malware
malware threats::
malware::
s/w that performs malicious actions
botnets (remotely controlled)
how does malware get in:::
virus: needs human assistance
worms: spread automatically
concealment::
rootkit:: modifies the OS to hide
trojan:: code hidden inside the desired files
inside attacks::
backdoor::
hidden features
easter egg
logic bomb::
triggered by a logical condition
omega bomb::
trojan::
harmful code (payload)
it contains:
keylogger, rootkit, spyware or other executable code
trojan lifecycle:::
payload (find info)
legitimate program (inject payload into legitimate prog)
spread (like in torrent, website etc)
infect (install, permissions at the same level)
goals::
disable firewall
replace or delete OS files
open a backdoor
disable antivirus
turn target into proxy
add to a botnet
generate bogus traffic for DoS
download and install spyware, adware etc
grab screenshots
record video from camera
use target for spamming
clues for trojan::
antivirus disabled
ctrl+alt+del stops working
random restarts
screen saver
taskbar disabled
start menu disappears
DVD drive ejects randomly
hard drive activity
heavy network traffic
ISP complaints
trojan infection:::
infect the target::
combine multiple files
click on file
email attachment
social engineering
SEToolkit (tools)
different ways to enter::
evading antivirus::
changing checksum
write your own trojan
google project:::
prescramber
use hex editor
break the trojan into multiple files
modify the syntax
avoid id's trojan
types of trojans::
top 10::
notification trojan
IRC
PHP
net send
ICQ
botnet trojan
proxy server trojan
FTP server
VNC trojan
HTTP/HTTPS trojan
creates a tunnel
port 80/443
traffic converted into base64
command shell trojan
netcat
telnet into shell
full DNS checking
use any local port and slowmo
document trojan
email based trojan
RAT trojan (remote access trojan)
Back Orifice / NetBus
Beast (tools) not run on origin machine
viruses and worms::
difference::
virus::
attaches itself to a file/program
replaces system files
cannot spread without human interaction
worms::
attached
copies itself and replicates
doesn't require human interaction
enters via a vulnerability
uses standard file transport features
SQL Slammer 2003 (worm example):::
based on a proof of concept
created denial of service in the network
routers failed
types of viruses and worms:::
file virus
cluster virus
boot sector virus
macro virus
polymorphic virus
metamorphic:: modifies itself on all devices (skynet)
cavity virus:: file override (space filler), modifies host files
encryption virus
camouflage virus
.com, .exe, .bat name.extension: runs .com first, then .exe and .bat
shell virus
file extension
tunnel virus (hides itself in the system sector)
intrusive virus
life cycle:::
creation-->replicate-->discovery-->resolution-->purging--
^-------------------------------------------------------!
phases::
infection phase::
replicates and attaches
needs an event
setup files
start up
TSR
attack phase::
corruption begins
delete
alter files
execute tasks
camouflage
signs and why:::
deployment of viruses and worms::
download files
pirated s/w
real or fake, does it matter::
email headers
delete legitimate files
detecting malware::
create a virus
terabit virus maker (tools)
IWMT (Internet Worm Maker Thing) (tools)
investigations::
where to start
sheep dip
clean system
super dale virtualization
monitor everything
setup:
install virtualization
quarantine the n/w
disable shared folders
copy malware
collect string values inside binaries
BinText (tools)
UPX (tools)
port monitoring s/w
online malware testing
VirusTotal (website)
malware protection center (website)
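Added example (not from these notes, not BinText or UPX code): a small Python string extractor for the "collect string values inside binaries" step, covering both ASCII and UTF-16LE strings the way a BinText-style tool does, plus a check for the section names and header signature a UPX-packed executable normally carries. SAMPLE_BLOB, the function names and the example.invalid URL are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample blob standing in for a binary under investigation.
# It mixes non-printable bytes with an ASCII string, a UTF-16LE string
# and a UPX section name. It is NOT a real sample.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    + b"\xff\xfe" + "http://example.invalid/c2".encode("utf-16-le")
    + b"\x00\x00\x00"
    + b"CreateRemoteThread\x00"
    + b"\x00\x13"
    + b"UPX0\x00\x00\x00\x00"
    + b"ab\x00"  # too short to be reported at the default min_len
)


def extract_ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable UTF-16LE characters (char, NUL pairs)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Markers a UPX-packed PE normally carries (section names UPX0/UPX1 and the
# "UPX!" header signature). Presence is a heuristic, not proof of packing,
# and absence proves nothing: a modified packer may rename them.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def looks_upx_packed(data: bytes) -> bool:
    return any(marker in data for marker in UPX_MARKERS)


def triage_strings(data: bytes) -> Dict[str, object]:
    """One-shot triage: which strings are visible, and does it look packed?"""
    ascii_strings = extract_ascii_strings(data)
    wide_strings = extract_utf16le_strings(data)
    urls = [s for s in ascii_strings + wide_strings
            if s.startswith(("http://", "https://"))]
    return {
        "ascii": ascii_strings,
        "utf16le": wide_strings,
        "urls": urls,
        "upx_markers_present": looks_upx_packed(data),
    }


if __name__ == "__main__":
    for key, value in triage_strings(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run it on a real file with `triage_strings(Path(p).read_bytes())` inside the quarantined VM from the setup steps above. Few readable strings plus UPX markers usually means the sample is packed, so unpack it (UPX can unpack its own format with `upx -d`) and extract strings again; the UTF-16LE pass matters because Windows binaries keep many URLs, registry paths and file names as wide strings that an ASCII-only pass misses.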
tools and utility belt::
TCPView (tools)
Autoruns (tools)
DriverView (tools)
SFC (system file checker) (tools)
countermeasures::
virus discovery methods::
scanning
integrity checking
interception
master list::
3 levels
server
antivirus
create policies
watch downloading
update s/w
attachment issues
what's the source
keep informed
scan system daily
check media
popups
chat files
firewall and UAC