Difference between pages "Malware" and "SuperFetch"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Analysis)
 
(External Links)
 
Line 1: Line 1:
'''Malware''' is a short version of '''Malicious Software'''.
+
{{Expand}}
  
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
+
SuperFetch is a performance enhancement introduced in [[Microsoft]] [[Windows|Windows Vista]] to reduce the time necessary to launch applications. An expanded version of the [[Prefetch]] files found in Windows XP, they record usage scenarios and load resources into memory before they are needed. Those resources can be loaded into physical memory and extra memory provided by [[ReadyBoost]].
  
== Virus ==
+
== Configuration ==
A computer program that can automatically copy itself and infect a computer.
+
  
== Worm ==
+
Because SuperFetch appears to leave a system with no available memory, some users turn it off to create the appearance of having more free memory. The feature can be configured by changing the <tt>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnableSuperfetch</tt> [[Registry]] key [http://www.codinghorror.com/blog/archives/000688.html]. A value of zero disables SuperFetch, one enables it for booting only, two for applications, and three for both applications and boot. This setting can also be changed using the Services console, <tt>services.msc</tt> [http://tiredblogger.wordpress.com/2007/03/27/superfetch-not-so-super-for-gaming/].
A self-replicating computer program that can automatically infect computers on a network.
+
  
== Trojan horse ==
+
== File Formats ==
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
+
  
== Spyware ==
+
Data for SuperFetch is gathered by the <tt>%SystemRoot%\System32\Sysmain.dll</tt>, part of the Service Host process, <tt>%SystemRoot%\System32\Svchost.exe</tt>, and stored in a series of files in the <tt>%SystemRoot%\Prefetch</tt> directory [http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/]. These files appear to start with the prefix <tt>Ag</tt> and have a <tt>.db</tt> extension. The format of these files is not fully known, there is available unofficial partial specification [http://blog.rewolf.pl/blog/?p=214] and open source (GPL) dumper for .db files [http://code.google.com/p/rewolf-superfetch-dumper/]. Some information can be gleaned from these files by searching for [[Unicode]] [[strings]] in them.
A computer program that can automatically intercept or take partial control over the user's interaction.
+
  
== Exploit Kit ==
+
The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [http://channel9.msdn.com/showpost.aspx?postid=242429].
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
+
 
+
=== Drive-by-download ===
+
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
+
 
+
== Rootkit ==
+
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
+
  
 
== See Also ==
 
== See Also ==
* [[Malware analysis]]
+
* [[Prefetch]]
 +
* [[Windows SuperFetch Format|SuperFetch Format]]
 +
* [[Windows]]
  
 
== External Links ==
 
== External Links ==
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
+
* [http://en.wikipedia.org/wiki/Windows_Vista_I/O_technologies#SuperFetch Wikipedia: Windows Vista I/O technologies - SuperFetch]
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
+
* [http://channel9.msdn.com/showpost.aspx?postid=242429 Channel 9 Interview with Michael Fortin of Microsoft on SuperFetch]
* [http://www.viruslist.com/ Viruslist.com]
+
* [http://www.informationweek.com/news/showArticle.jhtml?articleID=196902178 Microsoft Predicts The Future With Vista's SuperFetch] from Information Week
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
+
* [http://jessekornblum.com/presentations/dodcc08-2.pdf DC3 Presentation: My You Look SuperFetching]
 
+
* [http://code.google.com/p/rewolf-superfetch-dumper/ Open source Ag*.db files dumper]
=== Analysis ===
+
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
+
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
+
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
+
 
+
=== Exploit Kit ===
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
+
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
+
 
+
=== Rootkit ===
+
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
+
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
+
  
[[Category:Malware]]
+
== Tools ==
 +
* [https://code.google.com/p/rewolf-superfetch-dumper/ rewolf-superfetch-dumper]

Revision as of 12:32, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

SuperFetch is a performance enhancement introduced in Microsoft Windows Vista to reduce the time necessary to launch applications. An expanded version of the Prefetch files found in Windows XP, they record usage scenarios and load resources into memory before they are needed. Those resources can be loaded into physical memory and extra memory provided by ReadyBoost.

Contents

Configuration

Because SuperFetch appears to leave a system with no available memory, some users turn it off to create the appearance of having more free memory. The feature can be configured by changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnableSuperfetch Registry key [1]. A value of zero disables SuperFetch, one enables it for booting only, two for applications, and three for both applications and boot. This setting can also be changed using the Services console, services.msc [2].

File Formats

Data for SuperFetch is gathered by the %SystemRoot%\System32\Sysmain.dll, part of the Service Host process, %SystemRoot%\System32\Svchost.exe, and stored in a series of files in the %SystemRoot%\Prefetch directory [3]. These files appear to start with the prefix Ag and have a .db extension. The format of these files is not fully known, there is available unofficial partial specification [4] and open source (GPL) dumper for .db files [5]. Some information can be gleaned from these files by searching for Unicode strings in them.

The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [6].

See Also

External Links

Tools