
Malware


Threat Listing By Category. Rules for naming detected objects.

All objects detected by Kaspersky antivirus products are named according to the following system:

The prefix identifies the sub-system which detected the object. The prefix “HEUR:” is used to denote objects detected by the heuristic analyzer, and the prefix “PDM:” is used to denote objects detected by the proactive defense module. The prefix is not an obligatory part of the full name and may not be present.

The behaviour specifies what the detected object does. For viruses and worms, the behaviour is chosen according to the propagation method used.

The platform is the environment in which the program code is executed. For detected objects that can run on more than one platform, the platform is defined as “Multi.” At the time of writing, there are two platforms that support the heuristic analyzer: Win32 and Script (a generalized platform for a variety of scripts).

The name is the official name given to the detected object, which defines the family of detected objects.

MAEC - Use Cases. Introduction: Typical MAEC Usage Scenario

At its highest level, MAEC is a domain-specific language for non-signature-based malware characterization. Since languages serve to provide a vocabulary and grammar for the encoding and decoding of information, it follows that the majority of the six use cases for MAEC are motivated by the unambiguous and accurate communication of malware attributes that MAEC enables.
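The Kaspersky naming scheme described above (optional sub-system prefix, behaviour, platform, family name) is easy to parse mechanically, which is useful when reviewing a batch of AV verdicts. The following parser is an added example, not code from Kaspersky or from the page; it assumes the four parts are joined as [PREFIX:]Behaviour.Platform.Name with an optional variant suffix after the family name, that unprefixed names came from the regular signature engine, and the sample verdicts at the bottom are constructed, not real detections.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Sub-system prefixes named in the Kaspersky naming rules above.
SUBSYSTEM_BY_PREFIX = {
    "HEUR": "heuristic analyzer",
    "PDM": "proactive defense module",
}
# Assumption: a name without a prefix came from the regular signature engine.
DEFAULT_SUBSYSTEM = "signature engine (no prefix)"


@dataclass(frozen=True)
class DetectionName:
    prefix: Optional[str]   # "HEUR", "PDM", or None when no sub-system prefix is present
    behaviour: str          # what the object does, e.g. "Trojan", "Worm", "Trojan-Downloader"
    platform: str           # execution environment, e.g. "Win32", "Script", "Multi"
    name: str               # family name, possibly with a variant suffix such as ".a"

    @property
    def subsystem(self) -> str:
        if self.prefix is None:
            return DEFAULT_SUBSYSTEM
        return SUBSYSTEM_BY_PREFIX.get(self.prefix, f"unknown sub-system prefix {self.prefix!r}")

    @property
    def multi_platform(self) -> bool:
        return self.platform == "Multi"


# Assumed layout: [PREFIX:]Behaviour.Platform.Name[.variant]
_NAME_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z]+):)?"
    r"(?P<behaviour>[A-Za-z][A-Za-z-]*)\."
    r"(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<name>[A-Za-z0-9_][A-Za-z0-9_.-]*)$"
)


def parse_detection_name(full_name: str) -> DetectionName:
    """Split one detection name into its prefix, behaviour, platform and family parts."""
    m = _NAME_RE.match(full_name.strip())
    if m is None:
        raise ValueError(f"not a Behaviour.Platform.Name detection name: {full_name!r}")
    return DetectionName(m.group("prefix"), m.group("behaviour"), m.group("platform"), m.group("name"))


def count_by_subsystem(names: Iterable[str]) -> Dict[str, int]:
    """Tally which sub-system produced each verdict in a batch of names.
    Unparseable strings are counted under 'unparsed' rather than dropped, so a
    review of AV output never silently loses verdicts."""
    counts: Dict[str, int] = {}
    for n in names:
        try:
            key = parse_detection_name(n).subsystem
        except ValueError:
            key = "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample verdicts (not real detection names taken from any product report).
SAMPLE_VERDICTS = [
    "HEUR:Trojan.Win32.Generic",
    "PDM:Trojan.Win32.Generic",
    "Worm.Win32.Sample.a",
    "Trojan-Downloader.Script.Generic",
    "Virus.Multi.Sample.b",
    "not a detection name",
]

if __name__ == "__main__":
    for v in SAMPLE_VERDICTS:
        try:
            d = parse_detection_name(v)
            print(f"{v:36} sub-system={d.subsystem}; behaviour={d.behaviour}; "
                  f"platform={d.platform}{' (multi)' if d.multi_platform else ''}; family={d.name}")
        except ValueError as e:
            print(f"{v:36} {e}")
    print(count_by_subsystem(SAMPLE_VERDICTS))
```

Splitting verdicts this way makes it obvious when a detection rests on the heuristic or proactive module alone (a "HEUR:" or "PDM:" verdict with a generic family name) versus a signature hit on a named family, which is the distinction an analyst wants before deciding how much weight to put on a single AV result.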

As shown in the illustration, MAEC will typically be utilized to encode the data garnered from malware analysis. In such a scenario, malware would be analyzed using some dynamic analysis/sandbox-based method. While there are a number of ways that MAEC-encoded information can be utilized in some automated form, the majority of MAEC’s use cases are human-oriented.

Uniform Malware Reporting Format

Current malware reporting, while useful for determining the general type and nature of a malware instance, is inherently ambiguous due to the lack of a common structure and vocabulary.

Malware « Veiled Shadows. An exploration into the potential power of collaborative, mission-focused APT research groups

This post will be one of several that will reveal the origins of the investigation, research, and analysis group effort behind what has been revealed as Operation Starlight. The formation, vision, and strategy behind Starlight were a direct result of the compromise and Intellectual Property data theft of vital technical information from RSA that forms the underpinnings of authentication frameworks used in thousands of companies and government organizations worldwide. 2-factor authentication (something you have: a token; something you know: a PIN or password) attempts to increase the attacker's work effort when they want to exploit access controls in order to compromise protected data.

This data can be in the form of content portals, or even access to entire internal sensitive networks. When the RSA intrusion was first revealed in the press, it shell-shocked the industry. Future postings will cover:

Malware Hash Registry

The whois daemon acts like a standard whois server would, but an MD5 or SHA-1 hash value instead of a name or address is passed as an argument. It accepts arguments on the command line for single whois queries, and it also supports BULK hash submissions when combined with GNU's netcat for those who wish to optimize their queries. When issuing requests for two or more hashes we strongly suggest you use netcat for BULK submissions, since there is less overhead.

WARNING: Source addresses or networks that are seen abusing the whois server with large numbers of individual queries instead of using the bulk netcat interface may be null routed. Sources issuing an abnormally large number of queries may be automatically rate-limited.

There is presently one whois server available with round-robin IP addresses: hash.cymru.com

The syntax for whois and netcat whois IP queries is as follows:

An example use of the command-line arguments on a single malware hash query:

$ whois -h hash.cymru.com help

Back to Stuxnet: the missing link

Two weeks ago, when we announced the discovery of the Flame malware, we said that we saw no strong similarity between its code and programming style and that of the Tilded platform which Stuxnet and Duqu are based on.
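The Malware Hash Registry passage above recommends one bulk submission over netcat instead of many single whois queries, which is also what keeps a source from being rate-limited or null-routed. The following client is an added example, not code from Team Cymru or from the page. It assumes, from my own understanding of the service rather than from the page (which elides the exact syntax), that bulk mode takes one hash per line between "begin" and "end" lines on the whois port (TCP 43), and that each reply line is "<hash> <unix timestamp> <detection percentage>" with NO_DATA in place of the percentage when the hash is unknown. The sample reply is constructed, not captured from the server, and the only network call is kept in a separate function so everything else runs offline.

```python
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

MHR_HOST = "hash.cymru.com"   # the whois server named on the page
MHR_PORT = 43                 # standard whois port; assumption, not stated on the page


@dataclass(frozen=True)
class MhrResult:
    digest: str
    last_seen: Optional[int]      # Unix timestamp from the reply, None when the hash is unknown
    detection_pct: Optional[int]  # AV detection rate in percent, None when the hash is unknown

    @property
    def known(self) -> bool:
        return self.detection_pct is not None


def build_bulk_request(digests: List[str]) -> str:
    """Assumed bulk syntax: 'begin', one lower-case MD5/SHA-1 hex digest per line, 'end'.
    Anything that is not a 32- or 40-character hex string is rejected up front so a
    malformed line cannot poison the whole batch."""
    cleaned = []
    for d in digests:
        d = d.strip().lower()
        if len(d) not in (32, 40) or any(c not in "0123456789abcdef" for c in d):
            raise ValueError(f"not an MD5/SHA-1 hex digest: {d!r}")
        cleaned.append(d)
    return "begin\n" + "\n".join(cleaned) + "\nend\n"


def parse_bulk_response(text: str) -> Dict[str, MhrResult]:
    """Assumed reply format per line: '<hash> <timestamp> <pct>' or '<hash> <timestamp> NO_DATA'.
    Comment/banner lines are skipped; anything else unexpected raises rather than
    being silently misread as a verdict."""
    results: Dict[str, MhrResult] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.lower().startswith("bulk mode"):
            continue
        parts = line.split()
        digest = parts[0].lower()
        if parts[-1] == "NO_DATA":
            results[digest] = MhrResult(digest, None, None)
        elif len(parts) >= 3:
            results[digest] = MhrResult(digest, int(parts[-2]), int(parts[-1]))
        else:
            raise ValueError(f"unexpected MHR reply line: {line!r}")
    return results


def known_digests(results: Dict[str, MhrResult]) -> List[str]:
    """Hashes the registry has seen flagged by AV engines. A hash that is NOT here is not
    thereby clean: the registry only covers samples that have been detected somewhere."""
    return sorted(d for d, r in results.items() if r.known)


def unanswered(digests: List[str], results: Dict[str, MhrResult]) -> List[str]:
    """Submitted hashes that received no reply line at all (truncated session, rate limit)."""
    return [d.lower() for d in digests if d.lower() not in results]


def query_mhr(digests: List[str], timeout: float = 10.0) -> Dict[str, MhrResult]:
    """Live lookup: the same TCP exchange the page's netcat pipe performs, in one connection."""
    request = build_bulk_request(digests).encode()
    with socket.create_connection((MHR_HOST, MHR_PORT), timeout=timeout) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_bulk_response(b"".join(chunks).decode(errors="replace"))


# Constructed sample reply in the assumed format (not a real server response, not real hashes).
SAMPLE_DIGESTS = ["0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210fedcba98", "deadbeef" * 4]
SAMPLE_RESPONSE = (
    "# Bulk mode; hash.cymru.com [constructed sample]\n"
    "0123456789abcdef0123456789abcdef 1221154281 53\n"
    "fedcba9876543210fedcba9876543210fedcba98 1221154300 NO_DATA\n"
)

if __name__ == "__main__":
    print(build_bulk_request(SAMPLE_DIGESTS), end="")
    parsed = parse_bulk_response(SAMPLE_RESPONSE)
    print("known:", known_digests(parsed))
    print("unanswered:", unanswered(SAMPLE_DIGESTS, parsed))
```

The two helper views matter operationally: known_digests gives the hashes worth pulling into an investigation first, and unanswered catches the case where the server cut the session short, which is exactly what a rate limit looks like from the client side and should be retried later rather than re-sent as a burst of single queries.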

Flame and Tilded are completely different projects based on different architectures, each with its own distinct characteristics. For instance, Flame never uses system drivers, while Stuxnet and Duqu’s main method of loading modules for execution is via a kernel driver. But it turns out we were wrong. Wrong, in that we believed Flame and Stuxnet were two unrelated projects. Our research unearthed some previously unknown facts that completely transform the current view of how Stuxnet was created and its link with Flame.

The Flame inside Stuxnet

First of all, let’s recap the Stuxnet story.

List of resources in the March 2010 variant of Stuxnet
List of resources in the 2009 variant of Stuxnet
The Tocy story
Resource 207
Information about the date of the module’s creation

Advanced malware analysis and forensics using virtualization and free tools

Here are a few quick steps for performing malware analysis on various badware (viruses, worms, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, an Instant Messaging worm, also known as "the cool pics worm".

Tools of the trade: We're going to set up VirtualBox (or any other virtualization product) with a copy of Windows XP SP2, update it and take a snapshot so we can easily move back to a clean system.

Use VirtualBox to install Windows XP SP2 in a Virtual Machine.

Take a snapshot of the Virtual Machine - Initial Install.

Uncompress the file: upx -d "New Folder.exe"

Parse the file again with "file" and "strings" - this time we can see a lot more information.

Use PE Explorer and "File Analyzer" to get even more information about PE headers, dependencies and so on.

Fire up OllyDbg, IDA Pro Freeware, Immunity Debugger, WinDBG or your favourite debugger / disassembler and analyze the file.
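The steps above only make sense once you know the sample is UPX-packed, which is what "file", "strings" and PE Explorer reveal before the upx -d step: section names UPX0/UPX1, a first section with no raw data, and a near-random-looking section holding the compressed payload. The following static triage script is an added example, not code from the post or from any of the tools it names. It reads only the DOS, COFF and section headers of a PE file and reports those indicators; the two PE images at the bottom are constructed in code (minimal headers plus section table, not loadable programs) so it runs offline, and the 7.0 bits/byte entropy threshold is my own rule of thumb.

```python
import math
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Section names UPX gives to the sections it creates.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; assumption, compressed/encrypted data sits near 8.0


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    raw_offset: int
    entropy: float  # Shannon entropy of the section's raw bytes, 0..8 bits per byte


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)       # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name_raw, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, vsize, rsize, rptr, shannon_entropy(raw)))
    return sections


def packing_indicators(pe: bytes) -> List[str]:
    """Human-readable findings that suggest a packed binary; empty list means none seen."""
    findings = []
    for s in parse_sections(pe):
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"section {s.name}: UPX-style section name")
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"section {s.name}: no raw data but {s.virtual_size:#x} bytes virtual "
                            "(the unpacking stub fills it at run time)")
        if s.entropy > HIGH_ENTROPY:
            findings.append(f"section {s.name}: entropy {s.entropy:.2f} bits/byte (compressed or encrypted)")
    return findings


def build_pe(sections: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Constructed test input: DOS stub, COFF header with an empty optional header, and the
    given (name, VirtualSize, raw bytes) sections. Not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, vsize, raw in sections:
        ptr = data_start + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000, len(raw), ptr, 0, 0, 0, 0, 0)
        blobs += raw
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples: one shaped like a UPX-packed file, one shaped like a plain build.
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x20000, b""),                        # empty on disk, large in memory
    (b"UPX1", 0x400, bytes(range(256)) * 4),        # every byte value equally often: entropy 8.0
    (b".rsrc", 0x200, b"\0" * 512),
])
PLAIN_SAMPLE = build_pe([
    (b".text", 0x400, b"\x90" * 1024),
    (b".data", 0x200, b"\0" * 512),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, [(s.name, s.raw_size, round(s.entropy, 2)) for s in parse_sections(sample)])
        print("  indicators:", packing_indicators(sample) or "none")
```

On a real sample, run packing_indicators over the file bytes before and after upx -d: the UPX names and the empty first section should disappear and the entropy of the code section should drop to that of ordinary machine code, which is the quickest confirmation that the unpack actually produced the original image rather than a second layer.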

O4 - HKLM\..