Recently I have had a few people ask me to do tutorials, and the main point they were making was that they had absolutely no idea about the content I was posting but found it really interesting. So this post will aim to provide a lot of information about malware, cybercrime, hacking, carding and a couple of other things.

Malware

The word malware is a generic term encompassing many kinds of malicious software. Some specific types of malware are keyloggers, RATs, stealers, bank bots, loaders and EKs.

Keyloggers

Keyloggers record all input from your keyboard, save it to a file and then exfiltrate it from your PC via SMTP (email), FTP or HTTP.

Example of a commercial keylogger: http://www.ardamax.com/keylogger/

The above keylogger might be used somewhere like a workplace to monitor employees with their consent.

Example of a malicious keylogger:

http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html

RAT

RAT stands for remote administration tool. In function it is very similar to TeamViewer, Remote Desktop and Ammyy Admin: it does the same thing as those tools, but without prompting the user through an installation process. Along with remote viewing, RATs usually have many more capabilities, such as viewing the registry, listing running processes, keylogging, DDoS, opening the CD tray, disabling mouse input, opening a link in the browser, etc.

Examples

http://www.fbi.gov/news/stories/2014/may/international-blackshades-malware-takedown/international-blackshades-malware-takedown

http://darkcomet-rat.com

Stealer

A stealer is similar to a keylogger, but it doesn’t record your keyboard buffer; instead it steals cached passwords, so any passwords you have saved in your browser, and in any other application the stealer is programmed to target, will be stolen. Most of your cached passwords are located under AppData/Roaming or AppData/Local. The stolen data is then sent out via SMTP, FTP or HTTP.

Bank Bot

These are usually the heavy-hitting malware, because they are coded so well and cost a lot to buy. Bank bots steal bank logins and credit card information and tend to be pretty advanced as malware goes. They usually come with something called injects. Injects are extra HTML injected into a page when you visit it. So say your bank’s website normally just asks for a username and password; when you are infected and visit your bank, the page has an extra input box which asks for your mother’s maiden name or your full card number and CVV.

Loader

A loader is a type of malware that is extremely stable, and its main purpose is to let the criminal amass a large number of zombies (infected computers). They usually come with the ability to DDoS as well. A loader is used as a temporary infection most of the time: the criminal loads a small exe onto your computer and decides later what to do with it by making the loader download and execute a different piece of malware.

Example

http://www.indetectables.net/viewtopic.php?f=7&t=24506

EK

An EK is an exploit kit. They work by exploiting browser and plugin vulnerabilities, which lets them force your browser to download and execute an executable file of the attacker’s choosing. This all happens without you even noticing; at most your browser might crash or you will be redirected somewhere like Google after the attack.

Example

http://malware.dontneedcoffee.com/2013/10/Magnitude.html

An extremely famous EK is Blackhole; its author, known as Paunch, was arrested late last year.

http://krebsonsecurity.com/tag/blackhole-exploit-kit/

There are a bunch of other types of malware, but I am not going to discuss them.

Now you may be asking yourself, “But I have anti-virus, I am safe! How do all these people get infected?” Well, the simple answer is that your anti-virus won’t always catch an infection, and this is due to a tool the scene calls a crypter.

Crypter

A crypter encrypts an executable file so it looks nothing like its original self. To understand how this works you need to know a little about AVs. In the early days anti-virus was purely signature based: when a virus was discovered, the vendor would look through the code, compare all the variants of the virus, find a line or two of code common to all the samples and generate a signature for their anti-virus client from it. When a file is scanned and matches the signature, it is flagged as malicious. So if you encrypt the file, it will no longer match the signature. Most modern-day anti-virus has proactive defences, meaning it actively scans memory looking for threats, and if a threat is executed it will be caught as it executes rather than the next time you scan. The same principle applies to proactive defences as to signature-based detection: proactive is much more effective and more complex and doesn’t rely only on signatures, but it can also be bypassed by using a crypter. The malware will only be detected once your AV company updates its database of detections.

How do I learn to reverse malware?

I get asked this question a lot and there is no easy answer, but there are answers, multiple ones. There are a bunch of tools you can use to help you, but if you don’t understand what the hell you are looking at there is no point. I would say definitely learn the basics of assembly language (ASM), learn about the Windows API, and learn about networking.

Here are some links to help out

http://www.tutorialspoint.com/assembly_programming/

http://www.winprog.org/tutorial/

This book will have you flying.

http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901

Tools

For debugging I would recommend

http://www.ollydbg.de/

For disassembling I would recommend

https://www.hex-rays.com/products/ida/

Network analysis

http://www.wireshark.org/ or http://www.tcpdump.org/

Web page analysis

http://malzilla.sourceforge.net/

Make sure you test any malware inside a virtual machine.

ISOs for malware analysis

http://zeltser.com/remnux/

Web Hacking

The most common method of hacking is SQL injection. SQL injection occurs when input to the database is not sanitized correctly, so the database will execute anything it is supplied. Actually, pretty much every security flaw comes from incorrect or missing sanitation. If a website is vulnerable to SQL injection it is like having admin access to the DB: you can read any value you want.

Another common vulnerability is cross-site scripting or XSS, which allows execution of arbitrary code in the browser. There are two types, reflected and persistent. Reflected XSS happens when something like a search box returns results without sanitizing them and shows you the search term you used. Reflected usually isn’t that dangerous, as you would have to send someone the exact link with the JavaScript code in the URL to trigger the XSS. Persistent XSS is much, much more dangerous: it happens when values from the database are echoed on the page without being sanitized, so the code is actually embedded into the page, and anyone who visits the page will execute the code.
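To make the “not sanitized correctly” point of the two paragraphs above concrete, here is an added Python example (not code from the original post): a login query built by string concatenation beside its parameterized fix, and a reflected search page beside one that escapes the echoed term. The in-memory sqlite database and its single user row are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory user table standing in for the site's real database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
conn.commit()


def login_unsafe(user, password):
    """Builds the query by string concatenation: the input becomes part of the SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + user +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(user, password):
    """Parameterized query: the driver passes the values as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone()[0] > 0


def search_page_unsafe(term):
    """Reflected search box that echoes the raw term straight into the page."""
    return "<p>Results for: " + term + "</p>"


def search_page_safe(term):
    """Same page, but the term is HTML-escaped so the browser renders it as text."""
    return "<p>Results for: " + html.escape(term) + "</p>"


if __name__ == "__main__":
    # The textbook probe: the quote closes the string literal in the concatenated
    # query, so the WHERE clause no longer checks the password at all.
    probe = "' OR '1'='1"
    print(login_unsafe("alice", probe))   # True: the condition is always satisfied
    print(login_safe("alice", probe))     # False: the quote is just password text
    print(search_page_unsafe("<script>alert(1)</script>"))   # script tag lands in the page
    print(search_page_safe("<script>alert(1)</script>"))     # &lt;script&gt; rendered as text
```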

If you want to learn about web hacking here are some links

http://mdsec.net/wahh/

https://www.owasp.org/index.php/Web_Application_Penetration_Testing

https://www.pentesterlab.com/

Purposely vulnerable web apps to test on

http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

https://www.owasp.org/index.php/OWASP_Security_Shepherd

Cracking

Cracking is the term given to the process of brute-forcing a page login for valid credentials, and the people who do it are called crackers. It works by sending a web login form a request including a username and password and monitoring the response of the page. Say we have a login form where the title of the page is “Mylogin form” and when you are authenticated the title changes to “Members Portal”; that is the key used to verify a successful login. The logic goes: try the login, check the page source for <title>Members Portal</title>, and if it exists log the username and password used, then continue through the list. The reason brute forcing works is that you can make thousands of requests/tries a second; you just need a huge list of usernames and passwords, and a proxy list if the page limits login attempts per IP. This is why we need those annoying CAPTCHA forms 😉

Carding

Carding is the term given to the act of stealing credit card info, and carding is a massive industry. There are a couple of ways credit card information and other financial information can be obtained. One of the most common is using your card at a compromised ATM: the criminals fit the ATM with a skimming device and a spy-hole camera pointing at the PIN pad. The skimmer slips over the original card reader, so when you put your card into the machine the fake card reader gets a copy of the data on the card, but the real ATM also reads the card, so you think nothing is wrong; then the pinhole camera records your PIN. Armed with this information a carder could rewrite the info from your card onto a blank card and go into a shop on a spending spree.

Another way is through being infected with malware or getting hit with a phishing page. A phishing page is a website that pretends to be your bank and asks for your details. There is a lot of lingo and there are many tools in the carding scene which I am not going to go into, because I am trying to inform you of the dangers and what people do, not educate you so you can go out and do it yourself 😛 Credit card details are sold on forums for as cheap as $4 per card.

I am going to end this post here. I hope you learned something; I did leave out a lot of details, but I also specified a lot of topics, and there is way too vast an amount of information to go into in just one post, and it is 7am here and I haven’t been to sleep 🙂

Some more links I forgot to add in

http://www.enigmagroup.org/forums/news3/things-that-can-go-wrong-when-doing-missions!/

http://securityoverride.org/challenges/index.php