Tuesday, 17 December 2013

Basic analysis of a Malware

There are primarily two types of analysis techniques:

  • Static Analysis 
  • Dynamic Analysis

Static Analysis

Static analysis is analyzing malware without running it. There are several tools and techniques for analyzing a malicious file. Because there are many types of malware around, there is no hard and fast rule for how static analysis is applied. Static analysis of malware includes extracting strings from the sample, decoding it, reverse engineering it, and so on.

Dynamic Analysis

In dynamic analysis we actually run the malware and observe its behavior, using debugging, hooking and logging techniques. To analyse malware dynamically we have to build an environment in which the malware cannot harm us, i.e. run it in a sandbox environment. Some malware detects sandboxes and behaves accordingly, so when we run it on a live system we have to be very careful about the consequences.

Thursday, 12 December 2013

Types of Malwares

Backdoor Malicious code that installs itself onto a computer to allow the attacker access. Backdoors usually let the attacker connect to the computer with little or no authentication and execute commands on the local system.

Botnet Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.

Downloader Malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system. The downloader program will download and install additional malicious code.

Information-stealing malware Malware that collects information from a victim’s computer and usually sends it to the attacker. Examples include sniffers, password hash grabbers, and keyloggers. This malware is typically used to gain access to online accounts such as email or online banking.

Launcher Malicious program used to launch other malicious programs. Usually, launchers use nontraditional techniques to launch other malicious programs in order to ensure stealth or greater access to a system.

Rootkit Malicious code designed to conceal the existence of other code. Rootkits are usually paired with other malware, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect.

Scareware Malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an anti-virus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their “software,” when in reality, the software it’s selling does nothing more than remove the scareware.

Spam-sending malware Malware that infects a user’s machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.

Worm or virus Malicious code that can copy itself and infect additional computers.

Reference Book: Practical Malware Analysis 

Tuesday, 3 December 2013

Rollback Data If one CI Fails in App Engine Program - PeopleSoft

Scenario: 

       When working with multiple Component Interfaces in an Application Engine program, if one CI fails, the changes made by the other CIs must be rolled back as well.

Solution: 

    Local ApiObject &SESSION, &STUCI, &EDUCI;   /* declare the session and CI objects */
    &SESSION = %Session;                         /* initialize the session object */
    &STUCI = &SESSION.GetCompIntfc(COMPINTFC.ADD_STUDENT);
    /* ADD_STUDENT is the Component Interface based on the ADD_Stu_Info component */

    StartWork();   /* mark the start of a unit of work: both CI saves below form one transaction */
    If &STUCI.Save() Then
       &EDUCI = &SESSION.GetCompIntfc(COMPINTFC.ADD_EDUCATION);
       /* ADD_EDUCATION is the Component Interface based on the ADD_EDU_Info component */

       /* Enter your custom code here (set the keys and properties of &EDUCI) */

       If &EDUCI.Save() Then
          CommitWork();          /* both CIs saved: commit the unit of work */
       Else
          SQLExec("ROLLBACK");   /* second CI failed: undo the first CI's changes too */
       End-If;
    Else
       SQLExec("ROLLBACK");      /* first CI failed: nothing to keep */
    End-If;

Methods Used:

  StartWork();
      The StartWork function marks the start of a unit of work. Once this function is executed, no updates to the database are allowed until the unit of work is completed. A unit of work is completed by an event completing (such as a FieldChange event), in which case all the updates are saved.
      A unit of work can also be completed with the CommitWork built-in function.
      If a SQL failure occurs at any time during the unit of work, after StartWork has been called and before the unit of work completes, all updates are rolled back to the point where StartWork was executed.
      This function can be used for nested Component Interface calls, so that if the lower-level Component Interface fails, any database changes made by the calling Component Interface can be rolled back.

  CommitWork();


Macro Extraction From an Office File

OfficeMalScanner is a tool used for forensic analysis of Microsoft Office files, including .doc, .xls and .ppt. It extracts shellcode, embedded objects, macros and so on. Today we are going to extract macros from an MS Excel file. First download OfficeMalScanner, extract it and put it in a directory. Then run it from the command line, following these steps:
1) Go to the Start menu.
2) Select Run from the menu.
3) Type "cmd" and hit Enter.
4) Change to the directory where OfficeMalScanner.exe is located using the "cd" command.
5) Type the command "OfficeMalScanner.exe InputFile_with path" and hit Enter.
6) This command creates a folder and extracts the macros from the input file; you can check them by opening the extracted files in Notepad.
Some snapshots of the macro extraction are shown below.

Running OfficeMalScanner

Extracted Macros
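When a tool such as OfficeMalScanner dumps macros, the VBA source it finds in the file is stored in a stream compressed with the MS-OVBA container format and has to be decompressed before it is readable. The decompressor below is an added example (not OfficeMalScanner's code and not from the original post); the container it decodes is constructed by hand.

```python
# Added example: MS-OVBA (section 2.4.1) decompressor for the container that
# stores VBA macro source; the sample container further down is constructed by hand.
def decompress_vba(container: bytes) -> bytes:
    """Expand an MS-OVBA compressed container into the raw VBA source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature byte")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = pos + (header & 0x0FFF) + 3        # size field = chunk length - 3
        i = pos + 2
        if not header & 0x8000:                        # raw (4096-byte) chunk
            out += container[i:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)                         # copy offsets are chunk-relative
        while i < chunk_end:
            flags = container[i]                       # one flag bit per following token
            i += 1
            for bit in range(8):
                if i >= chunk_end:
                    break
                if not flags & (1 << bit):             # literal byte
                    out.append(container[i])
                    i += 1
                    continue
                token = int.from_bytes(container[i:i + 2], "little")   # copy token
                i += 2
                diff = len(out) - chunk_start
                bit_count = 4                          # offset width grows with position
                while (1 << bit_count) < diff:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                # byte-wise so overlapping copies work
                    out.append(out[len(out) - offset])
        pos = chunk_end
    return bytes(out)

# Constructed container: one compressed chunk holding "Sub Main()\r\nEnd Sub\r\n";
# the second "Sub" is a copy token (offset 16, length 3) back to the first one.
SAMPLE_CONTAINER = (
    b"\x01\x16\xb0"                     # signature, chunk header 0xB016 (compressed, 25 bytes)
    + b"\x00" + b"Sub Main"             # flag byte 0x00: eight literals
    + b"\x00" + b"()\r\nEnd "           # flag byte 0x00: eight literals
    + b"\x01" + b"\x00\xf0" + b"\r\n"   # flag bit 0 set: copy token, then two literals
)
```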

Monday, 2 December 2013

ASP.NET Output Caching

Output Caching
One of the most sure-fire ways to improve a web application's performance is to employ caching. Caching takes some expensive operation and stores its results in a quickly accessible location.
Output Caching - caches the entire rendered markup of an ASP.NET web page or User Control for a specified duration.
Data Caching - a programmatically-accessible, in-memory data cache for storing objects in the web server's memory.


ASP.NET OUTPUT

How ASP.NET Web Pages are Processed

The Browser Makes an HTTP Request for an ASP.NET Web Page
The Web Server Receives the HTTP Request

Examining the ASP.NET Engine

The ASP.NET engine is often referred to as the ASP.NET HTTP pipeline, because the incoming request passes through a variable number of HTTP modules on its way to an HTTP handler. HTTP modules are classes that have access to the incoming request.

Module: modules can inspect the incoming request and make decisions that affect the internal flow of the request.
HTTP handler: its job is to generate the output that will be sent back to the requesting browser.

Generating the Output
The final step is for the suitable HTTP handler to generate the appropriate output. This output is then passed back through the HTTP modules to IIS, which sends it back to the client that initiated the request.

PeopleSoft Security - Part 1

Understanding Security

      When it comes to security, PeopleSoft addresses the needs of an organization that wants to make data and data structures available to different kinds of users, such as vendors, employees, developers, customers, students, etc.

The 4 security layers are:
1. Internet Permissions: it is the network administrator's responsibility to make sure that the system is up and running and that users have the appropriate permissions to see the sign-on page and log in to PeopleSoft.
2. Database Permissions: it is the database administrator's responsibility to create accounts for users such as developers and grant them database access.
3. Application Permissions: focuses on the navigational aspects of the application, such as being able to create Permission Lists, Roles and User Profiles and to maintain processes.
4. Data Permissions: controls access to the application data by the PeopleSoft user; it can be set at table level, row level and field level.

So we will be focusing on Application Permissions.
Note: one User Profile can have multiple Roles, and one Role can have multiple Permission Lists.

     1.   Permission Lists: set up specific authorizations to carry out business transactions.

          Creating Permission Lists:
                PeopleTools -> Security -> Permissions & Roles -> Permission Lists

         

Pretty Good Privacy (Encryption Decryption and Digital Signatures)

In 1991 Phil Zimmermann created Pretty Good Privacy (PGP) to support privacy in online communication. PGP is the most widely used mechanism in public-key cryptography. PGP software nowadays follows the OpenPGP standard. OpenPGP signatures certify:

  • files
  • text blocks
  • user IDs

A PGP signature is a hash of such data, computed with a hashing algorithm such as SHA-1 and encrypted with a public-key (PK) algorithm. OpenPGP allows the use of multiple PK algorithms, including:

  • DSA US standard for digital signatures from 1994
  • ElGamal discrete logarithm PK algorithm of Taher ElGamal from 1994
  • RSA Rivest, Shamir and Adleman algorithm from 1978
  • DSA/ElGamal can be termed DH/DSS (Diffie Hellman, DS Standard).

GnuPG is the GNU project's implementation of the OpenPGP standard.
Use it to generate a new key pair as follows:

user@USER:$ gpg --gen-key


Fill all the details for generating key.
Enter pass phrase: Any secret text you want to enter!
Repeat pass phrase: Any secret text you want to enter!


The public key created in this key pair
  • is 2048 bit RSA key
  • never expires
  • has key ID A5A35B36
  • has self-signed user ID Blogger (How to work with PGP.) <Blogger@blogger.com>
  • has fingerprint 6429 7328 8C2C 181D 41CA  9558 0ADF EA9D A5A3 5B36
  • is stored in public keyring ~/.gnupg/pubring.gpg
The private key is stored encrypted in the private keyring ~/.gnupg/secring.gpg.
In case you later forget the passphrase, create a revocation certificate now:

user@USER:$ gpg --output revoke.asc --gen-revoke "Blogger"

To list the keys on your public keyring:

user@USER:$ gpg --list-keys

To export this public key in binary format to "humbert.gpg":

user@USER:$ gpg --output humbert.gpg --export "Blogger"
Add the "--armor" argument to output the key in Radix-64 (Base64) format:

user@USER:$ gpg --armor --export "Blogger"
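The binary export and its "--armor" form differ only in encoding: Radix-64 armor is Base64 with a CRC-24 trailer, and the first byte of the binary export identifies the OpenPGP packet it starts with. The following is an added example (not part of the original post and not GnuPG code) that builds and checks armor, rejecting a block whose trailer no longer matches the body; the key export it wraps is a constructed placeholder packet, not a real key.

```python
# Added example (not the post's or GnuPG's code): Radix-64 armor with its CRC-24 trailer.
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 over the binary packet data; its Base64 form is the '=XXXX' armor trailer."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str) -> str:
    """Wrap binary OpenPGP data like `gpg --armor`: header, blank line, 64-column body, CRC, footer."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {block_type}-----", ""] + lines
                     + ["=" + crc, f"-----END {block_type}-----", ""])

ARMOR_RE = re.compile(
    r"-----BEGIN ([^-]+)-----\n(?:[^\n]+\n)*\n(.*?)\n=([A-Za-z0-9+/]{4})\n-----END \1-----", re.S)

def dearmor(text: str) -> bytes:
    """Decode an armored block, refusing it when the CRC-24 trailer does not match the body."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("not an OpenPGP armored block")
    data = base64.b64decode(m.group(2).replace("\n", ""))
    if crc24(data) != int.from_bytes(base64.b64decode(m.group(3)), "big"):
        raise ValueError("armor CRC-24 mismatch: block is corrupted or was edited")
    return data

def first_packet_tag(data: bytes) -> int:
    """Tag of the first packet (RFC 4880 section 4.2); 6 = Public-Key, 5 = Secret-Key, 2 = Signature."""
    first = data[0]
    if not first & 0x80:                     # bit 7 is always set in a packet header
        raise ValueError("not an OpenPGP packet header")
    # new format keeps the tag in bits 5..0, old format in bits 5..2
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F

# Constructed stand-in for a binary key export: an old-format Public-Key packet
# header (0x99, two-byte length 3) followed by three placeholder body bytes.
SAMPLE_EXPORT = b"\x99\x00\x03\x04\x00\x00"
```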

A public or private key is added to, or deleted from, your public or private keyring by

user@USER:$ gpg --import harry_lime.gpg
user@USER:$ gpg --delete-secret-and-public-key Harry

Signing another person's public key requires you to
  • import it from a public key server into your public keyring
  • verify its fingerprint and ID with him (e.g. by phone)
  • verify that the ID(s) you are signing designate him
  • verify that he can sign a message corresponding to that public key
Consider whether to put your reputation on the line for him.

Keys on your public keyring can be signed as follows:
user@USER:$ gpg --edit-key "Harry Lime"
...
[ unknown] (1). Harry Lime (Cuckoo clocks) <H.Lime@cccp.wien.at>
[ unknown] (2) [jpeg image of size 3100]
Command> sign
Really sign all user IDs? (y/N) y
pub 1024D/D8C0D322 created: 2011-06-08 expires: 2011-09-06 usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 4B31 1C50 4331 2B16 05BC C3E9 EF84 7D38 D8C0 D322
Harry Lime (Cuckoo clocks) <H.Lime@cccp.wien.at>
[jpeg image of size 3100]
This key is due to expire on 2011-09-06.
Are you sure that you want to sign this key with your
key "Blogger (How to work with PGP.) <Blogger@blogger.com>" (A5A35B36)
Really sign? (y/N) y
...
Enter passphrase:
...
Command> quit
Save changes? (y/N) y
Individual IDs can be picked with the command "uid n"; n=0 deselects all.

Once signed
  • export their public key from your keyring
  • upload the updated public key back to the public key server
The updated public key will be merged with their existing public key on the server.
Display the details of another person's public key, including its signatures, with:

user@USER:$ gpg --list-sigs "Harry Lime"

Verify their signatures against the public keys in your public keyring by

user@USER:$ gpg --check-sigs "Harry Lime"

Encryption and Decryption

Encrypt doc.pdf to send to Harry Lime as follows:

user@USER:$ gpg --output doc.gpg --encrypt --recipient "Harry Lime" doc.pdf

Harry Lime decrypts doc.gpg sent to him as follows:

user@USER:$ gpg --output doc.pdf --decrypt doc.gpg

Enter passphrase:
GnuPG also supports symmetric encryption using a passphrase.

user@USER:$ gpg --output doc.gpg --symmetric doc.pdf

Enter passphrase:
The passphrase is hashed into a symmetric key of the right size.
A symmetrically encrypted message can be decrypted as follows:

user@USER:$ gpg --output doc.pdf --decrypt doc.gpg

Document doc.pdf can be signed and compressed as follows:

user@USER:$ gpg --output doc.sig --sign doc.pdf

The document's signature is checked and the document decompressed by

user@USER:$ gpg --output doc.pdf --decrypt doc.sig

Documents can be signed without compression by

user@USER:$ gpg --clearsign doc.txt
user@USER:$ gpg --output doc.sig --detach-sig doc.txt

The detached signature doc.sig can be verified over doc.txt with

user@USER:$ gpg --verify doc.sig doc.txt

Subkeys and signatures on OpenPGP keys can be individually revoked.
The example shows revocation of a subkey and of the self-signature on the photo ID:

user@USER:$ gpg --edit-key "Blogger"

pub 1024D/D8E1C459 created: 2011-06-27 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/933254DE created: 2011-06-27 expires: never usage: E
[ultimate] (1). Blogger (How to work with PGP.) <Blogger@blogger.com>
[ultimate] (2) [jpeg image of size 25817]
Command> key 1
...
Command> revkey
...
Command> uid 2
...
Command> revsig
...
Create a revocation certificate for this signature? (y/N) y
...
pub 1024D/D8E1C459 created: 2011-06-27 expires: never usage: SC
trust: ultimate validity: ultimate
This key was revoked on 2011-06-30 by DSA key D8E1C459
Blogger (How to work with PGP.) <Blogger@blogger.com>
sub 2048g/933254DE created: 2011-06-27 revoked: 2011-06-30 usage: E
[ultimate] (1). Blogger (How to work with PGP.) <Blogger@blogger.com>
[ revoked] (2) [jpeg image of size 25817]
A new subkey can be added as follows:
Command> addkey
...
Please select what kind of key you want:
...
(4) Elgamal (encrypt only)
...
Your selection? 4
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
...
pub 1024D/D8E1C459 created: 2011-06-27 expires: never usage: SC
trust: ultimate validity: ultimate
...
sub 4096g/11E26C5B created: 2011-06-30 expires: never usage: E
Revoked components can be trimmed with delkey and deluid.

However, once your own key has been published on key servers, trimming it is pointless, since the servers merge updates into the copy they already hold.
A key's trust level can be adjusted as follows:

user@USER:$ gpg --edit-key Harry

pub 1024D/D8C0D322 created: 2011-06-08 expires: 2011-09-06 usage: SC
trust: unknown validity: full
sub 2048g/9EED759F created: 2011-06-08 expires: 2011-09-06 usage: E
[ full ] (1). Harry Lime (Cuckoo clocks) <H.Lime@cccp.wien.at>
[ full ] (2) [jpeg image of size 3100]
Command> trust
...
Please decide how far you trust this user to verify other users' keys
(by looking at passports, checking fingerprints from various sources etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 3
pub 1024D/D8C0D322 created: 2011-06-08 expires: 2011-09-06 usage: SC
trust: marginal validity: full
Web of trust parameters can also be altered in .gnupg/gpg.conf, e.g.
  • completes-needed 2
  • marginals-needed 5
  • max-cert-depth 3

GnuPG supports interactive maintenance of the trust database:

user@USER:$ gpg --update-trustdb

This indicates that the web of trust is built over two keys:
  • one is marginally trusted (Harry Lime's)
  • the other is ultimately trusted (your own public key)
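As an added example (not GnuPG's code), here is a simplified model of how the classic trust model turns owner trust, signatures and the three gpg.conf parameters above (completes-needed, marginals-needed, max-cert-depth) into key validity, the computation that --update-trustdb performs. The keyring it runs on is constructed around the post's own keys; real GnuPG applies further rules (expiry, trust signatures) that are left out here.

```python
# Added example (not GnuPG's code): simplified classic-trust-model validity computation.
def compute_validity(owner_trust, signatures, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that becomes valid (depth 0 = own key).

    owner_trust: {key: "ultimate" | "full" | "marginal" | "unknown" | "never"}
    signatures:  {key: set of keys whose certification signatures it carries}
    A key becomes valid when it is signed by an ultimately trusted key, by at least
    `completes_needed` fully trusted valid keys, or by at least `marginals_needed`
    marginally trusted valid keys, each introducer lying within `max_cert_depth`.
    """
    valid = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    changed = True
    while changed:                     # propagate until no further key turns valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # only valid keys with room left under max-cert-depth can introduce others
            introducers = [s for s in signers if s in valid and valid[s] < max_cert_depth]
            ultimate = [s for s in introducers if owner_trust.get(s) == "ultimate"]
            full = [s for s in introducers if owner_trust.get(s) == "full"]
            marginal = [s for s in introducers if owner_trust.get(s) == "marginal"]
            if ultimate:
                chosen = ultimate
            elif full and len(full) >= completes_needed:
                chosen = full
            elif marginal and len(marginal) >= marginals_needed:
                chosen = marginal
            else:
                continue
            valid[key] = 1 + min(valid[s] for s in chosen)
            changed = True
    return valid

# Constructed keyring built around the post's keys: "Blogger" is our own key; we
# signed "Harry Lime" (marginal owner trust) and "Ross" (full owner trust), and
# both of them signed "Anna", who in turn signed "Dave".
OWNER_TRUST = {"Blogger": "ultimate", "Harry Lime": "marginal",
               "Ross": "full", "Anna": "unknown"}
SIGNATURES = {
    "Harry Lime": {"Blogger"},
    "Ross": {"Blogger"},
    "Anna": {"Harry Lime", "Ross"},
    "Dave": {"Anna"},            # Anna's owner trust is unknown, so she introduces nobody
}
```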
Query pgp.mit.edu or keyserver.pgp.com for a public key, then use its key ID to import it into your public keyring:

user@USER:$ gpg --keyserver pgp.mit.edu --recv-key 4B2700B9

Check out its 22 signatures with

user@USER:$ gpg --list-sigs Ross

Signatures added to it can be republished back to the key server with

user@USER:$ gpg --keyserver pgp.mit.edu --send-key rja14@cl.cam.ac.uk