Introduction to malwares
•
1 like•825 views
Introduction to Malwares by Abdessabour Arous - tunCERT Presented at: - INIT 2014 - ESPRIT Cryptoparty event 2013 - University of Jendouba 2013 Malware samples and source codes for the demos: https://github.com/AbMaster/IntroductionToMalwareTalk
Report
Share
Report
Share
![AbdessabourAROUSCritical InfrastructionsMonitoring Team -tunCERT
abdessabour.arous[x40]ansi.tn](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
End of Studies project: Malware Repsonse Center
(Beta version) My End of Studies Project presentation to get an Engineer degree in Computer Science.
Abdessabour Arous - ESPRIT 2014
Hunting Lateral Movement in Windows Infrastructure
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
Ceh v8 labs module 05 system hacking
LCP is a password cracking tool that can extract administrator passwords remotely. In this lab, LCP was used to crack the administrator password of a Windows Server 2012 system with IP address WIN-039MR5HL9E4. It retrieved the usernames and passwords of various accounts, including the administrator account. NTFS streams allow files to be hidden by associating them with the main file or directory as an alternate data stream. This lab demonstrates how to hide the calc.exe file in the C:\magic folder using NTFS streams so it is not visible normally.
Black Energy18 - Russian botnet package analysis
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
MNSEC 2018 - Windows forensics
This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.
A Stuxnet for Mainframes
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
Finfisher- Nguyễn Chấn Việt
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows, iOS, Android, Blackberry, Symbian, and other mobile devices to monitor users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities including recording calls, intercepting messages, and tracking locations.
Ceh v8 labs module 03 scanning networks
Vulnerability scanning evaluates an organization's systems and network to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. The document discusses using the Advanced IP Scanner tool to perform a network scan on a target Windows Server 2008 system from a Windows 8 attacker system to check for live systems, open ports, and gather information about computers on the local network. It provides instructions on launching Advanced IP Scanner, entering an IP address range to scan, and viewing the scan results.
Recommended
End of Studies project: Malware Repsonse Center
(Beta version) My End of Studies Project presentation to get an Engineer degree in Computer Science.
Abdessabour Arous - ESPRIT 2014
Hunting Lateral Movement in Windows Infrastructure
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
Ceh v8 labs module 05 system hacking
LCP is a password cracking tool that can extract administrator passwords remotely. In this lab, LCP was used to crack the administrator password of a Windows Server 2012 system with IP address WIN-039MR5HL9E4. It retrieved the usernames and passwords of various accounts, including the administrator account. NTFS streams allow files to be hidden by associating them with the main file or directory as an alternate data stream. This lab demonstrates how to hide the calc.exe file in the C:\magic folder using NTFS streams so it is not visible normally.
Black Energy18 - Russian botnet package analysis
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
MNSEC 2018 - Windows forensics
This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.
A Stuxnet for Mainframes
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
Finfisher- Nguyễn Chấn Việt
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows, iOS, Android, Blackberry, Symbian, and other mobile devices to monitor users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities including recording calls, intercepting messages, and tracking locations.
Ceh v8 labs module 03 scanning networks
Vulnerability scanning evaluates an organization's systems and network to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. The document discusses using the Advanced IP Scanner tool to perform a network scan on a target Windows Server 2008 system from a Windows 8 attacker system to check for live systems, open ports, and gather information about computers on the local network. It provides instructions on launching Advanced IP Scanner, entering an IP address range to scan, and viewing the scan results.
Malware Analysis and Defeating using Virtual Machines
The document discusses techniques used by malware to detect virtual machines and strategies to prevent such detection. It outlines several techniques malware uses to detect virtual machines, including hardware fingerprinting, registry checks, process/file checks, memory checks, timing analysis, and communication channel checks. It then discusses approaches used by popular virtual machines like VMware, VirtualBox, and VirtualPC. The document proposes developing a tool called VMDetectGuard that would monitor for calls and instructions used in detection and mask the virtual machine's identity by providing false information to tricks malware.
Indicators of compromise: From malware analysis to eradication
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
Hunting malware via memory forensics
This presentation at a broad level covers steal techniques adopted by malware authors to push malicious code to the victim without detection.
Building HMI with VB Tutorial [1998]
"Building HMI with Visual Basic Technologies - 1998". Though they are old slides but still worth having a look especially for those who are new to HMI and SCADA technologies.
Malware analysis - What to learn from your invaders
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
Kheirkhabarov24052017_phdays7
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
Living off the land and fileless attack techniques
Living off the land tactics involve attackers using only pre-installed software and tools on a system to carry out an attack without installing additional binaries. This allows attacks to be harder to detect and trace since it does not involve new files being placed on a system. Attackers make use of techniques like memory-only attacks, scripts hidden in locations like the registry rather than files, and abusing legitimate dual-use tools to blend in and carry out lateral movement, credential theft, and other objectives. Defending against these tactics requires advanced detection methods that can analyze behaviors rather than just files to identify potentially malicious activity and abuse of system tools.
Shusei tomonaga pac_sec_20171026
Remove unnecessary data
Remove ping commands
Remove IP addresses
Remove drive letters
40
Data Cleansing
Copyright ©2017 JPCERT/CC All rights reserved.
Collection of training data
Data cleansing
Data analysis with Machine Learning
Evaluate and select the best
algorithm
41
Flow of Algorithm Selection for Machine Learning
Data analysis with Machine Learning algorithms:
- Decision Tree
- Naive Bayes
- k-Nearest Neighbors
- Logistic Regression
- Support Vector Machine
Evaluate based on:
- Accuracy
- Recall
- Precision
- F1 Score
Select algorithm with best performance
Basic malware analysis
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
Ch0 1
This document provides an overview of basic static malware analysis techniques. It discusses using antivirus scanners, hashing files, and analyzing strings to identify malware without executing it. It also covers examining the Portable Executable (PE) file format used in Windows executables, including analyzing the PE header, imported and exported functions, linked libraries, and important sections like .text and .rsrc. Detecting packed files and analyzing the PE dynamically at runtime is also mentioned. The goal is to gain an initial understanding of unknown files through static inspection before dynamic analysis.
Ir alert-med-17-093-01 c-intrusions-affecting_multiple_victims_across_multipl...
HOME LAND alert for a probable attack
"A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
A walk through Windows firewall and Netsh commands
Presentation slides explores various options of windows firewall and Netsh command line utility.
It explains about enabling logging feature for allowed/blocked logs, understanding different options for inbound and outbound connection and interpretation of logs for detecting anomalies in Windows O.S.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
Malware analysis
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
Атаки на платформу Java Card с использованием вредоносных апплетов
Докладчик расскажет об атаках на защищенные контейнеры смарт-карт на базе Java, позволяющих злоумышленнику украсть криптографические ключи и PIN-коды других установленных на карте апплетов.
Горизонтальные перемещения в инфраструктуре Windows
Язык докладаРусскийЗанимается «бумажной» и практической информационной безопасностью более 6 лет. Аналитик SOC в «Лаборатории Касперского». В прошлом руководитель подразделения ИБ на одном из промышленных предприятий. Закончил специалитет и магистратуру СибГАУ им. академика М. Ф. Решетнева (в котором в дальнейшем читал курсы по ИБ). Участник ряда CTF. Выступал на ZeroNights.Теймур Хеирхабаров Теймур Хеирхабаров Управление рисками: как перестать верить в иллюзииFast Track
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
The document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported and contributed to the training. It states that the presentation is part of an advanced malware analysis training program currently only delivered locally for free. It introduces the speaker, Swapnil Pathak, and provides an outline of the topics to be covered, including anti-reversing techniques, anti-debugging, anti-VM, and anti-anti-reversing, followed by a question and answer section.Top 10 Latest Viruses
This document summarizes the top 10 latest viruses as of November 2013, including Exploit.CVE-2011-3402.Gen, Trojan.Ransom.IcePol, Trojan.Flame.A, Trojan.OlympicGames, Trojan.Startpage.AABI, Trojan.FakeAV, Rootkit.MBR.TDSS, Rootkit.Sirefef.Gen, PDF:Exploit.CVE-2013-5065.A, and Exploit.CVE-2013-5065.A. Each virus is briefly described, and its spreading ability and potential damage are rated.
How to drive a malware analyst crazy
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
Assingment 5 - ENSA
ENISA is the EU's cybersecurity agency that works with EU members, private sector, and citizens to develop cybersecurity best practices. It assists EU members in implementing legislation and improving critical infrastructure resilience. ENISA seeks to enhance member state expertise by supporting cross-border cybersecurity communities throughout Europe.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
Stuxnet is analyzed in detail, including its architecture, functionality, and propagation methods. It is described as a highly advanced persistent threat that targeted Iran's nuclear facilities. The document outlines how Stuxnet used zero-day exploits and a digital certificate to inject code into industrial control systems and spread via removable drives and network shares. Stuxnet's command and control infrastructure and ability to infect project files for industrial software are also summarized.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
The document summarizes a seminar on the Stuxnet cyber attack. It discusses Stuxnet as a sophisticated cyber weapon targeting Iranian nuclear facilities. It provides an overview of Stuxnet's architecture and propagation methods, describing how it exploited Windows vulnerabilities to infect industrial control systems and spread via removable drives. The document analyzes Stuxnet's command-and-control infrastructure and rootkit functionality used to hide its files and remain undetected on systems.
More Related Content
What's hot
Malware Analysis and Defeating using Virtual Machines
The document discusses techniques used by malware to detect virtual machines and strategies to prevent such detection. It outlines several techniques malware uses to detect virtual machines, including hardware fingerprinting, registry checks, process/file checks, memory checks, timing analysis, and communication channel checks. It then discusses approaches used by popular virtual machines like VMware, VirtualBox, and VirtualPC. The document proposes developing a tool called VMDetectGuard that would monitor for calls and instructions used in detection and mask the virtual machine's identity by providing false information to tricks malware.
Indicators of compromise: From malware analysis to eradication
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
Hunting malware via memory forensics
This presentation at a broad level covers steal techniques adopted by malware authors to push malicious code to the victim without detection.
Building HMI with VB Tutorial [1998]
"Building HMI with Visual Basic Technologies - 1998". Though they are old slides but still worth having a look especially for those who are new to HMI and SCADA technologies.
Malware analysis - What to learn from your invaders
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
Kheirkhabarov24052017_phdays7
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
Living off the land and fileless attack techniques
Living off the land tactics involve attackers using only pre-installed software and tools on a system to carry out an attack without installing additional binaries. This allows attacks to be harder to detect and trace since it does not involve new files being placed on a system. Attackers make use of techniques like memory-only attacks, scripts hidden in locations like the registry rather than files, and abusing legitimate dual-use tools to blend in and carry out lateral movement, credential theft, and other objectives. Defending against these tactics requires advanced detection methods that can analyze behaviors rather than just files to identify potentially malicious activity and abuse of system tools.
Shusei tomonaga pac_sec_20171026
Remove unnecessary data
Remove ping commands
Remove IP addresses
Remove drive letters
40
Data Cleansing
Copyright ©2017 JPCERT/CC All rights reserved.
Collection of training data
Data cleansing
Data analysis with Machine Learning
Evaluate and select the best
algorithm
41
Flow of Algorithm Selection for Machine Learning
Data analysis with Machine Learning algorithms:
- Decision Tree
- Naive Bayes
- k-Nearest Neighbors
- Logistic Regression
- Support Vector Machine
Evaluate based on:
- Accuracy
- Recall
- Precision
- F1 Score
Select algorithm with best performance
Basic malware analysis
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
Ch0 1
This document provides an overview of basic static malware analysis techniques. It discusses using antivirus scanners, hashing files, and analyzing strings to identify malware without executing it. It also covers examining the Portable Executable (PE) file format used in Windows executables, including analyzing the PE header, imported and exported functions, linked libraries, and important sections like .text and .rsrc. Detecting packed files and analyzing the PE dynamically at runtime is also mentioned. The goal is to gain an initial understanding of unknown files through static inspection before dynamic analysis.
Ir alert-med-17-093-01 c-intrusions-affecting_multiple_victims_across_multipl...
HOME LAND alert for a probable attack
"A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
A walk through Windows firewall and Netsh commands
Presentation slides explores various options of windows firewall and Netsh command line utility.
It explains about enabling logging feature for allowed/blocked logs, understanding different options for inbound and outbound connection and interpretation of logs for detecting anomalies in Windows O.S.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
Malware analysis
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
Атаки на платформу Java Card с использованием вредоносных апплетов
Докладчик расскажет об атаках на защищенные контейнеры смарт-карт на базе Java, позволяющих злоумышленнику украсть криптографические ключи и PIN-коды других установленных на карте апплетов.
Горизонтальные перемещения в инфраструктуре Windows
Язык докладаРусскийЗанимается «бумажной» и практической информационной безопасностью более 6 лет. Аналитик SOC в «Лаборатории Касперского». В прошлом руководитель подразделения ИБ на одном из промышленных предприятий. Закончил специалитет и магистратуру СибГАУ им. академика М. Ф. Решетнева (в котором в дальнейшем читал курсы по ИБ). Участник ряда CTF. Выступал на ZeroNights.Теймур Хеирхабаров Теймур Хеирхабаров Управление рисками: как перестать верить в иллюзииFast Track
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
The document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported and contributed to the training. It states that the presentation is part of an advanced malware analysis training program currently only delivered locally for free. It introduces the speaker, Swapnil Pathak, and provides an outline of the topics to be covered, including anti-reversing techniques, anti-debugging, anti-VM, and anti-anti-reversing, followed by a question and answer section.Top 10 Latest Viruses
This document summarizes the top 10 latest viruses as of November 2013, including Exploit.CVE-2011-3402.Gen, Trojan.Ransom.IcePol, Trojan.Flame.A, Trojan.OlympicGames, Trojan.Startpage.AABI, Trojan.FakeAV, Rootkit.MBR.TDSS, Rootkit.Sirefef.Gen, PDF:Exploit.CVE-2013-5065.A, and Exploit.CVE-2013-5065.A. Each virus is briefly described, and its spreading ability and potential damage are rated.
How to drive a malware analyst crazy
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
Assingment 5 - ENSA
ENISA is the EU's cybersecurity agency that works with EU members, private sector, and citizens to develop cybersecurity best practices. It assists EU members in implementing legislation and improving critical infrastructure resilience. ENISA seeks to enhance member state expertise by supporting cross-border cybersecurity communities throughout Europe.
What's hot (20)
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
Living off the land and fileless attack techniques
Living off the land and fileless attack techniques
Ir alert-med-17-093-01 c-intrusions-affecting_multiple_victims_across_multipl...
Ir alert-med-17-093-01 c-intrusions-affecting_multiple_victims_across_multipl...
A walk through Windows firewall and Netsh commands
A walk through Windows firewall and Netsh commands
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Атаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетов
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniques
Similar to Introduction to malwares
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
Stuxnet is analyzed in detail, including its architecture, functionality, and propagation methods. It is described as a highly advanced persistent threat that targeted Iran's nuclear facilities. The document outlines how Stuxnet used zero-day exploits and a digital certificate to inject code into industrial control systems and spread via removable drives and network shares. Stuxnet's command and control infrastructure and ability to infect project files for industrial software are also summarized.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
The document summarizes a seminar on the Stuxnet cyber attack. It discusses Stuxnet as a sophisticated cyber weapon targeting Iranian nuclear facilities. It provides an overview of Stuxnet's architecture and propagation methods, describing how it exploited Windows vulnerabilities to infect industrial control systems and spread via removable drives. The document analyzes Stuxnet's command-and-control infrastructure and rootkit functionality used to hide its files and remain undetected on systems.
Stuxnet dc9723
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
Strategies to design FUD malware
.Today, criminals are using novel tecnhiques to bypass AV detecions. Manual debugging must be used to unpack malware (a hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals’ modus operandi, and manual analysis is always required to reveal FUD malware.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
Solve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with KubernetesNiklas Quarfot Nielsen
As we move from monolithic applications to microservices, the ability to colocate workloads offers a tremendous opportunity to realize greater development velocity, robustness, and resource utilization. But workload colocation can also introduce performance variability and affect service levels. Google describes the problem as the “tail at scale”—the amplification of negative results observed at the tail of the latency curve when many systems are involved.
With its latest tooling capabilities, Intel has an experiments framework to calculate the trade-offs between low latency and higher density. Niklas Nielsen discusses the challenges and complexities of workload colocation, why solving these challenges matters to your business no matter the size, and how Intel intends to help smarter resource allocations with its latest tooling capabilities and Kubernetes.MKAD_black_V2
The document provides steps for crafting payloads to hack traffic light systems for physical attacks with catastrophic consequences. It introduces the authors and their backgrounds in embedded security and cyber-physical exploitation. It then outlines the stages of control, access, discovery, control and damage when attacking a traffic light system, and provides demonstrations of exploiting the CybatiWorks traffic light kit to force light states, conduct stale data attacks, modify timers to speed up lights, and modify control logic. It stresses the need for cleanup to blind operators of the real system state using man-in-the-middle techniques.
Assessing cybersecurity_Anto Veldre
This document provides an overview of assessing cybersecurity in Estonia's modern digital era. It discusses CERT-EE's role in responding to cyber incidents, inventorying systems and objects under their purview. It also covers philosophies around balancing technical monitoring with freedom of information and partnerships between CERT, law enforcement, and other organizations. Key considerations discussed include distinguishing between technical and content controls as well as protecting private data like IP addresses.
Hacking and Computer Forensics
The document summarizes hacking techniques used by hackers:
1) Hackers perform reconnaissance like scanning public information, networks, and systems to find vulnerabilities.
2) This allows them to gain initial access, often by exploiting configuration or software errors.
3) They then use this initial access to get further system privileges or access additional machines.
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
Work-in-Progress!
IoT Cyber+Physical+Social Security
An encyclopedic compendium of tools, techniques, and practices to defend systems that sit at the intersection of the cyber and physical domains; chiefly building automation systems and the Internet of Things.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
Presentation for Industrial Control Systems Joint Working Group (ICSJWG).
This presentation will lend insight to IEEE 1711-2010, a standard for securing substation serial-based SCADA assets, and its applicability across industry sectors: electric, oil, gas, water, and chemical. Also addressed are the benefits of its implementation on legacy retrofits, SCADA link management, and integrating legacy systems and Ethernet IP SCADA networks.
An overview of unix rootkits
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
D do s
The document summarizes distributed denial of service (DDoS) attacks and defenses against them. It provides an overview of DDoS attacks, describes several common DDoS tools (Trinoo, TFN, TFN2K, Stacheldraht), and discusses challenges in defending against them. It also presents a case study of a DDoS attack against the website GRC.com and the difficulties they faced in getting help stopping the attacks. The document advocates for coordinated technical solutions and consistent incentive structures to defend against DDoS attacks.
A client-side vulnerability under the microscope!
Understanding reverse engineer using MS08-078. This presentation is an updated version of a previous series of presentations, which shows a practical methodology to perform a reverse engineering... The approach can be broader applied to any/most of the vulnerabilities targeting client-side applications.
For further details and informations, please, refer to:
- http://www.vimeo.com/nbrito
- https://www.slideshare.net/nbrito01/inception-support-slides
Infrastructure Attacks - The Next generation, ESET LLC
The document discusses the Stuxnet malware attack and its implications. It analyzes how Stuxnet used multiple zero-day vulnerabilities to target Siemens industrial control systems. While initially semi-targeted, its promiscuous spreading demonstrated how infrastructure attacks could be conceived on a massive scale. The attack highlighted vulnerabilities in critical systems and their connections to other networks. It established a template for sophisticated cyberattacks against infrastructure that governments and security professionals must address.
Contiki introduction II-from what to how
The document discusses the Contiki operating system framework, including how it uses processes and events for scheduling work, inter-process communication using event posting, and how modules like Rime and the TDMA MAC layer separate protocol logic from header construction and buffer management for flexible networking implementations. Key data structures include a process list and event queue that the kernel uses to schedule work across asynchronous processes.
Nullbyte 6ed. 2019
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
DPDK & Layer 4 Packet Processing
Learn about Transport Layer Development Kit and let us accelerate beyond the Layer 2/Layer 3.
Author: Muthurajan (M Jay) Jayakumar
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
Presentation of paper "LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis" for the course of Advanced Topics in Computer Security of prof. Stefano Zanero.
Source and further information: https://github.com/pietrodn/lo-phi
Similar to Introduction to malwares (20)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Solve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with Kubernetes
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
Recently uploaded
Astute Business Solutions | Oracle Cloud Partner |
Your goto partner for Oracle Cloud, PeopleSoft, E-Business Suite, and Ellucian Banner. We are a firm specialized in managed services and consulting.
AppSec PNW: Android and iOS Application Security with MobSF
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Choosing The Best AWS Service For Your Website + API.pptx
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Tomaz Bratanic
Graph ML and GenAI Expert - Neo4j
HCL Notes and Domino License Cost Reduction in the World of DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Mutation Testing for Task-Oriented Chatbots
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Apps Break Data
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Fueling AI with Great Data with Airbyte Webinar
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
June Patch Tuesday
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Recently uploaded (20)
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Introduction to malwares
- 2. AbdessabourAROUSCritical InfrastructionsMonitoring Team -tunCERT abdessabour.arous[x40]ansi.tn
- 5. CERT DEPT TECHNICAL DEPT AUDIT DEPT
- 6. Detect attacks Investigate Notify / Alert Help / Assist
- 7. Monday Analyst 1 Tech 1 Tech 2 Tuesday Wednesday 8 -10 10 -12 12 -14 14 -16 16 -18 18 -20 Shift system
- 8. Prime ministerwebsite: http://www.pm.gov.tn Central Bank: http://www.bct.gov.tn Justice minister: http://www.e-justice.tn 193.X.X.X 196.X.X.X Domain Name System: DNS Mailing:SMTP and POP/IMAP
- 20. 0x004FF3FE Original PE PE afterinfection Injectedcode _IMAGE_OPTIONAL_HEADER 0x0040A0FE 0x0040A0FE 0x004FF3FE _main _main _IMAGE_NT_HEADERS AddressOfEntryPoint EntryPoint EntryPoint PE Header
- 21. .textsection Section Table NT Header DOS Header othersections .data section .relocsection .relocsection UnmappedData .textsection Section Table NT Header DOS Header .data section Othersections HigherOffets HigherOffets PE File In memory
- 22. 0x004FF3FE Gentleman Destructive 0x0040A0FE _main _main Code Code Injectedcode Injectedcode Vs
- 40. Name/ Year Propagation CodeRed(2001) 14 Heures Slammer(2003) 30 minutes P-o-C(2005-2007) 1 seconde
- 41. 36% 32% 10% 4% 18% Product / Exploit by Kaspersky 2011 Adobe Reader JAVA Android Flash Others
- 45.
- 56. Object Manager Process/ Thread Memory Manager Hardware Abstraction Layer Ke(Scheduler) Security Ref Driver … OS / 2 I/O Manager POSIX WIN 32 Application Application Application Application Application Application Application Services NTDLL ConfManager Cache Manager
- 57. Call ReadFile(…,…, …) Call NtReadFile(…,…, ...) Return to the caller int2E or SYSENTER or SYSCALL Call NtReadFile(…, …, ...) Dismiss interrupt Execute the operation Return to the caller
- 65. Estonia Russia * From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Scott J. Shackelford
- 66. GeorgiaRussia * From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Scott J. Shackelford
- 67. United States of America Iran * From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Scott J. Shackelford
- 73. S7otbxdx.dll M117: L LW0 L 164 <= SPBN M101 M117: L LW0 L 164 Injected STEP 7 Code Original Instructions New DLL