygenning Routines

3.8.8.10.1. ADD, SUB, ROR, ROL, SHL, SHR

3.8.8.10.2. XOR, OR, AND, NOT

3.8.8.10.3. BTSWAP, MODULO, SIGMA

3.8.8.10.4. Simple Ciphers: Ceaser, Base64, ..

3.8.8.10.5. Standard Ciphers

3.8.8.10.6. Custom Encodin Algos

3.8.8.10.7. Insert / replace a char between a stringcode

3.8.8.10.8. Generate a stringcode and use it somewhere

3.8.8.10.9. Algo/Math tricks: NUmber THeory, Prefect Numbers

3.8.8.10.10. FPU instructions : Arctan, sin, cos, puissance, ..., PI

3.8.8.10.11. Equations

3.8.8.10.12. GetComputerName() / GetLocalTime ()

3.8.9. Done ?

3.9. Malware Analysis Report

3.9.1. Supporting Figures

3.9.1.1. Logs

3.9.1.2. Strings

3.9.1.3. Function listings

3.9.1.4. Screenshots

3.9.2. Observations

3.9.2.1. Behavioral analysis

3.9.2.2. Static code analysis

3.9.2.3. Dynamic code analysis

3.9.2.4. Memory analysis

3.9.3. Dependencies

3.9.3.1. Targeted Archiecture / OS

3.9.3.2. Targeted Format

3.9.3.3. Patch level

3.9.3.4. Required libraries

3.9.3.5. Configuration files

3.9.3.6. Scripts and executables

3.9.3.7. URLs

3.9.4. Sample's Characteristics

3.9.4.1. Infection capabilities

3.9.4.2. Self-preservation capacity

3.9.4.3. Spreading mechanics

3.9.4.4. Payload

3.9.4.4.1. Data leakage abilities

3.9.4.4.2. Performance degradation

3.9.4.4.3. Destruction of personal data to bot infection,

3.9.4.5. Remote attacker interactions

3.9.5. Sample's Identification

3.9.5.1. File name, type, size

3.9.5.2. File hashes

3.9.5.3. Anti-virus identifiers

3.9.6. Summary of the analysis

3.9.6.1. Key observations

3.9.6.2. Recommendations

3.9.6.3. Limitations

3.9.6.4. Report date and authors

3.10. Malware Analysis Tools

3.11. General Rules for Malware Analysis

3.11.1. don’t get too caught up in the details. Most malware programs are large and complex, and you can’t possibly understand every detail. Focus instead on the key features. When you run into difficult and complex sec-tions, try to get a general overview before you get stuck in the weeds.

3.11.2. remember that different tools and approaches are available for different jobs. There is no one approach. Every situation is different, and the various tools and techniques that you’lllearn will have similar and sometimes overlapping functionality. If you’re not having luck with one tool, try another. If you get stuck, don’t spend too long on any one issue; move on to some-thing else. Try analyzing the malware from a different angle, or just try a dif-ferent approach.

3.11.3. remember that malware analysisis like a cat-and-mouse game. As new malware analysis techniques are developed, malware authors respond with new techniques to thwart analysis. To succeed as a malware analyst, you must be able to recognize, understand, and defeat these techniques, and respond to changes in the art of malware analysis.

4. Infection Vectors and Spreading Mechanisms

4.1. Malvertising

4.2. SPAM / eMail-Attach

4.2.1. Target users with – Fake delivery notices – Fake IRS notices – Fake orders from online retailers

4.3. Freeware

4.4. Instant Messaging

4.4.1. MSN Messenger

4.4.2. Yahoo Messenger

4.4.3. ...

4.5. Social Networks

4.5.1. Clickjacking

4.5.2. Likejacking

4.5.3. Likejacking

4.6. Warez/P2P Networks

4.6.1. Cracks, Keygens, .. flagged as maliciours

4.6.1.1. Users think it's false positives To prevent illegal content

4.6.1.1.1. but they are maliciours

4.7. Trojan Horses/Backdoors

4.8. Drive-by Download/Install

4.8.1. Fake Codecs

4.8.2. Fake ActiviX

4.8.3. Java Applet

4.8.4. ...

4.9. Exploits / Exploit Kits

4.9.1. Exploiting One Specific vulnerability / Known multiple Vulnerabilities / 0-days

4.9.1.1. Browsers

4.9.1.1.1. Firefox

4.9.1.1.2. Chrome

4.9.1.1.3. IE

4.9.1.1.4. ...

4.9.1.2. Software

4.9.1.2.1. Java

4.9.1.2.2. Adobe

4.9.1.2.3. ...

4.9.1.3. OS

4.9.1.3.1. MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise

4.9.1.3.2. MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution

4.9.1.3.3. MS04-011 Vulnerabiility in LSASS

4.9.1.3.4. MS04_007 Microsoft ASN.1 Library Bitstring Heap Overflow

4.9.1.3.5. MS04-045 Vulnerability in WINS Could Allow Remote Code Execution

4.9.1.3.6. ms05017-

4.9.1.3.7. ms05039

4.9.1.3.8. WebDAV, NETBIOS, DCOM

4.9.1.3.9. LSAAS, VNC

4.9.1.4. Exploit-kits

4.9.1.4.1. Blackhole

4.9.1.4.2. Bleeding Life

4.9.1.4.3. BestPack

4.9.1.4.4. CritXPack (Previously Vintage Pack)

4.9.1.4.5. CoolPack

4.9.1.4.6. Fiesta

4.9.1.4.7. ICEPack

4.9.1.4.8. MPack

4.9.1.4.9. NeoSploit

4.9.1.4.10. Nuclear Pack

4.9.1.4.11. PhenixPack

4.9.1.4.12. ProPack

4.9.1.4.13. RedKit

4.9.1.4.14. Sakura

4.9.1.4.15. Styx

4.9.1.4.16. Sweet Orange

4.9.1.4.17. Yang Pack

4.9.1.4.18. Sweet Orange

4.9.1.4.19. Upas

4.10. Trusted Products/Services

4.10.1. Cacao web

4.10.2. BlackHat Forums

4.10.2.1. People who install whatever they asked to

4.10.2.1.1. To Earn Income

4.10.3. Profit for famous personalities/events

4.10.3.1. spread becomes easy

4.11. Links in Social Networks / Blogs that leads to Malicious Web Pages

4.12. Combined with Social-Engineering Attacks

5. References/Resources

5.1. Certifications

5.1.1. Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

5.1.2. Security 569: Combating Malware in the Enterprise courses

5.2. eBooks

5.2.1. Rootkits: Subverting the Windows Kernel

5.2.2. Professional Rootkits

5.2.3. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

5.2.4. Hacking Exposed: Malware & Rootkits

5.2.5. The Art of Computer Virus Research and Defense

5.3. Links

5.3.1. Malware Database & Repositiries

5.4. Forums

5.4.1. www.ic0de.org

5.4.2. www.ubers.og

6. Some Notes ...

6.1. Malware is tricky, and creators of it are trickier. 

6.2. Malware can be detected from user PCs / Mail traffic

6.3. Click fraud appears to be comparatively easy to manipulate with the further advantage of drawing little attention from law enforcement, unlike banking trojans.

6.4. Spam-botnet

6.4.1. the number of messages sent

6.4.2. the number of bytes-sent

6.4.3. the number of bot members

6.5. According to the MSDN, WNet* functions are used to enumerate networks resources and connections.

6.5.1. The most interesting is the import table from MPR.dll.

6.6. To sum up: Rob a bank and face a one-in-four or one-in-five chance of doing hard time. Steal someone's identity and your odds of being caught are almost infinitesimal. Consider, too, that identity theft comprises only 9.8 percent of all Internet crime, not including the likes of intellectual property theft. Factor in all Internet crime, and the numbers are likely to be far, far worse -- which is saying a lot.

6.7. Why botnets owners stop making money

6.7.1. Because security guys found it

6.7.1.1. how did they found it ?

6.7.1.1.1. maybe coz they advertise it

6.7.1.1.2. qomeone leak it

6.7.1.1.3. Honeypotd captured the sample and analyzed it

6.7.1.1.4. making so much noise

6.7.1.1.5. people are complaining about their data

6.8. Type of people

6.8.1. Normal Internet USer

6.8.1.1. Surf Internet, facebook, social network

6.8.1.2. Listen to music

6.8.1.3. Watch youtube

6.8.1.4. Check News

6.8.1.5. Work in Office

6.8.1.6. Protection is done by AV chiefly !

6.8.2. Advanced User

6.8.2.1. Have some CS knowledge

6.8.2.2. Some Security Background

6.8.2.3. ScanFiles, Update Antivirus

6.8.2.4. Remove entries from registre

6.8.2.5. Protection is done by AV chiefly !

6.8.3. Malware Analyst

6.8.3.1. Avanced User +

6.8.3.2. Know how malware infection happen, and how it spreads

6.8.3.3. Know how to reverse / analyse classical malware but not advanced

6.8.3.4. He chould manage to delete it from the system if found

6.8.3.5. Protection is done by User knowledge then AV / IDS come second

6.8.4. Virus Expert

6.8.4.1. Antivirus Companies

6.8.4.2. Have advanced tools for monitoring § capuring malwares

6.8.4.3. Just a question of time to demystify the malicious code and write a desinfector for it !

6.8.4.4. The knowledge pure & dure !

6.9. steal gauss data

7. Defense mechanisms of Malware

7.1. Anti-Reversing Tools

7.1.1. Blacklisting some processes

7.1.1.1. Process Monitor

7.1.1.2. Process Explorer

7.1.1.3. Total Commander

7.2. Anti-Sandbox / Anti-VM

7.2.1. Generic or Specific

7.2.2. Advapi32.RegOpenKeyExW” API and looks for keys present in “System\ControlSet001\Services\Disk\Enum”. Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc

7.2.3. Advapi32.RegOpenKeyExW” API and looks for keys present in “System\ControlSet001\Services\Disk\Enum”. Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc

7.3. Anti-Dumping

7.3.1. SizeOfImage

7.3.2. Erasing the header

7.3.3. Nanomites

7.3.4. Page Guard

7.3.5. Stolen Bytes

7.3.6. IAT Elimination / API Redirection

7.4. Anti-Intercepting

7.4.1. Write -> Execute

7.4.1.1. Some interceptors watch for write-then-exec Executing dummy just-written instruction can fool them Used by ASPack, but probably for multi-processor support

7.4.2. Write^Execute

7.4.2.1. Change can be detected indirectly Kernel functions return error when writing to read-only pages VirtualQuery() and VirtualProtect() return old page attributes

7.5. Anti-Emulating

7.5.1. Interrupt 3

7.5.2. Time-locks

7.5.3. Invalid API parameters

7.5.4. GetProcAddress

7.5.5. "Modern" CPU instructions

7.5.6. Undocumented instructions

7.5.7. Selector verification

7.5.8. Memory Layout

7.5.9. File Format Tricks

7.5.9.1. Non-aligned SizeOfImage Windows will silently round up the value Overlapping structures Tools such as IDA have a problem with this Non-standard NumberOfRvaAndSizes SoftICE and OllyDbg have a problem with this Non-aligned SizeOfRawData Windows will silently round up the value Non-aligned PointerToRawData Windows will silently round down the value No section table Allowed when SectionAlignment is less than 4kb Header becomes writable and executable

7.6. Anti-Breakpoint

7.6.1. Hardware Breakpoint

7.6.1.1. Context Structure

7.6.2. Memory Breakpoints

7.6.3. Software Breakpoints

7.7. Anti-Tampering

7.7.1. Self-Checking / Self-Validation or Integrity checking : CRC

7.7.1.1. Static : Verity only on startup

7.7.1.2. Dynamic : Repeatedly verifies its integrity as it is running

7.7.2. rolling checksum, CRC32, md5, sha1, adler, md4

7.8. Anti-Attaching/Debugging

7.8.1. NtGlobalFlag

7.8.2. Heap Flags

7.8.3. Heap

7.8.4. IsDebuggerPresent()

7.8.5. CheckRemoteDebuggerPresent()

7.8.6. Debug Objects

7.8.6.1. NtQueryInformationProcess()

7.8.6.1.1. ProcessDebugObjectHandle class

7.8.6.1.2. ProcessDebugFlags class

7.8.6.1.3. SystemKernelDebuggerInformation class (kernel)

7.8.6.2. NtQueryObject (kernel)

7.8.7. Thread hiding

7.8.7.1. NtSetInformationThread()

7.8.7.1.1. HideThreadFromDebugger class

7.8.8. OpenProcess() & SeDebugPrivilege

7.8.9. CloseHandle()

7.8.10. ReadFile()

7.8.11. WriteProcessMemory()

7.8.12. UnhandledExceptionFilter()

7.8.12.1. SetUnhandledExceptionFilter ()

7.8.13. BlockInput()

7.8.14. SuspendThread()

7.8.15. Guard pages / CopyMem2

7.8.16. Multi-Threads Packing

7.8.17. Heap Flags

7.8.18. Alternative Desktop

7.8.19. Prefetch queue

7.8.20. Execution timing

7.8.20.1. GetTickAccount, TimeGetTime() or QueryPerformanceCounter()

7.8.20.2. RDTSC

7.8.21. Instruction counting

7.8.21.1. Count Hardware Breakpoint

7.8.22. Parent Process

7.8.23. Exceptions

7.8.23.1. Move EIP around

7.8.24. Header Entrypoint

7.8.25. Self-Execution

7.8.26. Process Name

7.8.26.1. CreateToolhelp32Snapshot, Process32First/Next

7.8.27. Threads

7.8.28. Self-Debugging

7.8.29. TLS Callback

7.8.30. Disassembly

7.8.31. Device Names

7.8.31.1. SoftIce

7.8.31.2. Filemon

7.8.31.3. Regmon

7.8.31.4. Product and copyright strings can be compared to "watch list"

7.8.32. EventPairsHandle

7.8.33. Soft-ICE Specific

7.8.33.1. Interrupt 1 is normally not invokable from ring 3 SoftICE hooks interrupt 1 and allows ring 3 access So wrong exception when SoftICE is running Used by SafeDisc

7.8.34. OllyDbg Specific

7.8.34.1. Cannot handle unusual NumberOfRvaAndSizes value Some unchecked fields allow memory allocation DoS Initial ESI register value is -1 on Windows XP Looks like a detection method It's just a coincidence

7.8.34.2. Passes user-defined data directly to _vsprintf() Leads to DoS condition Debugger window can be found by calling FindWindow("OLLYDBG")

7.8.34.3. Hide-Debug Specific :Plug-in for OllyDbg Detectable by far jump at OpenProcess()+6

7.8.34.4. OllyDBG API Redirection

7.8.34.5. http://board.flatassembler.net/topic.php?t=5820

7.8.35. ImmunityDebug Specific

7.8.35.1. Based on OllyDbg Shares many of the same vulnerabilities

7.8.36. WinDBG Specific

7.8.36.1. Debugger window can be found by calling FindWindow("WinDbgFrameClass")

7.9. Self-Modifying Code

7.9.1. Oligomorphism

7.9.2. Polymorphism

7.9.3. Metamorphism

7.10. Garbage/Junk Code Insertion and Permutation

7.10.1. Opaque Predicates are false branches, where the branch appears to be conditional, but is not. For example, if( 1==1) is an unconditional jump, but because of the way decompilers like Olly work, the fact that this is not really a conditional is not known.

7.11. Rootkitting

7.11.1. hide files, directories, drivers, processes, and registry entries and config files.

7.12. Malformed PE Header

7.12.1. Fooling OllyDBG :)

7.13. Erase PE header if reversing detected

7.14. System FIle Protection Hiding

7.15. System Hardening

7.16. Bypass, Block, Blacklist or Kill AntiVirus / Firewalls / Desinfinctinf Forums

7.16.1. Dumphive, The Avenger, Gmer, IceSword, ComboFix, SDFix

7.17. DDNS - Dynamic DNS Domain Name (Fast Fluxing)

7.17.1. Single

7.17.1.1. Utilisateur d'un ou de plusieurs domaines

7.17.1.2. Bot : Choix de l'url destination en fonction du type de requete

7.17.1.3. Changement régulièr des IP associés au nom du domaine (NDS)

7.17.1.4. Utilisatation des machines zombies en Reverse Proxy ( Trasfert des reqêtes de la victime vers le serveur réel)

7.17.1.5. +

7.17.1.5.1. Camouflage de l'IP du serveur réél

7.17.1.6. -

7.17.1.6.1. @ du serveur de noms compromis

7.17.2. Double

7.17.2.1. +

7.17.2.1.1. disponibilité quasi optimale

7.17.2.1.2. résiste à l'arrêt d'un serveur DNS

7.17.3. Double évolué

7.17.3.1. Botnets run own DNS service to resolve the C&C servers.

7.17.3.2. Use high port numbers to avoid detection by security devices and gateways

7.18. Managed malware crypting services

7.19. Quality Assurance

7.19.1. Cybercriminals aren't solppy about their work !

7.20. windows native API in NTDLL.DLL and NTFS ADSs, Alternate Data Streams. Malware will frequently  abuse these rather helpful tools to keep itself from being discovered. 

7.21. DDos Whos Studying it

7.22. Quality Assurance

7.23. Server side polymorphism

7.24. File Extension Manipulation / Double Extention

7.24.1. Ghost RAT

7.25. Rallying mechanisms

7.25.1. Hard-Coded IP address

7.25.1.1. The bot communicates using C&C ip addresses that are hard-coded in it’s binary files.

7.25.1.2. Easy to defend against, as ip addresses are easily detectable and blocked, which makes the bot useless.

7.25.2. Dynamic DNS Domain Name

7.25.2.1. - Hard-coded C&C domains assigned by dynamical DNS providers. - Detection harder when botmaster randomly changes the location - Easier to resume attack with new, unblocked Domain Name - If connection fails the bot performs DNS queries to obtain the new C&C address for redirection.

7.25.3. Distributed DNS Service

7.25.3.1. Hardest to detect & destroy. Newest mechanism. Sophisticated. Botnets run own DNS service out of reach of authorities Bots use the DNS addresses to resolve the C&C servers Use high port numbers to avoid detection by security devices and gateways

7.26. Modification du système (changeùment de regle de filtrage réseau, désactivation d'outils de sécurité.

7.27. To evade signature-based detection systems, it appends some randomly generated bytes to the end of the file.

7.28. Double Checks in separate places / on each startup

7.29. Do-it-yourself malwares cryptors

7.30. Hijack HOSTS file to point to the local host120.0.0.1

7.31. Delete SafeBoot Key to make access to the Safe Mode impossible

7.32. Disable CMD / Regedit / TaskManager / SystemRestore

7.33. Hide Folder Options in the explorer Menu to prevent show hidden files

7.34. Hook Mouse event to check if it is an automated system

7.35. SLeep for evading automated systems : NtDelayExecution() or SLeepEx ()

7.36. In order to hide itself, the bot duplicates the Modification, Access, and Creation times (MAC times) information from Ntdll.dll library, and applies them to the sdra64.exe. The intent of this is to make sdra64.exe appears to be a system file that has been around since Windows was first installed

7.37. In another level of hiding the created file, it sets the sdra64.exe file attributes to system and hidden, so that the user cannot see the file using the standard file explorer

7.38. Anti Cracking

7.38.1. Checks for good or bad serial should be as much far as possible

7.39. malware drop another malware than load VBS script from its ressources then inject it to another process

7.40. Throw BSOD

8. Known malwares techniques

8.1. persistence to reboot

8.1.1. adding an entry to the well-known "Run key" in the user's registry base, or creating a Windows service if the necessary privileges are available. Malware can also use Scheduled Tasks, Winlogon, AppInit, ActiveSetup