Tuesday, 17 December 2013

Basic Analysis of Malware

There are primarily two types of analysis technique:

  • Static Analysis 
  • Dynamic Analysis

Static Analysis

Static analysis means examining the malware without running it. There are several tools and techniques for analysing a malicious file, and because there are so many kinds of malware there is no hard and fast rule for which ones to apply. Static analysis includes hashing the file, extracting strings from it, decoding or unpacking it, reverse engineering it, and so on.

Dynamic Analysis

In dynamic analysis we actually run the malware and observe its behaviour, using debugging, API hooking and logging techniques. To do this safely we need an environment in which the malware cannot harm us, i.e. a sandbox or an isolated, snapshotted virtual machine with no route to anything that matters. Some malware detects sandboxes and changes its behaviour accordingly, so if it has to be run on a live system we have to be very careful about the consequences.

Thursday, 12 December 2013

Types of Malware

Backdoor Malicious code that installs itself onto a computer to allow the attacker access. Backdoors usually let the attacker connect to the computer with little or no authentication and execute commands on the local system.

Botnet Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.

Downloader Malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system. The downloader program will download and install additional malicious code.

Information-stealing malware Malware that collects information from a victim’s computer and usually sends it to the attacker. Examples include sniffers, password hash grabbers, and keyloggers. This malware is typically used to gain access to online accounts such as email or online banking.

Launcher Malicious program used to launch other malicious programs. Usually, launchers use nontraditional techniques to launch other malicious programs in order to ensure stealth or greater access to a system.

Rootkit Malicious code designed to conceal the existence of other code. Rootkits are usually paired with other malware, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect.

Scareware Malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an anti-virus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their “software,” when in reality, the software it’s selling does nothing more than remove the scareware.

Spam-sending malware Malware that infects a user’s machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.

Worm or virus Malicious code that can copy itself and infect additional computers.

Reference Book: Practical Malware Analysis 

Tuesday, 3 December 2013

Rollback Data If one CI Fails in App Engine Program - PeopleSoft

Scenario: 

       When working with multiple Component Interfaces in an Application Engine program, if one CI fails, the changes already made by the other CIs need to be rolled back as well.

Solution: 

    Local ApiObject &SESSION, &STUCI, &EDUCI;   /* declare the session and CI objects */
    &SESSION = %Session;                         /* initialise the session */
    /* ADD_STUDENT is the Component Interface based on the ADD_Stu_Info component */
    &STUCI = &SESSION.GetCompIntfc(COMPINTFC.ADD_STUDENT);

    StartWork();
    If &STUCI.Save() Then
       /* ADD_EDUCATION is the Component Interface based on the ADD_EDU_Info component */
       &EDUCI = &SESSION.GetCompIntfc(COMPINTFC.ADD_EDUCATION);

       /* Enter your custom code */

       If &EDUCI.Save() Then
          CommitWork();
       Else
          SQLExec("ROLLBACK");
       End-If;
    Else
       SQLExec("ROLLBACK");
    End-If;

Methods Used:

  StartWork();
      The StartWork function marks the start of a unit of work. Once this function is executed, no updates to the database are allowed until the unit of work is completed. A unit of work is completed when an event completes (such as a FieldChange event), in which case all the updates are saved.
      A unit of work can also be completed with the CommitWork built-in function.
      If a SQL failure occurs at any time during the unit of work, after StartWork has been called and before the unit of work completes, all updates are rolled back to the point where StartWork was executed.
      This function can be used for nested component interface calls, so that if the lower-level component interface fails, any database changes made by the calling component interface can be rolled back.
    
  CommitWork();  


Macro Extraction From an Office File

OfficeMalScanner is a forensic tool for Microsoft Office files (doc, xls, ppt). It extracts shellcode, embedded objects, macros and so on. Today we are going to extract the macros from an MS Excel file. First download OfficeMalScanner, extract it and put it in a directory; it is run from the command line. Follow the steps:
1) Go to the Start Menu.
2) Select Run from the menu.
3) Type "cmd" and hit Enter.
4) Change to the directory where OfficeMalScanner.exe is located using the "cd" command.
5) Type "OfficeMalScanner.exe <input file with path> info" and hit Enter. The info mode is the one that dumps the OLE structure and saves any VBA macro code to disk; the scan mode looks for shellcode and embedded files instead.
6) This command creates a folder and writes the extracted macros into it; open those files in Notepad to read them.
Some screenshots of the macro extraction are shown below.

Running OfficeMalScanner

Extracted Macros
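Extracting macros by hand, as an added example that is not OfficeMalScanner's code: the VBA source inside an Office file is stored in a compressed stream (the MS-OVBA CompressedContainer format), so any macro extractor has to decompress it before the code is readable. The decompressor below implements that format and then scans the recovered source for auto-execution and shell-related keywords, which is the first thing to look for once the macros are out. The container bytes are constructed by hand for this example, not taken from a real document, and locating the module streams inside the OLE2 compound file is left to a tool such as OfficeMalScanner.

```python
"""Added example, not OfficeMalScanner's own code: decompress a VBA module
stream (MS-OVBA CompressedContainer) and scan the result for suspicious
keywords. SAMPLE_CONTAINER is constructed by hand for this example.
"""
import re


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into raw VBA source bytes."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # bits 0-11: size minus 3
        if (header >> 12) & 0x7 != 0b011:           # bits 12-14: fixed signature
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = bool(header >> 15)             # bit 15: compressed flag
        chunk_end = min(pos + chunk_size, len(data))
        pos += 2
        chunk_start = len(out)
        if not compressed:
            out += data[pos:chunk_end]              # raw chunk, stored verbatim
            pos = chunk_end
            continue
        while pos < chunk_end and len(out) - chunk_start < 4096:
            flags = data[pos]                       # one flag bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])           # literal byte
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                diff = len(out) - chunk_start
                if diff == 0:
                    raise ValueError("copy token with nothing to copy from")
                # the split between offset and length bits depends on how much
                # of this chunk has already been decompressed
                bit_count = max(4, (diff - 1).bit_length())   # ceil(log2(diff))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > diff:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):             # byte-wise so overlaps work
                    out.append(out[-offset])
    return bytes(out)


SUSPICIOUS = re.compile(
    rb"\b(Auto_?Open|AutoExec|Auto_?Close|Document_Open|Workbook_Open|Shell|"
    rb"CreateObject|GetObject|WScript|Environ|URLDownloadToFile|PowerShell|"
    rb"Declare)\b", re.IGNORECASE)


def suspicious_keywords(source: bytes) -> list:
    """Distinct auto-exec / execution-related identifiers, in order of appearance."""
    seen = []
    for m in SUSPICIOUS.finditer(source):
        word = m.group(1).decode("ascii")
        if word not in seen:
            seen.append(word)
    return seen


# Constructed container: one compressed chunk holding
# "Sub Auto_Open()\r\nEnd Sub\r\n" as 21 literals, a copy token that repeats
# "Sub" from 21 bytes back, then two more literals.
SAMPLE_CONTAINER = (
    b"\x01"                      # container signature
    + b"\x1B\xB0"                # chunk header: size 30, signature 011, compressed
    + b"\x00" + b"Sub Auto"      # flag byte 0x00: eight literals
    + b"\x00" + b"_Open()\r"     # eight more literals
    + b"\x20" + b"\nEnd "        # flag 0x20: five literals, copy token, two literals
    + b"\x00\xA0"                # copy token: offset 21, length 3 -> "Sub"
    + b"\r\n"
)

if __name__ == "__main__":
    src = decompress_vba(SAMPLE_CONTAINER)
    print(src.decode("ascii"))
    print("suspicious:", suspicious_keywords(src))
```

The keyword list is the usual triage shortlist (auto-execution entry points, object creation, shell access and Declare lines that import Win32 functions); a hit is a reason to read the whole module, not a verdict, and obfuscated macros build those names at run time with string operations, so an empty list does not clear a document.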

Monday, 2 December 2013

ASP.NET Output Caching

Output Caching
One of the most sure-fire ways to improve a web application's performance is to employ caching. Caching takes some expensive operation and stores its results in a quickly accessible location.
Output Caching - caches the entire rendered markup of an ASP.NET web page or User Control for a specified duration.
Data Caching - a programmatically-accessible, in-memory data cache for storing objects in the web server's memory.
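The security caveat with output caching is that the cache key must include everything the rendered markup depends on. The model below is an added example, not the page's code and not ASP.NET's implementation: a tiny output cache serving a per-user page. Keyed on the URL alone, the first signed-in user's page is handed to every later visitor until the entry expires; keyed on the URL plus the requesting identity, each user gets their own copy. The page, user names and duration are assumptions for the example.

```python
"""Added example (not ASP.NET's implementation): a minimal output cache that
shows how a cache key that ignores the user leaks one user's rendered page to
another. Names, paths and durations are assumed for this example.
"""
import time


class OutputCache:
    """Stores rendered markup per key for `duration` seconds."""

    def __init__(self, duration, vary_by, clock=time.monotonic):
        self.duration = duration
        self.vary_by = vary_by        # request -> cache key
        self.clock = clock            # injectable so expiry can be simulated
        self.store = {}
        self.renders = 0              # how often the handler actually ran

    def get_or_render(self, request, handler):
        key = self.vary_by(request)
        now = self.clock()
        hit = self.store.get(key)
        if hit and hit[1] > now:
            return hit[0]             # served from cache, handler not run
        markup = handler(request)
        self.renders += 1
        self.store[key] = (markup, now + self.duration)
        return markup


def account_page(request):
    """The handler: renders per-user content, as an account page would."""
    return "<h1>Account</h1><p>Signed in as %s</p>" % request["user"]


def vary_by_path(request):
    """Weak key: the URL only, equivalent to caching with no per-user variation."""
    return request["path"]


def vary_by_path_and_user(request):
    """Corrected key: the URL plus the identity the markup depends on."""
    return (request["path"], request["user"])


def simulate(vary_by, duration=60):
    """Serve /account to alice, then to bob one second later, then to bob again
    after the entry has expired. Returns what bob first received and the
    number of times the handler ran."""
    ticks = [0.0]
    cache = OutputCache(duration, vary_by, clock=lambda: ticks[0])
    alice = {"path": "/account", "user": "alice"}
    bob = {"path": "/account", "user": "bob"}
    cache.get_or_render(alice, account_page)
    ticks[0] += 1.0
    bob_sees = cache.get_or_render(bob, account_page)
    ticks[0] += duration              # past expiry: a fresh render is forced
    cache.get_or_render(bob, account_page)
    return bob_sees, cache.renders


if __name__ == "__main__":
    print("path only      :", simulate(vary_by_path))
    print("path and user  :", simulate(vary_by_path_and_user))
```

In ASP.NET terms the weak key is an OutputCache directive on a page that renders authenticated content with only VaryByParam set; the fix is to vary on what the page really depends on (VaryByCustom with GetVaryByCustomString returning the user identity, or VaryByHeader on the cookie) or, simpler and safer for truly personal pages, not to output-cache them at all and rely on data caching for the expensive parts. The same leak appears at any shared cache in front of the server, so the response headers must also say the page is private.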


ASP.NET OUTPUT

How ASP.NET Web Pages are Processed

The Browser Makes an HTTP Request for an ASP.NET Web Page
The Web Server Receives the HTTP Request

Examining the ASP.NET Engine

The ASP.NET engine is often referred to as the ASP.NET HTTP pipeline, because the incoming request passes through a variable number of HTTP modules on its way to an HTTP handler. HTTP modules are classes that have access to the incoming request.

Module: Modules can inspect the incoming request and make decisions that affect the internal flow of the request.
HTTP handler: Its job is to generate the output that will be sent back to the requesting browser.
Generating the Output
The final step is for the suitable HTTP handler to generate the appropriate output. This output, then, is passed back through the HTTP modules and then back to IIS, which then sends it back to the client that initiated the request.

PeopleSoft Security - Part 1

Understanding Security

      When it comes to security, PeopleSoft addresses the needs of an organization that wants to make data and data structures available to different kinds of users, such as vendors, employees, developers, customers and students.

4 Security Layers are:
1. Internet Permissions: The network administrator's responsibility: making sure the system is up and running and that users have the permissions needed to reach the sign-on page and log in to PeopleSoft.
2. Database Permissions: The database administrator's responsibility: creating database accounts for users such as developers and granting them database access.
3. Application Permissions: Focuses on the navigational aspects of the application, such as being able to create Permission Lists, Roles and User Profiles and maintaining processes.
4. Data Permissions: Controls the PeopleSoft user's access to application data; it can be set at table level, row level and field level.

So we will be focusing on Application Permissions
Note: One User Profile can have multiple roles and One Role can have multiple Permission Lists.

     1.   Permission Lists:  Set up specific authorizations to carry out business transactions.

                Creating Permission Lists: 
                             People Tools->Security->Permissions & Roles-> Permission List