Tuesday, 1 May 2018

Key Concepts of Malware Analysis



The method by which malware analysis is performed typically falls under one of two types:
Static malware analysis: Static or Code Analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA. The machine code can sometimes be translated into assembly code which can be read and understood by humans: the malware analyst can then make sense of the assembly instructions and have an image of what the program is supposed to perform. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.
Dynamic malware analysis: Dynamic or Behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from actually infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete. The malware may also be debugged while running using a debugger such as GDB or WinDbg to watch the behavior and effects on the host system of the malware step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.
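The static side of this, as an added example that is not part of the original post: a small triage script that dissects a PE file without executing it, walking the DOS and PE headers to the section table, scoring each section's entropy as a packer heuristic, and pulling printable strings. Only the Python standard library is used, and the PE image it inspects is constructed inline (a non-runnable fake, not real malware); the section names, string contents and thresholds are assumptions for the demonstration.

```python
"""Static-properties triage of a PE file using only the standard library (added example)."""
import hashlib
import math
import random
import re
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes per section


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code sits around 5-6.5, packed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; nothing is executed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        name, _vsize, vaddr, raw_size, raw_ptr, *_, chars = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "virtual_address": vaddr,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": chars})
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0, min_len: int = 6) -> dict:
    """Hash, per-section entropy with a packer heuristic, and printable strings."""
    report = {"sha256": hashlib.sha256(pe).hexdigest(), "sections": [], "likely_packed": False}
    for s in parse_pe_sections(pe):
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        s["entropy"] = round(shannon_entropy(data), 2)
        s["suspicious"] = s["entropy"] > entropy_threshold
        report["likely_packed"] = report["likely_packed"] or s["suspicious"]
        report["sections"].append(s)
    # Strings over the whole image; a packed section mostly yields junk, which is itself a hint.
    report["strings"] = [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, pe)]
    return report


def build_sample_pe(sections: list) -> bytes:
    """Assemble a tiny, deliberately non-runnable PE image as constructed test input."""
    coff_off, opt_size = 0x80, 0xE0                 # PE32 optional header is left zeroed
    table = coff_off + 4 + 20 + opt_size
    raw_off = (table + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    header = bytearray(raw_off)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, coff_off)
    header[coff_off:coff_off + 4] = b"PE\0\0"
    struct.pack_into("<HH", header, coff_off + 4, 0x14C, len(sections))   # i386, NumberOfSections
    struct.pack_into("<H", header, coff_off + 4 + 16, opt_size)
    body = b""
    for i, (name, data) in enumerate(sections):
        struct.pack_into(SECTION_HDR, header, table + 40 * i, name.encode().ljust(8, b"\0"), len(data),
                         0x1000 * (i + 1), len(data), raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(header) + body


# Constructed sample: a plain code-like .text next to a random-looking "UPX1" section (a fake, not real malware).
_rng = random.Random(7)
SAMPLE_PE = build_sample_pe([
    (".text", (b"\x55\x8b\xec" * 200 + b"CreateRemoteThread\0http://c2.example.invalid/\0").ljust(1024, b"\0")),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
])
```

Running `triage(SAMPLE_PE)` flags the UPX1 section (entropy close to 8) and leaves .text alone, while the strings list surfaces the API name and URL an analyst would pivot on next.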


Stages

Examining malicious software involves several stages, including, but not limited to, the following:
  1. Manual Code Reversing
  2. Interactive Behavior Analysis
  3. Static Properties Analysis
  4. Fully-Automated Analysis

Binary analysis tools

  • pestudio
  • peid
  • exeinfope
  • PEView
  • Resource Hacker: free resource extraction utility and resource compiler for Windows by Angus Johnson
  • HxD: hex editor for Windows by Maël Hörz

Disassemblers

  • IDA Pro: Disassembler by Hex-Rays
  • Radare2: Disassembler by pancake
  • Binary Ninja: Disassembler by Vector 35

Debuggers

  • GNU Debugger: Debugger by GNU
  • WinDbg: Debugger by Microsoft
  • OllyDbg: Debugger by Oleh Yuschuk
  • x64dbg: Open source debugger for Windows

Malware Analysis Tools:

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools.
  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable distributed file analysis framework.
  • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework.
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.
    • anlyz.io – Online sandbox.
    • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
    • AVCaesar – Malware.lu online scanner and malware repository.
    • Cryptam – Analyze suspicious office documents.
    • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
    • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
    • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
    • DeepViz – Multi-format file analyzer with machine-learning classification.
    • detux – A sandbox developed for traffic analysis of Linux malware and capturing IOCs.
    • DRAKVUF – Dynamic malware analysis system.
    • firmware.re – Unpacks, scans and analyzes almost any firmware package.
    • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
    • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
    • Intezer – Detect, analyze, and categorize malware by identifying code reuse and code similarities.
    • IRMA – An asynchronous and customizable analysis platform for suspicious files.
    • Joe Sandbox – Deep malware analysis with Joe Sandbox.
    • Jotti – Free online multi-AV scanner.
    • Limon – Sandbox for Analyzing Linux Malware.
    • Malheur – Automatic sandboxed analysis of malware behavior.
    • malsub – A Python RESTful API framework for online malware and URL analysis services.
    • Malware config – Extract, decode and display online the configuration settings from common malwares.
    • Malwr – Free analysis with an online Cuckoo Sandbox instance.
    • Metadefender – Scan a file, hash or IP address for malware (free).
    • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
    • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
    • PacketTotal – An online engine for analyzing .pcap files and visualizing the network traffic within them.
    • PDF Examiner – Analyse suspicious PDF files.
    • ProcDot – A graphical malware analysis tool kit.
    • Recomposer – A helper script for safely uploading binaries to sandbox sites.
    • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
    • SEKOIA Dropper Analysis – Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
    • VirusTotal – Free online analysis of malware samples and URLs.
    • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
    • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.
  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu – Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.
  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java IDX cache files.
  • JSDetox – JavaScript malware analysis tool.
  • jsunpack-n – A javascript unpacker that emulates browser functionality.
  • Krakatau – Java decompiler, assembler, and disassembler.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
  • swftools – Tools for working with Adobe Flash files.
  • xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple JavaScript that uses eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – A compact C framework to analyze suspected malware documents, identify exploits in streams of different encodings, and locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.
  • bulk_extractor – Fast file carving tool.
  • EVTXtract – Carve Windows Event Log files from raw binary data.
  • Foremost – File carving tool designed by the US Air Force.
  • hachoir3 – Hachoir is a Python library to view and edit a binary stream field by field.
  • Scalpel – Another data carving tool.
  • SFlock – Nested archive extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.
  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Memory Forensics

Tools for dissecting malware in memory images or running systems.
  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts reverse malware collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.
ODA
ODA stands for Online DisAssembler. ODA is a general purpose machine code disassembler that supports a myriad of machine architectures.
Built on the shoulders of libbfd and libopcodes (part of binutils), ODA allows you to explore an executable by dissecting its sections, strings, symbols, raw hex, and machine level instructions.
ODA is an online Web Based Disassembler for when you don’t have time or space for a thick client. ODA is a BETA release that is limited by the resource constraints of the server on which it is hosted and the spare time of its creators.
Features:
  • Malware analysis
  • Vulnerability research
  • Visualizing the control flow of a group of instructions
  • Disassembling a few bytes of an exception handler that is going off into the weeds
  • Reversing the first few bytes of a Master Boot Record (MBR) that may be corrupt
  • Debugging an embedded systems device driver
So that's it. Hope you guys like it. If yes, then please comment down below, and don't forget to like, follow and share our social media platforms.

Facebook Page:- https://www.facebook.com/theprogrammer.harshit/ 

Saturday, 28 April 2018

Concept of Serverless Computing

Technology is changing at breakneck speed. New concepts are coming in and old concepts are transforming. As a result, there is a lot of shift in the way people work with these technological advancements. One technology that every developer should look at is serverless computing. It is a buzzword now that all information technology firms are looking to cram into their organizations, because it offers plenty of advantages that clearly bring a new set of opportunities.
“Serverless will fundamentally change how we build a business around technology and how you code.” – Simon Wardley

What is Serverless computing?

Everyone thinks the term ‘Serverless’ means not having servers, but that is not the case. Serverless computing means that anyone can build and run applications and services without thinking about servers and their implementation and management. So serverless computing does have servers, but users and developers are unaware of them.
With this fascinating technology, you can build and maintain any type of application and scale it with high availability. Serverless computing is implemented on serverless architectures provided by different vendors, such as AWS Lambda, Google Cloud Functions, OpenWhisk, etc.

How does serverless architecture work?

Serverless architecture mainly consists of applications that depend on services provided by vendors. There are two different kinds of serverless service offered by vendors:

1. Back-end as a Service

Back-end as a Service is a cloud computing model that lets developers connect web and mobile applications to the cloud via an Application Programming Interface. It acts as middleware between the front-end and the cloud back-end. Here developers don’t need to think about the back-end, because it is served as a service by the provider.

2. Functions as a Service

Building an application using this model is one way of achieving a serverless architecture, and it is mainly used when building microservice applications. Here developers only depend on a block of code or business logic that is executed when it is required. This service entirely avoids the complexity of building and maintaining the infrastructure, and it is billed on a ‘pay-as-you-go’ basis.

Why Serverless computing?

The prior technology has many drawbacks compared to the new serverless technology.
  • Applications were written and run on servers that are fixed resources, so they cannot handle on-demand traffic when requests pour in heavily.
  • Most of the time the CPU remains idle because the server is busy with networking and I/O requests.

Serverless Computing vendors

AWS Lambda, introduced by Amazon in 2014, was the first public cloud vendor with an abstract serverless computing offering. AWS Lambda initially supported only Node.js. It now supports Python, Java, C# and Go, and code written in other languages can be invoked indirectly via Node.js.
Google Cloud Platform offers Google Cloud Functions, which currently supports Node.js.
IBM has published OpenWhisk as an open source serverless platform. OpenWhisk includes native support for Node.js, Python, Java, and Swift, and supports other languages and runtimes via Docker containers.
Microsoft Azure offers Azure Functions, which is available both in the Azure public cloud and on-premises via Azure Stack.

How do developers benefit from serverless computing?

Developers gain freedom with serverless computing; it has a lot of benefits for coders and programmers. They can build an application without worrying about the infrastructure of the platform. Developers can focus on their core product and spend their time producing better quality products. They can stop worrying about managing and operating servers or runtimes, in the cloud or on-premises. It is the provider’s duty to automate the infrastructure tasks away from the developer’s view.

Friday, 27 April 2018

What are Botnets? How do they work?

Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes.
Botnets are also becoming a larger part of cultural discussions around cyber security. Facebook’s fake ad controversy and the Twitter bot fiasco during the 2016 presidential election worry many politicians and citizens about the disruptive potential of botnets. Recently published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news.
The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.
Aside from being tools for influencing elections and mining cryptocurrencies, botnets are also dangerous to corporations and consumers because they’re used to deploy malware, initiate attacks on websites, steal personal information, and defraud advertisers.
It’s clear botnets are bad, but what are they exactly? And how can you protect your personal information and devices? Step one is understanding how bots work. Step two is taking preventative actions.

How Do Botnets Work?

To better understand how botnets function, consider that the name itself is a blending of the words “robot” and “network”. In a broad sense, that’s exactly what botnets are: a network of robots used to commit cyber crime. The cyber criminals controlling them are called botmasters or bot herders.

Size Matters

To build a botnet, botmasters need as many infected online devices or “bots” under their command as possible. The more bots connected, the bigger the botnet. The bigger the botnet, the bigger the impact. So size matters. The criminal’s ultimate goal is often financial gain, malware propagation, or just general disruption of the internet.
Imagine the following: You’ve enlisted ten of your friends to call the Department of Motor Vehicles at the same time on the same day. Aside from the deafening sounds of ringing phones and the scurrying of State employees, not much else would happen. Now, imagine you wrangled 100 of your friends to do the same thing. The simultaneous influx of such a large number of signals, pings, and requests would overload the DMV’s phone system, likely shutting it down completely.
Cybercriminals use botnets to create a similar disruption on the internet. They command their infected bot army to overload a website to the point that it stops functioning and/or access is denied. Such an attack is called a denial of service; when it comes from many machines at once, as with a botnet, it is a distributed denial of service, or DDoS.
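The DMV phone-line picture above as detection logic, added here as an example that is not part of the original post: a sliding-window counter over web-access log lines that tells a single noisy caller apart from a crowd of bots that each stay quiet but together overwhelm the service. The log format, the IP ranges and the thresholds are assumptions, and all traffic is constructed inline.

```python
"""Flood detection over constructed web-access log lines (added example, not from the original post)."""
from collections import defaultdict, deque

WINDOW = 10            # seconds of traffic considered at once
PER_CLIENT_LIMIT = 50  # one IP above this in a window looks like a single abusive client
AGGREGATE_LIMIT = 200  # total requests per window the service (the DMV switchboard) can absorb
MIN_SOURCES = 20       # a flood spread over at least this many IPs is treated as distributed


def parse_line(line: str):
    """Constructed log format, one request per line: '<unix_ts> <src_ip> <path>'."""
    ts, ip, path = line.split()
    return int(ts), ip, path


def detect_floods(lines) -> set:
    """Slide a WINDOW-second window over the log; return the set of alert types raised."""
    recent = deque()            # (ts, ip) for requests inside the current window
    per_ip = defaultdict(int)   # requests per source inside the window
    alerts = set()
    for line in lines:
        ts, ip, _path = parse_line(line)
        recent.append((ts, ip))
        per_ip[ip] += 1
        while recent[0][0] < ts - WINDOW:         # evict requests older than the window
            _old_ts, old_ip = recent.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if per_ip[ip] > PER_CLIENT_LIMIT:
            alerts.add("single-source flood")     # ten friends on one phone: easy to block by source
        elif len(recent) > AGGREGATE_LIMIT and len(per_ip) >= MIN_SOURCES:
            alerts.add("distributed flood")       # every bot stays under the limit; the crowd does the damage
    return alerts


def make_traffic(n_sources: int, per_source: int, start: int = 1_700_000_000) -> list:
    """Constructed traffic: n_sources IPs each sending per_source requests spread over WINDOW seconds."""
    total = n_sources * per_source
    return [f"{start + (i * WINDOW) // total} 10.0.{(i % n_sources) // 256}.{(i % n_sources) % 256} /login"
            for i in range(total)]


if __name__ == "__main__":
    print("normal :", detect_floods(make_traffic(30, 2)))   # 60 requests from 30 IPs
    print("single :", detect_floods(make_traffic(1, 300)))  # one IP hammering the service
    print("botnet :", detect_floods(make_traffic(100, 5)))  # 500 requests, nobody above the per-client limit
```

The third case is the one the post is about: no single source trips the per-client rule, so only the aggregate view catches it, which is why per-IP blocking alone does not stop a botnet.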


Thursday, 26 April 2018

Capacitive vs. Resistive Touchscreens


In recent years the popularity of touchscreen smartphones and tablets has increased rapidly, and because of that many companies have started making different types of touchscreens so that customers can use their smartphones easily. But people sometimes get confused about which screen they should opt for, the capacitive one or the resistive one. Today we are going to explain some key differences between the two screens, and how each of them works.

Capacitive



Although the capacitive screen first appeared in the 1960s, it took off in the market in 2007 with the Apple iPhone. Now most devices use it, such as Apple's iPad, some of the Samsung Galaxy series smartphones and the Amazon Kindle Fire. Capacitive screens are based on the principle of capacitance, a measure of electric charge.


  • How it works?
               Capacitive screens sense the tiny amount of electric charge on your skin that is produced when your finger interacts with the screen's electric field. The glass screen often has an oil-resistant coating. When you touch the top glass of a capacitive touchscreen, the capacitance of the area you touched increases. Grids of wires and electrodes below the top glass detect precisely where that increase occurs. Very fast microcontrollers translate the location into input for the device so that it can respond appropriately.

An advantage of the capacitive touchscreen is that it registers multiple touches at once.
A disadvantage of the capacitive screen is that it doesn't work with gloves, fingernails or other objects that don't carry a charge similar to a finger.

Resistive

Many screens still use this technology today, such as ATMs, hand-held video games, in-car screens, and some smartphones. It's easy to tell just by looking at the image below.


  • How it works?

Two thin layers, usually made of tough plastic, are held apart by tiny transparent spacers. Electricity runs across the two layers. When the screen is pressed, the top layer is forced against the bottom layer, and the sensor detects where the two meet.

An advantage of the resistive screen is that it can be pressed with anything: gloves, nails, fingers, anything.
A disadvantage of the resistive screen is that it is less responsive than a capacitive screen, as it requires pressure rather than just proximity; it can't recognize multiple touches, and sliding and dragging aren't as smooth.

