Difference between pages "Malware" and "Windows SuperFetch Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Analysis)
 
(MEMO file)
 
Line 1: Line 1:
'''Malware''' is a short version of '''Malicious Software'''.
+
{{expand}}
  
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
+
== MEMO file ==
 +
Th MEMO file consists of:
 +
* file header
 +
* compressed blocks
  
== Virus ==
+
=== File header ===
A computer program that can automatically copy itself and infect a computer.
+
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
== Worm ==
+
=== Compressed blocks ===
A self-replicating computer program that can automatically infect computers on a network.
+
The file header is followed by compressed blocks:
 
+
{| class="wikitable"
== Trojan horse ==
+
|-
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
+
! Offset
 
+
! Size
== Spyware ==
+
! Value
A computer program that can automatically intercept or take partial control over the user's interaction.
+
! Description
 
+
|-
== Exploit Kit ==
+
| 0
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
+
| 4
 
+
|
=== Drive-by-download ===
+
| Compressed data size
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
+
|-
 
+
| 4
== Rootkit ==
+
| ...
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
+
|
 +
| Compressed data
 +
|-
 +
|}
  
 
== See Also ==
 
== See Also ==
* [[Malware analysis]]
+
* [[SuperFetch]]
  
 
== External Links ==
 
== External Links ==
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
+
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
+
* [http://www.viruslist.com/ Viruslist.com]
+
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
+
 
+
=== Analysis ===
+
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
+
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
+
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
+
 
+
=== Exploit Kit ===
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
+
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
+
 
+
=== Rootkit ===
+
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
+
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
+
  
[[Category:Malware]]
+
[[Category:File Formats]]

Revision as of 12:37, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEMO file

Th MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

See Also

External Links