As an example, one of the most basic malware to inject into a process to get a C2 beacon goes like this:
Get Handle of a process -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Now writing this in C/C++ is quite native as it can easily communicate with WinAPI. Are there any benefits in writing this in another programming language such as Golang or Rust to fight against EDR, not just an AV with static analysis checks? More specifically EDRs that are hooking and calling
JMP to those WinAPI calls?
My question comes from the rise of .NET and C# with a lot of use cases such as using LOLBAS csc.exe to compile on machine or
execute-assembly to load .NET assemblies in unmanaged codespace or process. However, this still use WinAPI by using P/Invoke (and now D/Invoke).
- Are there any benefits in using other programming language to call WinAPI function to fight against EDR?
- Are there any other ways of creating malware (e.g. dropper) besides calling WinAPI?
- Like with .NET and C#, will there be a new rise in existing (other) languages such as Go or Rust.
I tried to download malware pcap on ubuntu VM in microsoft azure from the putty but it is not allowing me to do so .It gives following output: 2016-12-17-traffic-analysis-exercise.pcap.zip: Permission denied Cannot write to ‘2016-12-17-traffic-analysis-exercise.pcap.zip’
can someone please tell me how can we download malware pcap in ubuntu VM in microsoft azure?
Is there any chance of local PC getting infected when you analyse PCAP malware file in cloud server through putty?I want to run pcap malware to test snort in my cloud server.I want to know on doing so if it will affect my local machine.
What checks should I perform to ensure my router is malware free? This is for a home network
I have a small network of several Windows 10 machines (all protected by BitDefender 2020 Total Security), one of which acts as server with Firebird database.
For some time the database is deteriorating – in some random records some fields have altered values. I completly changed the server machine for a brand new with fresh Windows 10 installation and antivirus, on which the database was recreated from GBK archive. The primary machine was carefully check for RAM errors (with MemTest86) and SSD errors (CrystalDiskInfo and ADATA SSD ToolBox) – everything was in 100% fine.
I don’t have no suspicions other than that the server was hacked, but it looks like an alleged malware / virus must move inside database (even packed GBK archive), because only GBK file was moved to new machine (on verified pendrive).
Is it even possible that the virus is stored inside the database (e.g. in the form of stored procedures, etc.) and it transfers with GBK archive? If so, how to detect and remove it from database?
(Firebird database is stored in the form of single FDB file, which was scanned by BitDefender without any results)
I’ve talked with a new friend who is fairly bright and who can do some interesting things programming Office applications, but whose technical abilities omit infosec. And he got bitten by nasty malware.
I’m wondering what options might be most productive to offer to him. I’m not sure it’s realistic to repel all dedicated assault, but cybercriminals often look for someone who would be an easy kill, and (perhaps showing my ignorance here), I think it could be realistic to make a system that’s hardened enough not to be an easy kill.
Possibilities I’ve thought of include:
Windows 10 with screws turned down (how, if that is possible?).
Mint or another Linux host OS for what can be done under Linux, and a VMware or VirtualBox VM that is used for compatibility and may be restorable if the machine is trashed.
Migrating to a used or new Mac, possibly with a Windows Virtual Machine, but most people using Macs don’t complain they are missing things.
Perhaps with one of the technical situation, point my friend to user education saying things like "Don’t download software that you hadn’t set out to get. The price of Marine Aquarium of $ 20 up front is dwarfed by the hidden price tags of adware and spyware offering a free aquarium screensaver.
This is not an exhaustive list, although it’s what I can think of now. I’ve had a pretty good track record for not engaging malicious software, and I think it can be learned (and that documentation for online safety would be taken very, very seriously).
What can I suggest to my friend for online safety?
Malware on the firmware level can potentially mess with data on the storage device. There is no point in doing that for encrypted data except maybe corruption. But what about a smartphone or other device with dm-verity where the system partition is not encrypted. Could this kind of malware break dm-verity?
With enormous amounts of fighting with Windows/Microsoft Defender, I finally managed to download the "test virus" file from https://www.ikarussecurity.com/en/private-customers/download-test-viruses/ onto my desktop.
However, Defender (on the command line) still just says:
Scanning C:\Users\John Doe\Desktop\eicar_com.zip found no threats.
No threats? You just had me work for 30 minutes straight to make you not remove the file before it ever even landed on my desktop, and now you consider it to not contain any threats? Is this just because I have "allowed" it?
My entire point of downloading this file was to check if Windows/Microsoft Defender returns a "1" code instead of "0" when it detects a virus (and what it says as text output), but now I can’t even test that because it thinks that the file is not "harmful" just because I allowed it to exist temporarily on my system for the purpose of testing this?
Bottom line: I can’t see any way to test Defender’s output/return code for an actual malware-detected file because it doesn’t even allow me to have the file on my desktop without "allowing" it, which apparently makes it believe me blindly as an authority.
I have been using a passive tap for my home network for years now, until recently I had to be more careful in order to try and find or better say investigate a possible infection.
Now I did not find any anomaly on the traffic of the said machines after hours of monitoring (I did not try VPN on those machines to prevent the malware being able to avoid detection) but I am facing a serious dilemma,
I was wondering,
Is it technically possible for a malware, or a sophisticated attacker to detect the presence of a listening/monitoring passive network tap?
Is it possible for a malware, a backdoor, a privacy infringing or spying product like Intel management engine (the OS on the many Intel CPUs) to wait for a VPN connection, Tor, or presence of a secure proxy or tunnel to establish their connection, hence making passive taps practically fruitless?
I am grateful for this community and trying to help keep the world a little bit safer. Thank you everyone.
I have an old computer and I am sure it has Trojan or malicious code but after that i bought new one the problem is i did not change my old headphone that used in my old computer and i plugged it in the new computer so are there any problem to use my old headphone ? and thank you