Difference between pages "Internet Explorer" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (External Links)
 
(HackingTeam)
 
Line 1: Line 1:
{{Expand}}
+
'''Malware''' is a short version of '''Malicious Software'''.
  
Microsoft Internet Explorer (MSIE) is the default [[Web Browser]] included with [[Microsoft Windows]].
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
== MSIE 4 to 9 ==
+
== Virus ==
MSIE 4 to 9 uses the [[Internet Explorer History File Format]] (or MSIE 4-9 Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.
+
A computer program that can automatically copy itself and infect a computer.
  
== MSIE 10 ==
+
== Worm ==
<pre>
+
A self-replicating computer program that can automatically infect computers on a network.
C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\
+
</pre>
+
  
The WebCacheV01.dat and WebCacheV24.dat files are in the [[Extensible Storage Engine (ESE) Database File (EDB) format]]
+
== Trojan horse ==
 +
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
  
== Configuration ==
+
== Spyware ==
Internet Explorer will apply its setting in the following order, where the lower the order overrides settings in the higer order.
+
A computer program that can automatically intercept or take partial control over the user's interaction.
# Settings in Machine policy key
+
# Settings in User policy key
+
# Settings in User preference key
+
# Settings in Machine preference key
+
  
Machine policy key
+
== Exploit Kit ==
<pre>
+
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
HKET_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
+
</pre>
+
  
Machine preference key
+
=== Drive-by-download ===
<pre>
+
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
HKET_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
+
</pre>
+
  
User policy key
+
== Rootkit ==
<pre>
+
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
+
</pre>
+
  
User preference key
+
== See Also ==
<pre>
+
* [[Malware analysis]]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
+
</pre>
+
  
=== Security Zones ===
+
== External Links ==
0 - My Computer
+
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
 +
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
 +
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
  
1 - Local Intranet Zone
+
=== Analysis ===
 +
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
 +
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
 +
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
 +
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
  
2 - Trusted Sites Zone
+
=== Exploit Kit ===
 
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
3 - Internet Zone
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
 
+
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
4 - Restricted Sites Zone
+
 
+
5 - Custom
+
 
+
=== WPAD ===
+
<b>TODO add some text</b>
+
 
+
== Artifacts ==
+
=== Recovery store ===
+
<b>TODO add some text</b>
+
 
+
On Windows Vista and later:
+
<pre>
+
C:\Users\%USER%\AppData\Local\Microsoft\Internet Explorer\Recovery
+
</pre>
+
 
+
=== Typed URLs ===
+
Internet Explorer stores the cached History (or Address box) entries in the following Windows Registry key [http://support.microsoft.com/kb/157729].
+
<pre>
+
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
+
</pre>
+
 
+
== See Also ==
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
+
* [[Internet Explorer History File Format|Internet Explorer 4-9 Cache File Format]]
+
 
+
== External Links ==
+
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer+Cache Internet Explorer Cache]
+
* [http://support.microsoft.com/kb/182569 Internet Explorer security zones registry entries for advanced users], by [[Microsoft]]
+
* [http://technet.microsoft.com/en-us/library/cc302643.aspx Troubleshooting Automatic Detection], by [[Microsoft]]
+
* [http://www.microsoft.com/en-us/download/details.aspx?id=11575 Windows Virtual PC VHDs for testing websites with different Internet Explorer versions], by [[Microsoft]]
+
* [http://msdn.microsoft.com/en-us/library/ie/hh826025(v=vs.85).aspx IE Command-Line Options], by [[Microsoft]], January, 2011
+
* [http://windowssecrets.com/top-story/little-known-browser-commands-and-functions/ Little-known browser commands and functions], by Fred Langa, June 21, 2012
+
* [http://tojoswalls.blogspot.com/2013/05/java-web-vulnerability-mitigation-on.html Java Web Vulnerability Mitigation on Windows], by Tim Johnson, May 23, 2013
+
  
=== Recovery store ===
+
=== Rootkit ===
* [http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity], by [[Yogesh Khatri]], September 29, 2011
+
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
 +
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
  
=== Typed URLS ===
+
=== HackingTeam ===
* [http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ TypedURLs (Part 1)], by Paul Nichols, March 14, 2011
+
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
* [http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ TypedURLs (Part 2)], by Paul Nichols, March 23, 2011
+
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
* [http://randomthoughtsofforensics.blogspot.co.uk/2012/07/trouble-with-typedurlstime.html The Trouble with TypedUrlsTime], by Ken Johnson, July 4, 2012
+
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014  
* [http://sketchymoose.blogspot.ch/2014/02/typedurls-registry-key.html TypedURLs Registry Key], Sketchymoose's Blog, February 18, 2014
+
  
=== Internet Explorer 10 ===
 
* [http://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/ Windows 8 Forensics: Internet History Cache], by Ethan Fleisher, August 21, 2012
 
* [http://hh.diva-portal.org/smash/get/diva2:635743/FULLTEXT02.pdf Forensic Analysis of ESE databases in Internet Explorer 10], by Bonnie Malmström & Philip Teveldal, June 2013
 
  
[[Category:Applications]]
+
[[Category:Malware]]
[[Category:Web Browsers]]
+

Revision as of 03:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam