Friday, September 10, 2010

Useful Firefox Add-ons

If you use Mozilla Firefox as your web browser, you should have the following add-ons to secure your computer:


If you want to keep yourself free from malware trouble, WOT (Web Of Trust) is what you want. Most of the time we ourselves are to blame for malware infections, because we don't know the reputation of every site on the Internet. This is where WOT helps: it shows you which websites you can trust for safe surfing, shopping and searching before you visit them.

Green means safe.
Yellow means caution.
Red means stop.

This add-on secures Firefox by blocking the automatic execution of scripts on non-trusted sites and by protecting against clickjacking and XSS attacks. It may annoy users at first, since many websites appear broken without scripts, but the security it offers is worth the initial learning curve.

This add-on backs up information such as all your settings, passwords, bookmarks and other customizations and stores it in a universal way, so that it can be accessed from any computer, no matter where you log in. Moreover, your information is encrypted so that only you can access it, by entering a secret phrase. Firefox puts security as a top priority, and syncing is no exception.


Tuesday, September 7, 2010

Protect USB Flash Drive (Pen Drive)


As you know, the most common use of USB drives (pen drives) is to transport and store personal files such as documents, pictures, videos and data. But if you attach your USB drive to an infected computer, malware can be transferred to the drive in no time, infecting the important data on it. Depending on the nature of the virus you may lose important data from the drive and never recover it, and the infected drive can in turn infect other computers, and so on.

This is one of the methods through which malware spreads. Autorun commands are generally stored in Autorun.inf files. These commands enable applications to start, start installation programs, or start other routines. Malware hidden on a USB drive uses this to get executed: when you insert the drive or double-click on it, the Autorun.inf runs the malware immediately. Several malware families use this technique.

For example:
  • Trojan.Win32.AutoIt
  • Trojan.Win32.Autorun
  • Worm.Win32.AutoIt

    Instead of relying completely on anti-virus to detect infected USB drives, we can protect them in the following ways:

         1. Disable Autorun
         2. Avoid double clicks
         3. Using Autorun.inf

    Disable Autorun 

    My best advice is to disable the autorun facility provided by the operating system. This can be done in two ways:

        1. Group Policy settings
        2. Registry Changes

    Group Policy settings 

        1. Click Start --> Run or press "Windows Key" + R, type Gpedit.msc and then press ENTER.
        2. Under "Computer Configuration", expand "Administrative Templates" and then click "System".
        3. In the Details pane, double-click "Turn off Autoplay".
        4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
        5. Restart the computer.



    Registry Changes 

        1. Click Start --> Run or press "Windows Key" + R, type Regedit and then press ENTER.
        2. Locate and then click the following entry in the registry:
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun
        3. Right-click NoDriveTypeAutorun, and then click Modify.
        4. In the Value data box, type FF (hexadecimal) to disable Autorun for all types of drives.
        5. Click OK, and then exit Registry Editor.
        6. Restart the computer.




    Avoid Double Clicks

        1. Avoid using "double click" to open a USB drive.
        2. To open a USB drive, right-click on it and select Explore.



    Using Autorun.inf

    As we know, Windows cannot have a file and a folder with the same name in the same drive or folder. Hence we can create a folder or file named "autorun.inf" on the USB drive, which protects the drive from receiving an autorun.inf that would execute malware.

    Some malware deletes the autorun.inf folder or file and places its own autorun.inf on the USB drive. To avoid this, we should make our folder or file hidden on the USB drive by changing its attributes:

        1. Click Start --> Run or press "Windows Key" + R, type Cmd and then press ENTER.
        2. Type attrib +h +s +r [Drive Letter]:\autorun.inf (+h hidden, +s system, +r read-only).
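
Two checks that go with the steps above, as an added example that is not part of the original post. decode_no_drive_type_autorun() expands the NoDriveTypeAutorun bitmask so you can confirm what the value FF set in the registry step actually suppresses compared with a lower value such as 91. parse_autorun_inf() reads the [autorun] section of an autorun.inf and reports what would run on insertion (open= and shellexecute=) and what is wired to the right-click menu and the double-click default (shell\<verb>\command and shell=), which is the question to answer when triaging a drive before trusting it. The bit meanings follow the documented NoDriveTypeAutorun layout; the sample autorun.inf text, folder and file names are constructed for this example.

```python
"""
Added example (not from the original post): decode the NoDriveTypeAutorun
bitmask and summarise what an autorun.inf would launch. The sample
autorun.inf below is constructed.
"""
import configparser

DRIVE_TYPE_BITS = {              # bit -> drive type whose Autorun the bit disables
    0x01: "unknown type",
    0x04: "removable (USB, floppy)",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}


def decode_no_drive_type_autorun(value):
    """Drive types for which Autorun is disabled by the given registry value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def parse_autorun_inf(text):
    """Summarise what an autorun.inf would launch or offer.

    run:          open= / shellexecute= targets (started on insertion when Autorun is on)
    menu:         shell\\<verb>\\command entries added to the drive's context menu
    default_verb: shell=<verb>, the entry run on double-click
    """
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower                   # keys are case-insensitive on Windows
    cp.read_string(text)
    info = {"run": [], "menu": {}, "default_verb": None, "icon": None}
    if not cp.has_section("autorun"):
        return info
    for key, val in cp.items("autorun"):
        if key in ("open", "shellexecute") and val:
            info["run"].append(val)
        elif key == "shell":
            info["default_verb"] = val
        elif key == "icon":
            info["icon"] = val
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            info["menu"][verb] = val
    return info


# Constructed sample of the pattern described above: a program in a hidden folder is
# launched on insertion and also bound to the "Open" verb so a double-click runs it.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=drivers\\update.exe
shellexecute=drivers\\update.exe
shell\\Open\\command=drivers\\update.exe
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    print("FF disables:", decode_no_drive_type_autorun(0xFF))
    print("91 disables:", decode_no_drive_type_autorun(0x91))
    info = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    print("runs on insertion:", info["run"])
    print("menu:", info["menu"], "default verb:", info["default_verb"])
```

Reading the parsed summary is the defender's view of the attack the post describes: with Autorun disabled (FF) the "run" entries never fire, but the "menu" entries still make a double-click dangerous, which is why the post also recommends opening drives via right-click and Explore.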


    Malware present on a USB drive usually has the system attribute set and won't be visible in the default settings of Windows. One should always keep an eye on suspicious files that are hidden as system files. To view such files, the following settings must be changed:

    UnHide extensions for known file types

    Some malware has a name like Clip.avi.exe, which is displayed as Clip.avi in the default settings, where the "Hide extensions for known file types" option is enabled. The following shows how to disable "Hide extensions for known file types":

        1. Open My Computer or any folder.
        2. Click on the Tools menu --> Folder Options.
        3. Click on the View tab.
        4. Uncheck "Hide extensions for known file types".

    Unhide Hidden Files & System Files


    Some malware hides itself as hidden or system files, which won't be visible in the default settings, where the "Do not show hidden files and folders" option and the "Hide protected operating system files" option are enabled. The following shows how to disable these options:

        1. Open My Computer or any folder.
        2. Click on the Tools menu --> Folder Options.
        3. Click on the View tab.
        4. Enable "Show hidden files and folders".
        5. Uncheck "Hide protected operating system files".
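
A triage pass over a drive listing that automates the two Explorer settings above, as an added example that is not part of the original post. It flags executables whose real extension hides behind a media or document extension (Clip.avi.exe shows as Clip.avi when extensions are hidden), executables carrying the Hidden and System attributes that Explorer suppresses by default, and an autorun.inf that lacks the +h +s +r attributes set in the placeholder step, a sign it may have been replaced. The listing and file names below are constructed; the attribute bits are the documented Win32 FILE_ATTRIBUTE_* values, and on a real drive the same numbers come from os.stat(path).st_file_attributes on Windows.

```python
"""
Added example (not from the original post): flag deceptive and hidden
executables in a USB drive listing. SAMPLE_LISTING is constructed.
"""
import os

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20
PLACEHOLDER_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Extensions Windows executes on double-click, and extensions that look harmless.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY_EXT = {".avi", ".mpg", ".mp3", ".jpg", ".jpeg", ".gif", ".png", ".doc", ".xls", ".pdf", ".txt"}


def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' enabled."""
    return os.path.splitext(name)[0]


def is_double_extension_decoy(name):
    """True for Clip.avi.exe-style names: an executable whose displayed name ends in a decoy extension."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXT:
        return False
    return os.path.splitext(stem)[1].lower() in DECOY_EXT


def has_all(attrs, mask):
    return (attrs & mask) == mask          # parenthesised: & binds weaker than == in Python


def triage_listing(entries):
    """entries: iterable of (name, attribute_bits). Returns [(name, reason), ...]."""
    findings = []
    for name, attrs in entries:
        if has_all(attrs, FILE_ATTRIBUTE_DIRECTORY):
            continue                                    # folders are not launchable
        ext = os.path.splitext(name)[1].lower()
        if is_double_extension_decoy(name):
            findings.append((name, f"double extension, displays as {explorer_display_name(name)!r}"))
        if ext in EXEC_EXT and has_all(attrs, HIDDEN_SYSTEM):
            findings.append((name, "executable with Hidden+System attributes"))
        if name.lower() == "autorun.inf" and not has_all(attrs, PLACEHOLDER_ATTRS):
            findings.append((name, "autorun.inf without the +h +s +r placeholder attributes"))
    return findings


# Constructed listing of a USB drive: a protected placeholder, one decoy, one hidden executable.
SAMPLE_LISTING = [
    ("Holiday.jpg", FILE_ATTRIBUTE_ARCHIVE),
    ("Clip.avi.exe", FILE_ATTRIBUTE_ARCHIVE),
    ("Report.doc", FILE_ATTRIBUTE_ARCHIVE),
    ("autorun.inf", PLACEHOLDER_ATTRS),
    ("RECYCLER", FILE_ATTRIBUTE_DIRECTORY | HIDDEN_SYSTEM),
    ("update.exe", HIDDEN_SYSTEM | FILE_ATTRIBUTE_ARCHIVE),
]

if __name__ == "__main__":
    for name, reason in triage_listing(SAMPLE_LISTING):
        print(f"{name:<14} {reason}")
```

The Hidden+System check is the programmatic equivalent of the two Explorer options above: a user who has not changed them never sees these files, which is exactly why the malware sets those attributes.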
     

    Thursday, September 2, 2010

    Introduction to Malware Analysis

    Since malware growth is increasing with time, it is better to be an analyst yourself instead of depending completely upon anti-virus products. Much malware uses techniques that bypass anti-virus and infect your PC, so this post will surely help you defend against malware yourself :-)

    To analyse malware, the following systematic methodology should be followed:
    • Tools for analyzing
    • Preparing a controlled environment
    • Collecting information
    • Analyzing information
    • Conclusion

    Tools for Analyzing

    Tools are required to analyse the behaviour of malware. These tools help us locate file changes, registry changes, network and process changes, etc.

    Virtualization Software - VMware Workstation
    VMware is powerful virtual machine software that can run multiple operating systems on a single system. Once an operating system is installed in VMware, malware can be executed on a non-persistent disk without infecting the host.

    Regshot
    Regshot is a registry and file system compare utility that allows you to quickly take a snapshot of your registry and file system and then compare it with a second one taken after making system changes or installing a new software product. This helps in locating the file and registry changes made after execution of malware.



    Process Explorer
    Process Explorer shows a list of the currently active processes. It shows you information about which handles and DLLs processes have opened or loaded.

    TCPView
    TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.

    Autoruns
    This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you which programs are configured to run during system boot or login, and shows you the entries in the order Windows processes them.


    Caution:
    Do NOT delete or disable the entry named Userinit. Doing so will make it impossible to log on to any user account on the system.

    HexEdit
    Hex Edit is a binary file editor, or hex editor. It is a great tool that allows you to edit and analyse the contents of any type of file, whether data or resources. It can also compare two files and show all the differences between them, which helps in the case of malware such as viruses. It can also find strings in hex, octal and ASCII.

    FileAlyzer
    FileAlyzer is a tool to analyse files. It allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents such as resource structures (text, graphics, HTML, media and PE).

    BinText
    A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double-byte ANSI) text and resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text from being listed. The gathered list can be searched and saved to a separate file, either as plain text or in an informative tabular format.


    PEiD
    PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

    PEiD is special in some aspects, like:

    1. Shell integration, command line support, always-on-top and drag'n'drop capabilities.
    2. Multiple file and directory scanning with recursion.
    3. Plugin interface with plugins like Generic OEP Finder and Krypto ANALyzer.
    4. Heuristic scanning options.
    5. New PE details, imports, exports and TLS viewers.
    6. New built-in quick disassembler.
    7. New built-in hex viewer.
    8. External signature interface which can be updated by the user.
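
The signature-and-heuristic idea behind PEiD, applied by hand, as an added example that is not part of the original post or of PEiD itself. parse_sections() walks the PE header to the section table, section_entropy() computes the Shannon entropy of each section, and scan_pe() flags the usual packer tells: a known packer section name, a section with no raw data but a large virtual size (the target the unpacker fills at run time), and a section that is both high-entropy and writable plus executable. build_sample_pe() constructs a minimal UPX-style PE in memory so the example runs offline; it is not a real binary, and its sections, sizes and contents are constructed. Offsets and flag values follow the documented PE/COFF layout.

```python
"""
Added example (not from the original post): per-section entropy and packer
heuristics over a PE file, run on a constructed minimal PE32 image.
"""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".themida", ".nsp0", ".nsp1"}
HIGH_ENTROPY = 7.0          # bits/byte; compressed or encrypted data sits near 8.0


def section_entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty or uniform data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                 # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                        # section table follows optional header
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr, "raw_size": raw_size,
                         "characteristics": chars,
                         "data": data[raw_ptr:raw_ptr + raw_size] if raw_size else b""})
    return sections


def scan_pe(data):
    """Entropy plus packer heuristics per section; likely_packed if any heuristic fires."""
    wx_mask = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    report = []
    for s in parse_sections(data):
        ent = section_entropy(s["data"])
        flags = []
        if s["name"] in PACKER_SECTION_NAMES:
            flags.append("known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append("no raw data but non-zero virtual size (unpack target)")
        if ent > HIGH_ENTROPY and (s["characteristics"] & wx_mask) == wx_mask:
            flags.append("high entropy in a writable+executable section")
        report.append({"name": s["name"], "entropy": round(ent, 2), "flags": flags})
    return {"sections": report, "likely_packed": any(r["flags"] for r in report)}


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections):
    """sections: (name, raw_bytes, virtual_size, characteristics). Minimal PE32, constructed."""
    opt_size = 224                                      # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    header_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, vsize, chars in sections:
        raw_ptr = header_len + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        vaddr += max(vsize, len(raw), 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
SAMPLE_PE = build_sample_pe([
    ("UPX0", b"", 0x8000, RWX),                                      # empty target for unpacked code
    ("UPX1", pseudo_random(4096), 0x1000, RWX),                      # compressed payload plus stub
    (".rsrc", b"Sample resource text. " * 64, 0x600, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for sec in scan_pe(SAMPLE_PE)["sections"]:
        print(f"{sec['name']:<8} entropy={sec['entropy']:.2f}  {', '.join(sec['flags']) or '-'}")
```

Entropy is what makes this heuristic robust against renamed sections: a packer can call its sections anything, but compressed code still reads as near-random bytes, and a writable section that is also executable is where an unpacking stub writes the code it is about to run.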

    OllyDbg

    OllyDbg is a 32-bit assembler-level analysing debugger with an intuitive interface. It shows the contents of registers and recognizes procedures, API calls, switches, tables, constants and strings. It can also write patches back to the executable file.

    It has four panes: the upper left shows the disassembled code of the file, the upper right shows the register and flag values, the lower left shows a hexadecimal dump of the file and the lower right shows the stack. Any value that changes after the execution of an instruction is shown in red.

    It also provides breakpoints of several types, such as breakpoints on memory read or memory write.

    IDA
    IDA is an interactive disassembler, meaning that the user takes an active part in the disassembly process. IDA is not an automatic analyzer of programs: it gives you hints about suspicious instructions, unsolved problems, etc., and it is your job to tell IDA how to proceed. IDA performs a great deal of automatic code analysis, using cross-references between code sections, knowledge of the parameters of API calls, and other information.




    Preparing a safe and controlled environment

    Before analysing malware you should create a safe and controlled environment, so that if you accidentally execute a sample it cannot damage your system.
    The following instructions should be followed before analysing malware:
    1. Virtualization - use VMware Workstation for analysing malware
    2. Isolate the network - make sure your network is isolated
    3. Tools - transfer all analysis tools into the VMware guest
    4. Non-persistent - use non-persistent disks

    Collecting Information
    Now that we have prepared the lab, we need to load the files associated with the malware specimen onto our lab systems. Once the malware is placed in its cage, we can start our analysis. To determine the purpose and capabilities of this piece of code, we can use two different analytical approaches: static and dynamic analysis. Static analysis involves looking at the files associated with the malware to determine their attributes, whereas dynamic analysis involves actually running the program and watching what happens.
    With static malware analysis, we may be able to get a general idea of the characteristics and purpose of the code. With dynamic analysis, we actually activate the code on a controlled laboratory system, so we can more quickly get an idea of its behaviour while running on an actual system. Let's look at dynamic analysis first.

    Dynamic Analysis
        In dynamic analysis, we actually execute the binary and observe its interaction with the environment. All monitoring tools are activated. Different experiments are done to test the response of the running malware process to our tools. Attempts to communicate with other machines are recorded. In this phase a new snapshot of the environment is created, as in the baselining stage.

        After taking a snapshot of all the changes the malware performs on the system, the malware process is terminated. Now the differences between the new snapshot and the baseline snapshot are determined using tools like Autoruns, Regshot, Process Explorer and TCPView, which cover the file system, registry, network and process information.

        Normally malware executes in a flash, so it is difficult to understand what has actually happened. We can also execute malware in slow motion using OllyDbg, stepping through it instruction by instruction and recording the information with the monitoring tools.
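
The baseline-versus-after comparison described above, done the way Regshot does it but on constructed data, as an added example that is not part of the original post or of Regshot. A snapshot is a dict mapping a registry value path or a file path to its data (registry) or content hash (file). diff_snapshots() reports additions, removals and modifications; flag_autostart() then marks changes landing in the auto-start locations that Autoruns enumerates (Run and RunOnce keys, Winlogon Userinit and Shell, Services, the Startup folder), and find_self_copies() spots added files whose hash matches a file from the baseline, i.e. the specimen copying itself. snapshot_directory() is the file-side snapshot for a real directory tree. Every path, value and hash in BASELINE and AFTER is constructed.

```python
"""
Added example (not from the original post): Regshot-style snapshot compare
with persistence-location flagging. BASELINE and AFTER are constructed.
"""
import hashlib
import os

AUTOSTART_PATTERNS = (                       # lower-case substrings of well-known persistence paths
    "\\software\\microsoft\\windows\\currentversion\\run",          # also matches RunOnce
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell",
    "\\system\\currentcontrolset\\services\\",
    "\\start menu\\programs\\startup\\",
)


def snapshot_directory(root):
    """File-side snapshot of a real directory tree: {path: 'sha256:<hex>'}."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                snap[path] = "sha256:" + hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """What appeared, vanished or changed between two snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}


def is_autostart_location(path):
    return any(p in path.lower() for p in AUTOSTART_PATTERNS)


def flag_autostart(diff):
    """(change_type, key) for every diff entry that sits in a persistence location."""
    return [(change, key) for change, items in diff.items() for key in items if is_autostart_location(key)]


def find_self_copies(diff, baseline):
    """Added files whose hash already existed in the baseline (the specimen copying itself)."""
    by_hash = {v: k for k, v in baseline.items() if v.startswith("sha256:")}
    return [(new, by_hash[h]) for new, h in diff["added"].items() if h in by_hash]


# Constructed snapshots of a lab VM before and after running the specimen.
BASELINE = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware Tools":
        "C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit":
        "C:\\WINDOWS\\system32\\userinit.exe,",
    "C:\\WINDOWS\\system32\\drivers\\etc\\hosts": "sha256:constructed-hosts-v1",
    "C:\\Documents and Settings\\analyst\\Desktop\\specimen.exe": "sha256:constructed-specimen",
}
AFTER = dict(BASELINE)
AFTER["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"] = "C:\\WINDOWS\\system32\\updater32.exe"
AFTER["HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit"] = (
    "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\updater32.exe")
AFTER["C:\\WINDOWS\\system32\\updater32.exe"] = "sha256:constructed-specimen"     # same hash: a self-copy
AFTER["C:\\WINDOWS\\system32\\drivers\\etc\\hosts"] = "sha256:constructed-hosts-v2"
del AFTER["C:\\Documents and Settings\\analyst\\Desktop\\specimen.exe"]             # original dropper gone

if __name__ == "__main__":
    d = diff_snapshots(BASELINE, AFTER)
    for change, items in d.items():
        for key in items:
            print(f"{change:<9} {key}")
    print("persistence:", flag_autostart(d))
    print("self-copies:", find_self_copies(d, BASELINE))
```

The Userinit modification is the case the Autoruns caution above is about: the legitimate value must stay, so removal means restoring the original string rather than deleting the entry.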
    Static Analysis
        In static analysis, we collect as much information about the binary as possible without executing it. Resources embedded in the binary are extracted and recorded; a program like Resource Hacker can be used for this purpose. The resources discovered this way include GUI elements, scripts, HTML, graphics, icons and more. Human-readable strings are extracted from the malware and recorded; a program like Binary Text Scan can be used for this. Searching malware files for strings can reveal a great deal of useful information, such as the following:
    The malware specimen's name
    Sometimes, malware developers are so proud of their work, they include the name of their creation inside their code. If the strings command reveals a specimen's name, I conduct more detailed research using the Web sites described earlier in this section.

    Help or command-line options
    Some programs include a list of command-line options to help a user sort out all of the different features. This list is quite useful to a malware analyst.

    User dialog
    Many programs, including malware, spit out error or confirmation messages to users. By looking over this dialog embedded inside the malware specimen, we might be able to glean its purpose.

    Passwords for backdoors
    If the malware stores a backdoor password in clear text, it will likely show up as a string in an executable.

    URLs associated with the malware
    On occasion, a malware author inserts a reference to a Web site in the code. I use these references to surf to the author's site to determine if more information about the code is available there.

    E-mail addresses of the attacker or malware's author
    Some malware specimens send e-mail to the attacker when they are installed or activated. An attacker's e-mail address can be quite useful to us in this investigation.

    Libraries, function calls, and other executables used by the malware
    Many malware programs include strings that reference various libraries and functions used by the code. On Windows machines, the malware might reference various Windows API functions, DLLs, or EXEs. On UNIX, I might find evidence of various libraries or other applications associated with the malware.

    Other useful information
    The strings present in malware could include other useful tips as well. In essence, we're performing detective work, pure and simple, looking for useful clues. During one investigation, I found the phone number of the software developer embedded in the code for a backdoor. I personally think it's insane for a developer to put a phone number in malware code. However, the malware developer wasn't the attacker who broke into my machine. The developer merely released the code on his Web site, where my attacker had anonymously downloaded it. In fact, this insane developer was incredibly friendly and useful in providing insight into how the backdoor worked. Besides phone numbers, many other useful tidbits could show up in the strings embedded in the code.
    The tool used for analysis of executable code is a disassembler and debugger, which converts a raw binary executable into assembly language instructions that I can analyze in more detail. My favorite tool in this category is OllyDbg. This process of stepping through the reverse-compiled code, element by element, can be very painstaking, requiring many hours or even days of work. Therefore, it's often completely reasonable to move to dynamic analysis and put off the detailed static code look until later, or skip the detailed code review altogether.
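
A BinText-style string extractor plus the sorting described in the list above, as an added example that is not part of the original post or of BinText. extract_strings() pulls printable ASCII and UTF-16LE (Windows "wide") runs out of a binary with their offsets; categorize() buckets them into URLs, e-mail addresses, DLL/EXE references, registry paths, file paths, command-line options and CamelCase API-like names, leaving the rest (dialog text, specimen names, possible passwords) under "other" for the analyst to read. SAMPLE_BINARY is a constructed byte blob with invalid-TLD addresses, not a real specimen, and the classification regexes are heuristics written for this example.

```python
"""
Added example (not from the original post): extract ASCII and UTF-16LE
strings from a binary and sort them into the categories listed above.
SAMPLE_BINARY is constructed.
"""
import re

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)      # UTF-16LE: char, NUL, char, NUL


def extract_strings(data):
    """[(offset, encoding, text), ...] in file order."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(data)]
    return sorted(found)


# Order matters: the first matching category wins.
CATEGORIES = (
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("email", re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")),
    ("library", re.compile(r"^[\w.-]+\.(?:dll|exe|sys|ocx)$", re.I)),
    ("registry", re.compile(r"^(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE\\|SYSTEM\\)", re.I)),
    ("path", re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[A-Za-z]+%\\)")),
    ("option", re.compile(r"^[-/][A-Za-z][\w-]*$")),
    ("api", re.compile(r"^(?:[A-Z][a-z0-9]+){2,}(?:Ex)?[AW]?$")),  # CreateFileA, RegSetValueExA, WinExec
)


def classify(text):
    for name, pattern in CATEGORIES:
        if pattern.search(text):
            return name
    return "other"


def categorize(data):
    """{category: [strings in file order]} for every extracted string."""
    groups = {}
    for _, _, text in extract_strings(data):
        groups.setdefault(classify(text), []).append(text)
    return groups


# Constructed blob: DOS stub text, import-style names, junk bytes, wide strings, options, contact.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00RegSetValueExA\x00WININET.dll\x00InternetOpenA\x00"
    + b"\x01\x02\x03\xff\xfe"
    + "http://update.example.invalid/cfg.bin".encode("utf-16-le") + b"\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"-install\x00-silent\x00Specimen v1.2 (constructed)\x00report@example.invalid\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for category, strings in categorize(SAMPLE_BINARY).items():
        print(f"[{category}]")
        for s in strings:
            print("   ", s)
```

The UTF-16LE pass is the part a plain ASCII strings tool misses: Windows malware written against the wide-character API keeps its URLs and registry paths as two-byte characters, which is why BinText's Unicode mode exists.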
    Analyzing Information
    This is the stage where we can finally reverse engineer the binary based on all the information collected during the previous stages. Each piece of information is analysed over and over until the "jigsaw puzzle" is completed; then the big picture begins to appear and the reverse engineering process is finished. However, before this is achieved we may have to repeat the previous stages several times.
    Using this information, one can adopt the following techniques:
    Internet searches
    A search engine can be used to look for more information on the binary. Keywords for the search can be drawn from the information generated during the "Static Analysis" step of the previous stage. Things like filenames, registry entries, commands, etc. often reveal a lot of information about the malware. Some good sources of information on the Internet include online virus databases (mostly maintained by anti-virus vendors), newsgroups and mailing lists. Many times, Internet searches reveal almost all there is to know about the malware and no further research is needed. One can also use an automated threat analysis system like http://www.threatexpert.com to get all the information about the malware.

    Startup methods
    Every malware needs a way to ensure that it is executed when a system reboots. This is the most vulnerable aspect of the malware. There are only a limited number of ways in all operating systems that a program can use to restart automatically when a machine reboots. The information collected during the previous stage can be analyzed to identify the startup method of the malware. A very good source for Startup Methods related information on the Internet is the Paul Collins' Startup List.

    Communication protocol
    A network protocol analyzer like Ethereal can in many cases identify the communication protocol used by the binary. When this is not the case, the protocol has to be reverse engineered, which is beyond the scope of this document.

    Spreading mechanism
    If the malware under scrutiny is a self-spreading worm or virus, the collected network traffic data will easily reveal its spreading mechanism. In most cases, a cursory glance is enough.

    Conclusion
    We have seen that a basic behavioral analysis of a Malware can be easily performed by an administrator, or indeed by a power user. While this approach does not give the same level of detail as code analysis or reverse engineering would, still it is sufficient for most people's needs when figuring out what a potentially malicious binary is capable of and also how to go ahead with the removal and disinfection process.
    Documenting the results of the malware analysis and reverse engineering exercise is essential. One of the main advantages is that the knowledge incorporated into the documentation can be used for later analysis exercises.