Are all “behavioral detection” of malware a form of heuristic detection?

A lot of articles I read seem to lump behavioral detection together with heuristic detection. From what I know, one of the defining features of heuristic detection is that it can be used to detect new malware, but it results in more false positives than signature detection. I can imagine that there are some dynamic or behavioral techniques that have an extremely low false-positive rate, like signature-based detection, but can only detect a specific known malware. For example, a series of API calls being used like a “signature”. Are some behavior-based or dynamic detection techniques also considered signature-based, or are all behavior-based techniques considered to be heuristic?
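As an added illustration of the distinction the question draws (example code, not from the original post), the following scores constructed API-call traces two ways: an exact contiguous call sequence acting as a behavioural signature for one family, and weighted generic behaviours combined into a heuristic score. The trace names, call patterns, weights and threshold are all assumptions.

```python
# Constructed API-call traces (not real samples).
TRACES = {
    "dropper_sample": ["GetTempPath", "CreateFile", "WriteFile", "CreateProcess", "DeleteFile"],
    "installer": ["GetTempPath", "CreateFile", "WriteFile", "CreateProcess"],
    "injector_sample": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "editor": ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"],
}

# Behavioural signature: one exact contiguous call sequence tied to a known family.
SIGNATURES = {
    "FamilyX.dropper": ["GetTempPath", "CreateFile", "WriteFile", "CreateProcess", "DeleteFile"],
}

# Behavioural heuristic: weighted generic behaviours; a total at or above THRESHOLD flags the trace.
HEURISTICS = [
    (("VirtualAllocEx", "WriteProcessMemory"), 3, "writes memory into another process"),
    (("CreateRemoteThread",), 3, "starts a thread in another process"),
    (("WriteFile", "CreateProcess"), 2, "writes a file then runs something"),
    (("CreateProcess", "DeleteFile"), 2, "runs something then deletes a file"),
]
THRESHOLD = 4

def contains_subsequence(trace, pattern):
    """True when pattern occurs as a contiguous run inside trace."""
    pattern, n = list(pattern), len(pattern)
    return any(trace[i:i + n] == pattern for i in range(len(trace) - n + 1))

def signature_match(trace):
    """Names of known families whose exact call sequence appears in the trace."""
    return [name for name, sig in SIGNATURES.items() if contains_subsequence(trace, sig)]

def heuristic_score(trace):
    """(score, reasons): sum of the weights of the generic behaviours present."""
    hits = [(w, why) for pat, w, why in HEURISTICS if contains_subsequence(trace, pat)]
    return sum(w for w, _ in hits), [why for _, why in hits]

def verdict(trace):
    """Signature first (specific, low false-positive rate), then heuristic, else clean."""
    sigs = signature_match(trace)
    if sigs:
        return "signature:" + sigs[0]
    score, _ = heuristic_score(trace)
    return "heuristic" if score >= THRESHOLD else "clean"
```

The installer trace shares a sub-behaviour with the dropper but stays below the threshold, while the injector has no signature yet is still flagged by the heuristic; that is the trade-off the question describes.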

Logic behind virus detection, malware detection, broken registry detection or corrupted file detection in a C# Windows application

I am just going to create a Windows-based antivirus application in C# which will work just like any antivirus program, such as Avast. I have designed the UI of the form and other stuff; I just want the logic behind the scenes: how to detect malware, corrupted files, broken registry entries and viruses. That's it. Any help will be appreciated, guys.

Malware and Captcha Site Certificate Change When Using GSA SER and GSA Captcha Breaker

Dear Sir,
This is to bring to your notice that I have been having serious issues making use of your software.
My GSA SER is always complaining of the Death by Captcha server being down, and whenever I try accessing Death by Captcha online through their website I always receive errors like the following:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: 75.126.120.203
Issuer: 75.126.120.203
Expires on: Sep 18, 2019
Current date: Jul 20, 2019
PEM encoded chain:
When Avast complains, it always complains of an infection involving a process in GSA SER, as can be seen in the several screenshots attached.
As a result, no captchas are solved by DeathByCaptcha, as their service cannot be accessed through GSA SER, or even if I ping their server.
However, if GSA SER has not been run for the day and I access deathbycaptcha.com, everything works fine. When I test my credentials everything is fine. When GSA initially starts working it is OK, but within a few minutes the problem comes up.

In the trial version of GSA Captcha Breaker that I am using I keep getting this error message:

“Death By Captcha: Unable to extract CaptchaID (<html> <body> <p>Unable to complete request. Check credential….”

I have already dropped a system, thinking I got infected online from somewhere else. However, on a fresh install of Windows 10 the same problem persists.
The thing is that any captcha site listed in your software cannot be accessed once this problem starts, which makes things very difficult to understand. Why is it attacking my captcha services – all their certificates get changed and I receive the NET::ERR_CERT_AUTHORITY_INVALID error on virtually all of them.
Please, I need help on a way forward.

I just want to get this problem solved and get it to work like everyone else, please!!!

Magento cloud hosted M2 EE site compromised and got malware attack

Today I noticed that my client’s Magento 2 cloud hosted Enterprise Edition site is compromised. In the footer the hacker added a link along with the following URL:

  <script src="https://write-cdn.com/mysiteurl/"></script> 

As I am maintaining their environment, when I saw that link I was curious what it was. When I opened that link, on the first attempt it showed some JS-related encrypted code, so I became suspicious about it.

I performed scans with tools like Sucuri and Foregenix to verify whether the site is malware infected. Both scanners showed a clean result, but when I ran http://write-cdn.com/ through Sucuri it gave me a red alert that the domain is blacklisted for malware activities.

I removed that code from my site and performed a DB scan by checking blocks, pages, core_config_data and a few other tables. I also checked the code using the Linux grep command to find it, but didn’t find any clue.

I want to know how that code was injected into the site. I checked the admin logs, Magento logs and nginx logs. I also created a Magento support ticket, but those guys are just useless and giving zero information on how someone entered that code. Admin access is shared with 2 people, and both have secure 20-character passwords with special characters.

Is there any way I can track where that malware code came from?
Is there any tool or way I can quickly scan and monitor Magento?

Is there any way I can check who changed things directly in the DB, like logging or something?

Any help would be appreciated.
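One way to monitor for this kind of injection (an added example, not part of the post and not Magento's own tooling): extract every script src from footer or block HTML, whether taken from rendered pages or from table rows such as cms_block and core_config_data, and flag any host outside an allowlist. The allowlist hosts and the row labels are assumptions; write-cdn.com is the host named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the store legitimately loads scripts from ('' = relative src).
ALLOWED_SCRIPT_HOSTS = {"", "www.example-store.test", "static.example-store.test"}

class ScriptSrcCollector(HTMLParser):
    """Collects every <script src=...> value from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def script_host(src):
    """Host part of a script src; a protocol-relative '//host/x' is given a scheme first."""
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).netloc.lower()

def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Sorted list of script hosts in the fragment that are not on the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return sorted({script_host(s) for s in parser.srcs} - set(allowed))

def scan_rows(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """rows: (location, html) pairs, e.g. cms_block.content or the footer HTML value
    from core_config_data; returns only the rows that load an unexpected host."""
    findings = []
    for location, html in rows:
        hosts = unexpected_script_hosts(html, allowed)
        if hosts:
            findings.append((location, hosts))
    return findings

# Constructed rows modelled on the injected footer tag from the post (labels are made up).
SAMPLE_ROWS = [
    ("cms_block:footer_links", '<p><a href="/about">About</a></p>'),
    ("core_config_data:footer_html",
     '<script src="/static/frontend/theme/js/footer.js"></script>\n'
     '<script src="https://static.example-store.test/analytics.js"></script>\n'
     '<script src="https://write-cdn.com/mysiteurl/"></script>'),
]
```

Running scan_rows on a periodic dump of these tables, and diffing the findings against the previous run, turns the one-off check into the monitor the post asks for.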

Model suggestion for detection of malware based on multiple api call sequences

I’m trying to build an RNN (LSTM) model for classifying binaries as benign/malware. The data structure I presently have looks as follows:

  {
    "binary1": {
      "label": 1,
      "sequences": [
        ["api1","api2","api3", ...],
        ["api1","api2","api3", ...],
        ["api1","api2","api3", ...],
        ["api1","api2","api3", ...],
        ...
      ]
    },
    "binary2": {
      "label": 0,
      "sequences": [
        ["api1","api2","api3", ...],
        ["api1","api2","api3", ...],
        ["api1","api2","api3", ...],
        ["api1","api2","api3", ...],
        ...
      ]
    },
    ...
  }

Here each binary has a variable number of sequences, and each sequence has a variable number of API calls. I can pad the data so that all binaries have an equal number of sequences and each sequence also has an equal number of API calls. But my question is: how can I use this data for training?

The problem is that not all the sequences of a malicious binary may be malicious sequences. So, if I use the label and tell the model that all those sequences are malicious, and some of those sequences also appear in benign files, the benign binary may be treated as malware.

To better understand the problem, treat each binary as a person on Twitter, and each API call sequence as the words in a tweet. A user may post many tweets, but only a few of them may be about sports (for example). In my training data I know which persons tweet about sports, but I don’t know which tweets are about sports. So what I’m trying to do is classify those persons as to whether they like sports or not, based on all the tweets of the person.

In the same way, I know whether the binary is malicious or not, but I don’t know which API call sequences are responsible for the maliciousness. And I want the model to identify those sequences from the training data. Is it possible? And what architecture should I use?

I hope I conveyed my question; thanks for reading, and I’m waiting for a suggestion.
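An added example (not from the post) of training from bag labels only, the multiple-instance setting the post describes. Instead of an LSTM it uses a linear model over API unigrams and bigrams with mean-pooled instance logits, which is enough to show the point: after training, ranking each binary's sequences by their own score surfaces the ones responsible for the malicious label. The bags and API names are constructed.

```python
import math

# Constructed bags (not real traces): one label per binary, several API-call sequences each.
BAGS = {
    "mal1": (1, [["OpenFile", "ReadFile", "CloseHandle"],
                 ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
                 ["RegOpenKey", "RegQueryValue"]]),
    "mal2": (1, [["RegOpenKey", "RegQueryValue"],
                 ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]]),
    "ben1": (0, [["OpenFile", "ReadFile", "CloseHandle"],
                 ["RegOpenKey", "RegQueryValue"],
                 ["CreateWindow", "ShowWindow"]]),
    "ben2": (0, [["CreateWindow", "ShowWindow", "DestroyWindow"],
                 ["OpenFile", "WriteFile", "CloseHandle"]]),
}

def features(seq):
    """Unigram + bigram API features of one sequence (one instance of the bag)."""
    feats = set(seq)
    feats.update(f"{a}>{b}" for a, b in zip(seq, seq[1:]))
    return feats

def instance_logits(w, seqs):
    """Per-sequence score before the sigmoid; the bias is added at bag level."""
    return [sum(w.get(f, 0.0) for f in features(s)) for s in seqs]

def train(bags, epochs=500, lr=0.5):
    """Bag label only: the bag logit is the MEAN of its instance logits, so every sequence
    receives 1/n of the bag's gradient. Sequences that also occur in benign bags are pushed
    down there and cancel out; only sequences unique to malicious bags keep positive weight."""
    w, b = {}, 0.0
    for _ in range(epochs):
        for label, seqs in bags.values():
            z = sum(instance_logits(w, seqs)) / len(seqs) + b
            err = 1.0 / (1.0 + math.exp(-z)) - label    # dLoss/dz for log loss
            for s in seqs:
                for f in features(s):
                    w[f] = w.get(f, 0.0) - lr * err / len(seqs)
            b -= lr * err
    return w, b

def classify(model, seqs):
    """(is_malicious, sequence indexes ranked most suspicious first)."""
    w, b = model
    logits = instance_logits(w, seqs)
    bag_malicious = sum(logits) / len(logits) + b > 0
    return bag_malicious, sorted(range(len(seqs)), key=lambda i: -logits[i])
```

The same idea carries over to the LSTM setting: encode each sequence separately, pool the per-sequence outputs to one bag prediction, and read the per-sequence scores back out to see which sequences drove it.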

Build a C2C server to communicate with malware

So, I have an old piece of malware that communicates with a C2C server that is no longer active. I have reverse-engineered the malware and figured out the commands that it expects. It uses HTTP for its communication. I would like to communicate with the malware so that I can receive its requests and respond accordingly. I’m new to this and would like some specific pointers. Thanks.

What Tools Do People Use For Hunting Malware?

I would like to hear about some of the tools that people use for hunting malware on a machine. This is not really for analyzing malware but more for detecting malware, to see if a machine is infected and, if so, how to clean it. I don’t really want to hear about specific anti-virus programs, but if there are tools provided by an AV company that could be interesting.

Here is a list of some of the tools that I currently use:

  • Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer)
  • Process Monitor (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)
  • AutoRuns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
  • Power Eraser by Symantec (https://support.symantec.com/us/en/article.tech170752.html)
  • HiJackThis (https://sourceforge.net/projects/hjt/)
  • PowerShell script written to look for malicious indicators in ProcMon logs (https://gallery.technet.microsoft.com/Analyze-Process-Monitor-9eb95f84)
  • WireShark (https://www.wireshark.org/)
  • VirusTotal (https://www.virustotal.com)
  • Hybrid Analysis (https://hybrid-analysis.com)
  • RootkitRevealer (for older machines) (https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer)

If anyone else has tools that they use, or methodologies they use when trying to find malware on a machine, I would love to hear about them.

How to design a script to remove WindowsFormsApplication5.exe malware?

I have a malware file with me that’s been infecting my dad’s laptops for over a year now. This malware is popularly known as the WindowsFormsApplication5.exe malware, and I think he has bad security practices and therefore accidentally executes the malware. It is difficult to educate him on this, so I figured I’ll write a script that removes this malware every time he inserts a pen drive.

This is how the malware behaves:
  1. It hides all the files in the pen drive.
  2. It hides folders and creates an executable with the same folder name, except with the .exe extension.
  3. It does this recursively, i.e. even at the subdirectory level.

I want to have the script written as a DOS script, i.e. a .bat file, so that it can be run on Windows by double-clicking it. I have copies of the malware which I took as samples on my macOS system, and they seem to have some common properties such as the same file size, the same weird icon, etc. How would I go about making this script? I want to recursively check the file name, see its properties and then remove the /S /H flags on the original files while deleting this malware .exe equivalent, and do this recursively so all the pen drive files are disinfected. I figured out most of the commands, but what can I use to uniquely identify the malware file? Is there any Windows command to identify the icon to match? (because all the malware files have the same icon).

I also have a few copies of the malware, but I am unable to upload and share them as most file-sharing services tend to block me.
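An added example (not the asker's script), written in Python rather than a .bat, with the decision logic separated from the destructive step: a .exe is treated as a decoy only when a folder of the same name sits beside it and its SHA-256 matches a sample you captured, which identifies the file more reliably than its icon or size. The hash placeholder and the folder names in demo() are constructed; attrib is only invoked on Windows.

```python
import hashlib
import os
import subprocess
import tempfile

# Placeholder: put the SHA-256 of your captured sample(s) here (this value is not a real hash).
KNOWN_SAMPLE_SHA256 = {"<sha256-of-captured-WindowsFormsApplication5.exe-sample>"}

def sha256_file(path):
    """Hex SHA-256 of a file; a hash match is what uniquely identifies the sample."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def plan_cleanup(root, known_hashes=KNOWN_SAMPLE_SHA256):
    """Walk the drive recursively. A .exe is a suspect only when a folder with the same
    base name sits beside it (the decoy pattern described) AND its hash matches a known
    sample. Everything else is scheduled for un-hiding. Nothing is changed here."""
    suspects, unhide = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            twin = os.path.join(dirpath, d + ".exe")
            if os.path.isfile(twin) and sha256_file(twin) in known_hashes:
                suspects.append(twin)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if path not in suspects:
                unhide.append(path)
    return suspects, unhide

def apply_cleanup(suspects, unhide):
    """Delete the confirmed decoys, then clear the +S +H attributes (attrib is Windows-only)."""
    for path in suspects:
        os.remove(path)
    if os.name == "nt":
        for path in unhide:
            subprocess.run(["attrib", "-S", "-H", path], check=False)

def demo():
    """Constructed pen-drive layout in a temp dir so the planner can be exercised offline."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "Photos"))
    for rel, data in [("Photos/img.jpg", b"jpg"), ("Photos.exe", b"constructed sample"),
                      ("notes.exe", b"legit tool")]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    suspects, unhide = plan_cleanup(root, {sha256_file(os.path.join(root, "Photos.exe"))})
    return [os.path.basename(p) for p in suspects], sorted(os.path.basename(p) for p in unhide)
```

Run plan_cleanup first and review the suspect list before calling apply_cleanup; notes.exe in the demo shows that a legitimate executable without a twin folder is left alone and merely un-hidden.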

How Norton Internet Security Is Useful for Malware Protection?

Norton is amazing anti-virus software that is made with the sole purpose of protecting your computing devices and smartphones from all kinds of possible threats and malicious attacks from viruses and malware. Norton Internet Security is useful for protection from malware, and this is how it is done:

  • Looking for malicious content and threats while browsing different websites
  • Analyzing data that might prove to be harmful to the device and blocking it from entering the system beforehand
  • Working as cloud-based accounting software, analyzing thousands of websites and categorizing them as good or bad
  • Discovering the presence of viruses and malware in files and documents.

The Norton anti-virus works on many different layers. It is highly recommended that you download and install it on your device, and to understand how it is done, just take help from the technical experts at Norton customer care support. Know more at: Antivirus helpline number.
