Tuesday, June 29, 2010

Malware and its Classification

Malware

Malicious software (malware) is software designed to damage a computer system or to perform other unwanted actions on it. The prefix 'mal' means bad, so the term literally means bad software. Early malware was often written as a prank; today almost all of it is written for profit.

Malware can be broadly classified into:
  1. Infectious malware (viruses and worms)
  2. Concealment malware (Trojan horses, backdoors, and rootkits)
  3. Profit Oriented malware (adware & spyware and botnets)
  4. Exploits
VIRUS
A virus is a program that spreads by inserting a copy of its own code into other executable files (its hosts), so that the virus runs whenever an infected file is executed. A virus may also carry a payload that performs malicious activity beyond replication.

Examples : 
  • Virus.Win32.Sality
  • Virus.Win32.Virut
WORM
A worm is self-propagating malicious code that transmits itself over a network to infect other computers. Unlike a virus, a worm does not infect a file or program; it is a stand-alone program. A worm may also carry a payload that performs malicious activity. Worms can be further classified by how they spread:
  • Email worms - spread via e-mail messages, as an attachment or as a link in the message body.
  • Instant messaging worms - spread via instant-messaging messages, typically as a link sent to the victim's contacts.
  • Internet worms - scan the Internet for reachable hosts running a vulnerable network service, exploit it to gain access, and repeat the process from each newly infected machine.
  • IRC worms - spread via chat channels.
  • Network worms - copy themselves to shared folders reachable on the local network.
Examples : 
  • Net-Worm.Win32.Allaple
  • Worm.Win32.AutoRun
  • IM-Worm.Win32.Sumom
TROJAN HORSE
Like the wooden horse the Greeks used to get inside Troy, a Trojan horse hides malicious code inside a program that appears useful or harmless, so the victim installs it willingly. Unlike viruses and worms, a Trojan does not replicate on its own. Trojan horses can be further classified by what they do:

  • Trojan Clicker - runs silently in the background and connects to predetermined websites to generate clicks or visits (click fraud, inflating hit counters or advertising revenue).
  • Trojan Downloader - connects to a remote server to download additional malware onto the user's computer without their knowledge.
  • Trojan Dropper - carries other malicious files inside itself, writes them to disk and runs them on the compromised computer.
  • Trojan IM - abuses instant-messaging client applications, typically to steal the account's credentials or to send messages on its behalf.
  • Trojan Notifier - reports back to the attacker with details of the system it has been installed on (for example its IP address and open ports).
  • Trojan Proxy - turns the infected computer into a proxy server so that others can route traffic (often spam) through it.
  • Trojan PSW - steals passwords, login details and similar information ("PSW" stands for password).
  • Trojan Spy - monitors the user's activity, in particular keystrokes, in order to capture personal information.
  • Trojan Dialer - uses the modem to dial a premium-rate or international phone number without the user's permission or knowledge, running up charges on their phone bill.
Examples : 
  • Trojan-Clicker.Win32.Stixo
  • Trojan-Dropper.Win32.Drooptroop
  • Trojan-Downloader.Win32.Mufanom
Backdoor
A backdoor is a program, or a hidden feature of one, that lets an attacker gain remote access to the system while bypassing the usual authentication. Once installed, it typically listens for connections or calls out to the attacker, who can then control the machine.

Examples : 
  • Backdoor.Win32.IRCBot
  • Backdoor.Win32.Rbot
  • Backdoor.Win32.Hupigon
Rootkits
Rootkits are the hardest of all malware to detect and remove. A rootkit camouflages itself inside the system's core components (for example by hooking the kernel or system libraries) so that it goes unnoticed. Its purpose is to help the attacker keep access: it hides the resources used for malicious purposes, such as processes, files, registry keys and open ports, from the user and from security tools.

Examples :
  • Rootkit.Win32.TDSS
  • Rootkit.win32.bubnix
Adware & Spyware
Adware is software that automatically displays, plays or downloads advertisements on the computer where it is installed. Spyware is software that collects information about the user or their activity without their knowledge; some adware also behaves as spyware, which is why the two are grouped together. Keyloggers are a form of spyware; they are also used by some companies to covertly monitor what their users type.

Examples :
  • AdWare.Win32.Mirar
  • Adware.Win32.Ardamax
Botnets
Botnets have become a major tool of cybercrime. A botnet ("bot network") is a large number of compromised computers (zombies) that have been infected with malicious code and can be remotely controlled through commands sent over the Internet. Spammers rent the botnet as a service and feed their spam messages to the zombies for sending; botnets are also used to launch distributed denial-of-service (DDoS) attacks.

Examples :
  • Conficker
  • Kraken
Exploits
An exploit is a piece of software, data or sequence of commands that takes advantage of a bug or vulnerability in a program to perform an action the program's author did not intend, for example running the attacker's code. Many exploits against native code rely on buffer overflows, but this is only one of several vulnerability classes (format-string bugs, integer overflows and logic flaws are others).

Buffer overflows - In languages such as C, memory writes are not bounds-checked: if a program copies ten bytes into a buffer that was allocated only eight bytes, the copy is allowed and the two extra bytes overwrite whatever sits next to the buffer in memory. With arbitrary input this usually just crashes the program, but an attacker who controls the overflowing data can overwrite saved addresses or function pointers and redirect execution to their own code. This is known as a buffer overrun or buffer overflow.

Examples :

  • Exploit.Win32.MS04-028
  • Exploit.Win32.Pidief


    Monday, June 28, 2010

    Windows Startup - A Weapon for Malwares

    Hey guys, have you ever wondered why MSN Messenger, Yahoo Messenger or some other program opens every time Windows starts?
    This is due to Windows startup entries.

    Malware uses the same facility to run every time Windows starts, so it is good practice to inspect the startup entries regularly. Now let's see how it works.

    Startup using Windows Registry
    Before talking about Windows startups, here is a brief introduction to the Windows Registry.

    Every OS needs a place to store settings and options. The Windows Registry is a database where the Windows OS stores its configuration settings and user preferences: information and settings for the hardware, software, users and preferences of the PC, stored in a hierarchical manner as keys and values. The database lives in binary hive files that are not meant to be edited by hand; you change it through the Registry Editor (regedit), the reg.exe command-line tool, or the registry API that programs (including malware) call.


    To open "Registry Editor" type “regedit” in Run command.



    You will notice five root keys (often called hives), which appear as follows:
    • HKEY_LOCAL_MACHINE
    • HKEY_CURRENT_USER
    • HKEY_CURRENT_CONFIG
    • HKEY_USERS
    • HKEY_CLASSES_ROOT
    The following registry locations are used for Windows startup (HKCU = HKEY_CURRENT_USER, HKLM = HKEY_LOCAL_MACHINE; "[VALUE]" means the program is named in a value of that key rather than in a subkey):

    Per-user entries (run when that user logs on):
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, "Load" [VALUE]

    Machine-wide entries (run for every user):
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, "Userinit" [VALUE] (the program Winlogon runs to set up the user session; normally only userinit.exe)

    Other locations that load code at boot, at logon, or whenever Explorer or Internet Explorer starts:
    • HKLM\Software\Microsoft\Active Setup\Installed Components
    • HKCU\Software\Microsoft\Internet Explorer\Main, "Start Page" [VALUE] (not a startup entry as such, but a favourite hijack target: it is changed to point the browser at a malicious page)
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    • HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, "AppInit_DLLs" [VALUE] (every DLL listed here is loaded into every process that loads user32.dll)
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, "BootExecute" [VALUE] (native programs run by the Session Manager before the rest of the system starts; normally only autocheck)

    Note: the RunServices and RunServicesOnce keys are honoured only by Windows 95/98/ME. Windows NT-based systems (2000, XP, Vista, 7) ignore them, but malware still writes to them, so they remain worth checking.
    Here is an example for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:
          1. Type "regedit" in the Run command.
          2. Expand HKEY_CURRENT_USER.
          3. Expand Software, then Microsoft, then Windows, then CurrentVersion.
          4. Finally click on Run. Each value in the right-hand pane names a program that starts when this user logs on.

    Malware adds a value to such a key so that it runs again after the next reboot. Third-party tools list all the startup entries in one place and make this easier; one of them is Sysinternals' Autoruns for Windows (v10.01 at the time of writing).

    This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them.

    Caution:
    Do NOT delete or disable the Userinit value under Winlogon. Without it Windows cannot complete logon for any user account. Malware commonly appends its own program to this value after a comma (for example ...\userinit.exe,C:\path\to\malware.exe); the correct fix is to restore the value to the original userinit.exe path, not to remove the value.
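    The checks above (program started from a temp or profile directory, a system-process name in the wrong place, an extra program chained onto Userinit, a non-empty AppInit_DLLs) can be automated. The script below is an added example and is not code from the original post or from Autoruns. So that it runs offline it parses a constructed .reg export embedded in the file; the paths in that sample are invented and refer to no real malware. On a live machine the same functions can be applied to the text produced by `reg export` for each key listed above, or to values read with the winreg module.

```python
r"""Triage of Windows autorun registry entries.

Added example, not code from the original post. It checks the string
values of the startup keys listed above for patterns that malware
persistence tends to show. A constructed .reg export is embedded so the
script runs offline; on a live machine feed it the output of
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
(one export per key) or values read through the winreg module.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export: one legitimate entry and three suspicious ones.
# The paths are made up for illustration and refer to no real malware family.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Temp\\init.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Directories every user can write to: a startup entry pointing here is a
# classic sign of a dropped file rather than an installed product.
USER_WRITABLE = ('\\temp\\', '\\appdata\\', '\\programdata\\', '\\users\\public\\')
# Names malware borrows from Windows so it blends in when listed in Task Manager.
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe'}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for REG_SZ values only.
    dword/hex values are skipped: every startup location above stores a
    command line or path as a string."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2)
            if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
                # .reg files escape backslash and double quote with a backslash
                keys[current][name] = re.sub(r'\\(.)', r'\1', rhs[1:-1])
    return keys


def executable_path(command: str) -> str:
    """Program path from a command line: the quoted token, or the first
    whitespace-delimited token (sufficient for autorun entries)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every entry worth a second look."""
    findings = []
    for key, values in keys.items():
        for name, value in values.items():
            lname = name.lower()
            if key.lower().endswith('\\winlogon') and lname == 'userinit':
                # Userinit must exist, but it should name exactly one program.
                parts = [p.strip() for p in value.split(',') if p.strip()]
                if len(parts) != 1 or not parts[0].lower().endswith('\\userinit.exe'):
                    findings.append((key, name, 'extra program chained after userinit.exe: ' + value))
                continue
            if lname == 'appinit_dlls':
                if value.strip():
                    findings.append((key, name, 'AppInit_DLLs set; DLL is injected into GUI processes: ' + value))
                continue
            path = executable_path(value)
            lpath = path.lower()
            if any(d in lpath for d in USER_WRITABLE):
                findings.append((key, name, 'program lives in a user-writable directory: ' + path))
            base = lpath.rsplit('\\', 1)[-1]
            if base in SYSTEM_NAMES and '\\' in lpath and '\\windows\\' not in lpath:
                findings.append((key, name, 'Windows system name outside the Windows directory: ' + path))
    return findings


if __name__ == '__main__':
    for key, name, reason in triage(parse_reg(SAMPLE_REG)):
        print(f'{key}\n    "{name}": {reason}')
```

    Run against the sample, the OneDrive entry and the default Shell value pass, while the Temp-resident svchost.exe, the second program chained onto Userinit and the AppInit_DLLs value are each reported. The path heuristics are deliberately simple; they are a first pass to tell you where to look, not proof that an entry is malicious.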

    Sunday, June 27, 2010

    Common Security Tips

    Common Security Tips to Keep You Safe :-)

    Use an Anti-virus software
    Be sure to keep your anti-virus software up-to-date. Many anti-virus packages support automatic updates of virus definitions. We recommend the use of these automatic updates when available.

    Use a firewall
    I strongly recommend the use of some type of firewall product, such as a network appliance or a personal firewall software package. Intruders are constantly scanning home user systems for known vulnerabilities. Network firewalls (whether software or hardware-based) can provide some degree of protection against these attacks. However, no firewall can detect or stop all attacks, so it’s not sufficient to install a firewall and then ignore all other security measures.

    Avoid phishing
    Always type the address of your online banking site into the address bar yourself; it is not hard. DO NOT access the site via a link in an e-mail or from any other untrusted source, because the link may lead to a look-alike site that captures your login details.

    Unknown email attachments
    Before opening any e-mail attachment, be sure you know who sent it and why, and scan the file with your anti-virus software. For additional protection you can disconnect your computer's network connection before opening the file, so that anything it drops cannot immediately call home.


    Unknown programs
    Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program.


    Disable hidden file name extensions
    Windows has an option "Hide extensions for known file types", which is enabled by default. With it on, a file named invoice.pdf.exe is shown simply as invoice.pdf, and malware authors rely on this to make an executable look like a document. Disable the option so that Windows always displays the real extension.
    To disable hidden file name extensions follow these steps:
    1. Click Start > Control Panel.
    2. Double-click Folder Options.
    3. Select the View tab.
    4. Scroll down in the list and uncheck "Hide extensions for known file types". While you are there, also select "Show hidden files and folders" and uncheck "Hide protected operating system files", so that files malware has marked hidden or system become visible.
    5. Click OK.
    Password tips
    DO NOT use the same password for all your online accounts. If you do and one account is hacked, the attacker can use it to get into all your other accounts.
    Avoid dictionary words like "prettygirl" or "imagination" and anything else that is easy to guess (your birth date, your car's number plate).
    Passwords are case sensitive, so mixing upper and lower case, digits and symbols adds strength (for example, StRonG_pAss); a longer password adds even more.
    DO NOT disclose your password to anyone, even if the person claims to work for the bank or to be the site admin.

    Beware of Social Media Sites
    Do not click on links in social media sites such as Twitter, Facebook or MySpace that don't look right, even when they appear to come from a friend: a compromised account posts links in its owner's name.
    Patch all applications, including your operating system
    Keeping your OS and applications updated is very important in keeping them secure from exploitation, and should never be overlooked. Vendors usually release patches for their software when a vulnerability is discovered. Most product documentation describes how to get updates and patches; you should be able to obtain them from the vendor's website.

    Disable Simple File Sharing
    Simple File Sharing lets users share folders without a password, which may allow attackers on the network to read or write files in your shared folders. Windows XP allows you to disable Simple File Sharing and require a user ID and password for shared folder access.
    To disable Simple File Sharing follow these steps:
    1. Click Start > Control Panel.
    2. Double-click Folder Options.
    3. Select the View tab.
    4. Scroll down in the list and uncheck "Use simple file sharing".
    5. Click OK.
    Secure Your Accounts and Passwords
    You must set effective passwords for all active accounts. Accounts with weak or no passwords are an invitation for attackers to compromise your system. To disable unused accounts such as "Guest" and to make sure an effective password is set for the Administrator account, follow these steps:

    1. Click Start > Control Panel.
    2. Double-click User Accounts.The User Accounts dialog box appears.
    3. Select the User Account you want to set a password for (e.g., Administrator).
    4. Click Change the password and enter your old and new password.
    5. To disable a Guest account, select it in the dialog box and click Turn off the guest account.

    Anti-Virus

    What is Anti-Virus?
    "Anti-virus" is protective software designed to defend your computer against malicious software.

    Malicious software, or "malware", includes viruses, Trojans, keyloggers, backdoors, hijackers, dialers and other code that vandalizes or steals the contents of your computer. To be an effective defense, your anti-virus software needs to run in the background at all times and must be kept updated so that it recognizes new versions of malicious software.

    Once a piece of malware has been identified, the anti-virus program either neutralizes it (usually by moving it into "quarantine", where it cannot run) or deletes it so that it can no longer harm your computer.

    Identification methods
    There are several methods which anti virus software can use to identify malware.

    Signature-based detection is the most common method. The anti-virus software compares the contents of a file against a dictionary of known malware signatures (characteristic byte sequences). Because a virus can embed itself anywhere in an existing file, each signature is searched for at every position in the file, not just compared against the file as a whole; a hash of the whole file would miss a host file that the virus has only partly modified.

    Heuristic-based detection, like malicious-activity detection, can be used to identify unknown viruses: instead of exact signatures it looks for characteristics typical of malware, such as suspicious instruction sequences, self-modifying code or known packers, at the cost of occasional false positives.

    File emulation is another heuristic approach. The program is executed in a virtual environment (a sandbox or CPU emulator) and the actions it performs are logged. Depending on the actions logged, the anti-virus software decides whether the program is malicious and then carries out the appropriate disinfection action.
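    To make the difference between matching a file "as a whole" and "in pieces" concrete, here is an added example (not code from the original post and not any vendor's engine). It holds two kinds of signature for a constructed virus body: a hash of the exact file, and a byte pattern with one wildcard byte that is searched for at every offset. The virus body, the host files and the signature names are all made up for the demonstration.

```python
"""Signature-based detection: a whole-file hash match beside a byte-pattern
search over every offset. Added example, not code from the original post.
VIRUS_BODY, the hosts and the signatures are constructed for illustration;
they are not real malware and not real vendor signatures."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed "virus body" that a hypothetical file infector appends to each
# host. The variant differs in one byte (0x10 -> 0x20), which the pattern
# signature absorbs with a wildcard.
VIRUS_BODY = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00VX!"
VIRUS_VARIANT = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x20\x40\x00VX!"


def parse_pattern(hex_pattern: str) -> List[Optional[int]]:
    """'e8 00 ?? 5b' -> [0xe8, 0x00, None, 0x5b]; '??' matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


# Two signature kinds. A hash identifies one exact file; a pattern identifies
# the virus code wherever it sits inside a host file.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(VIRUS_BODY).hexdigest(): "Demo.Dropper.A",
}
PATTERN_SIGNATURES: Dict[str, List[Optional[int]]] = {
    "Demo.FileInfector.A": parse_pattern("e8 00 00 00 00 5b 81 eb 05 ?? 40 00 56 58 21"),
}


def hash_scan(data: bytes) -> Optional[str]:
    """Match the whole file only: cheap and exact, but blind to any change."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def pattern_scan(data: bytes) -> List[Tuple[str, int]]:
    """Try every pattern at every offset (the 'in pieces' search).
    Real engines use multi-pattern automata; the O(n*m) loop is for clarity."""
    hits = []
    for name, pat in PATTERN_SIGNATURES.items():
        n = len(pat)
        for off in range(len(data) - n + 1):
            if all(b is None or data[off + i] == b for i, b in enumerate(pat)):
                hits.append((name, off))
    return hits


def scan(data: bytes) -> List[str]:
    """Combined verdicts, e.g. ['Demo.FileInfector.A@127']."""
    verdicts = []
    h = hash_scan(data)
    if h:
        verdicts.append(h)
    verdicts.extend(f"{name}@{off}" for name, off in pattern_scan(data))
    return verdicts


# Constructed sample files: a clean host, the same host infected by
# appending, a host infected mid-file by the variant, and the bare dropper.
CLEAN_HOST = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32 + b"Hello from a clean program\n"
INFECTED_APPEND = CLEAN_HOST + VIRUS_BODY
INFECTED_MIDDLE = CLEAN_HOST[:70] + VIRUS_VARIANT + CLEAN_HOST[70:]
DROPPER = VIRUS_BODY

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_HOST), ("dropper", DROPPER),
                        ("appended", INFECTED_APPEND), ("variant", INFECTED_MIDDLE)]:
        print(f"{label:9} hash={hash_scan(blob)!s:15} pattern={pattern_scan(blob)}")
```

    The hash catches only the bare dropper; both infected hosts are found only by the pattern search, and the variant only because of the wildcard byte. The flip side is that a short pattern like this one would produce false positives on real disks, which is why production signatures are longer and are combined with context such as file type and section.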


    Firewall

    What is a firewall?
    A firewall is a set of related programs, located at a network gateway, that protects the resources of a private network from users on other networks.
    Basically, a firewall is a barrier that keeps destructive traffic away from your property. It is a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet is flagged by the filters, it is not allowed through.
    Firewalls use one or more of three methods to control traffic flowing in and out of the network:
    • Packet filtering - Each packet (a small chunk of data) is checked on its own against a set of rules, using its addresses, protocol and ports. Packets that pass the rules are forwarded to the requesting system; all others are discarded.
    • Proxy service - Information from the Internet is retrieved by the firewall on behalf of the requesting system and then handed to it, and vice versa, so the two sides never talk to each other directly.
    • Stateful inspection - A newer method that keeps a table of the connections in progress. When a machine inside opens a connection to the outside, the firewall records it; an incoming packet is then allowed through only if it belongs to a connection the inside started (or to a service that has deliberately been exposed), and everything else is discarded. This is why an unsolicited packet aimed at a port on your PC is dropped while the reply to your own web request is not.
    Firewall Configuration
    Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:
    • IP addresses - Each machine on the Internet is assigned a unique address called an IP address. IPv4 addresses are 32-bit numbers, normally expressed as four "octets" in "dotted decimal" notation; a typical IP address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.
    • Domain names - Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.
    • Protocols - The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a web browser. Protocols are often text-based and simply describe how the client and server will have their conversation; http, for example, is the protocol of the Web. Some common protocols that you can set firewall filters for include:




      • IP (Internet Protocol) - the main delivery system for information over the Internet
      • TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet
      • HTTP (Hyper Text Transfer Protocol) - used for Web pages
      • FTP (File Transfer Protocol) - used to download and upload files
      • UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
      • ICMP (Internet Control Message Protocol) - used for error and diagnostic messages between hosts and routers (ping uses it)
      • SMTP (Simple Mail Transfer Protocol) - used to send e-mail
      • SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
      • Telnet - used to run commands on a remote computer (unencrypted, so it is rarely allowed through a firewall today)
      A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.
    • Ports - Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server (see How Web Servers Work for details). For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.
    • Specific words and phrases - This can be anything. The firewall searches each packet for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet containing the word "X-rated". The key here is that it has to be an exact match: the "X-rated" filter would not catch "X rated" (no hyphen), and it sees nothing at all inside encrypted (HTTPS) traffic. You can include as many words, phrases and variations as you need, but treat this as a convenience rather than a security control.
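    The three mechanisms and the filter conditions above fit in one small model. The following is an added example, not code from the original post or from any firewall product: a toy firewall with an address block list, outbound port rules, an exposed-service list, an exact-match content filter, and a stateful connection table, driven by a constructed packet sequence. The addresses, ports and rule set are invented for the demonstration.

```python
"""Toy firewall combining static packet-filter rules (addresses, ports,
protocols), an exact-match content filter and a stateful inspection table.
Added example, not code from the original post; the packets are constructed
records, not captured traffic, and the rule set is invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # 'out' = LAN to Internet, 'in' = Internet to LAN
    proto: str              # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as letters: 'S' SYN, 'SA' SYN/ACK, 'A' ACK
    payload: bytes = b""


@dataclass
class Firewall:
    blocked_hosts: Set[str] = field(default_factory=set)        # IP address filter
    outbound_ports: Set[int] = field(default_factory=lambda: {53, 80, 443, 25})
    inbound_services: Set[int] = field(default_factory=set)     # ports we deliberately serve
    blocked_words: Set[bytes] = field(default_factory=set)      # exact-match content filter
    # Stateful table: the connection 5-tuple as seen from the inside.
    state: Dict[Tuple[str, str, int, str, int], str] = field(default_factory=dict)

    def filter(self, p: Packet) -> str:
        """Return 'ACCEPT' or 'DROP: <reason>' and update the state table."""
        if p.src in self.blocked_hosts or p.dst in self.blocked_hosts:
            return "DROP: blocked address"
        if any(w in p.payload for w in self.blocked_words):
            return "DROP: content filter"        # exact byte match only
        if p.direction == "out":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key in self.state:
                return "ACCEPT"                  # part of a known connection
            if p.dport not in self.outbound_ports:
                return "DROP: outbound port not permitted"
            self.state[key] = "new"              # remember what the LAN started
            return "ACCEPT"
        # Inbound: allowed only if it answers a connection the inside opened ...
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            self.state[key] = "established"
            return "ACCEPT"
        # ... or starts a connection to a service we deliberately expose.
        if p.proto == "tcp" and p.flags == "S" and p.dport in self.inbound_services:
            self.state[key] = "new"
            return "ACCEPT"
        return "DROP: unsolicited inbound"


def run_demo() -> List[str]:
    """Push a constructed packet sequence through the firewall."""
    fw = Firewall(blocked_hosts={"198.51.100.66"}, inbound_services={80},
                  blocked_words={b"X-rated"})
    lan, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        Packet("out", "tcp", lan, 51000, web, 443, "S"),                 # LAN opens HTTPS
        Packet("in", "tcp", web, 443, lan, 51000, "SA"),                 # server replies
        Packet("in", "tcp", web, 443, lan, 51000, "A", b"X rated"),      # no hyphen: passes
        Packet("in", "tcp", web, 443, lan, 51000, "A", b"X-rated"),      # exact word: dropped
        Packet("in", "tcp", attacker, 40000, lan, 445, "S"),             # SMB probe, unsolicited
        Packet("out", "tcp", lan, 51001, "203.0.113.9", 23, "S"),         # telnet out, not permitted
        Packet("in", "tcp", attacker, 40001, "192.168.1.20", 80, "S"),   # exposed web server
        Packet("in", "tcp", "198.51.100.66", 40002, "192.168.1.20", 80, "S"),  # blocked host
        Packet("in", "udp", "203.0.113.53", 53, lan, 51002),             # DNS reply nobody asked for
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

    The same SYN/ACK from the web server is accepted only because the LAN's own SYN went out first and was recorded; the SMB probe and the stray DNS reply have no state entry and are dropped, while the exposed port 80 is reachable from everyone except a blocked address. The content filter drops "X-rated" but passes "X rated", exactly the limitation described above.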

    Computer Security

    What is computer security?

    Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

    A personal computer connected to the Internet without a firewall can be hijacked in a few minutes by automated hacker "bots". The only way to make your computer 100% secure is to turn it off or disconnect it from the Internet; the real issue is how to make it 99% secure while it is connected. Not having protection is like leaving your car running with the doors unlocked and the keys in it, which a thief might interpret as "please steal me".

    Why should I care about computer security?

    We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).

    Who would want to break into my computer at home?

    Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.

    Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.

    Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

    How easy is it to break into my computer?

    Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.

    When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely.

    Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.


    Welcome to My Blog!!!!

    Hey buddies, I have started this blog to spread my knowledge regarding computer security... I would like to share knowledge about the following stuff....
    • Security Tips
    • Types and Purpose of Malwares
    • New and Latest Malwares
    • Reverse Engineering (Static and Dynamic analysis)
    • File Packers (Eg: Upx, Aspack, PeCompact....)
    • File Crypters and Protectors
    • Malwares Removal Techniques
    • Analyst Tools
    This is all I have in my mind... It won't end here... If you feel I have missed something, let me know in the comments... Let's be doctors of computers and remove all viruses and malware ourselves...