Difference between pages "Plaso" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(HackingTeam)
 
Line 1: Line 1:
{{Infobox_Software |
+
'''Malware''' is a short version of '''Malicious Software'''.
  name = plaso |
+
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
+
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
+
  genre = {{Analysis}} |
+
  license = {{APL}} |
+
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
+
}}
+
  
Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].
+
== Virus ==
 +
A computer program that can automatically copy itself and infect a computer.
  
== Supported Formats ==
+
== Worm ==
 +
A self-replicating computer program that can automatically infect computers on a network.
  
=== Image File Formats ===
+
== Trojan horse ==
Image File Format support will be moved to [[dfvfs]].
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
* [[Raw Image Format]]
+
  
=== Volume System Formats ===
+
== Spyware ==
Volume System Format support will be moved to [[dfvfs]].
+
A computer program that can automatically intercept or take partial control over the user's interaction.
* [[Windows Shadow Volumes]] using [[libvshadow]]
+
  
=== File System Formats ===
+
== Exploit Kit ==
File System Format support will be moved to [[dfvfs]].
+
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
* uses [[sleuthkit]] and [[pytsk]]
+
  
=== File Formats ===
+
=== Drive-by-download ===
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
+
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
+
* [[Windows Event Log (EVT)]] using [[libevt]]
+
* [[Windows NT Registry File (REGF)]] using [[libregf]]
+
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
+
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
+
* Syslog
+
  
== History ==
+
== Rootkit ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.
+
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
  
 
== See Also ==
 
== See Also ==
* [[dfvfs]]
+
* [[Malware analysis]]
* [[log2timeline]]
+
  
 
== External Links ==
 
== External Links ==
* [https://code.google.com/p/plaso/ Project site]
+
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
+
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
* [http://blog.kiddaland.net/ Project blog]
+
* [http://www.viruslist.com/ Viruslist.com]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]
+
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
 +
 
 +
=== Analysis ===
 +
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
 +
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
 +
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
 +
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
 +
 
 +
=== Exploit Kit ===
 +
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
 +
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
 +
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
 +
 
 +
=== Rootkit ===
 +
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
 +
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
 +
 
 +
=== HackingTeam ===
 +
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
 +
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
 +
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014
 +
 
 +
 
 +
[[Category:Malware]]

Revision as of 03:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam