Difference between pages "SIMCon" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(HackingTeam)
 
Line 1: Line 1:
{{Wikify}}
+
'''Malware''' is a short version of '''Malicious Software'''.
  
==SIMCon==
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
[http://www.simcon.no SIMCon] is a program that securely images all files on a [[GSM]] [[SIM Card]] with a standard smart card reader. After imaging, the forensic investigator can then analyze the contents of the card. Specific information regarding stored numbers, call history, and text messages are available.  
+
== Virus ==
 +
A computer program that can automatically copy itself and infect a computer.
  
[http://www.simcon.no SIMCon]'s features:
+
== Worm ==
 +
A self-replicating computer program that can automatically infect computers on a network.
  
* Acquire all available files on a [[SIM Card]] and store in an archive file
+
== Trojan horse ==
* Analyze and interpret content of files
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
* Recover deleted text messages stored on the card
+
* Manage PIN and PUK codes
+
* Compatible with [[SIM Cards]] and [[USIM Cards]]
+
* Print reports of evidence
+
* Secure file archive using hashing
+
* Export items to popular spreadsheet programs
+
* Supports international charsets
+
  
 +
== Spyware ==
 +
A computer program that can automatically intercept or take partial control over the user's interaction.
  
All [[GSM]] cell phones today have a subscriber identity module (SIM) to identify the phone onto the network. [http://www.simcon.no SIMCon] is an application to acquire all of the information from the [[SIM Card]].
+
== Exploit Kit ==
 +
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
  
The [[SIM Card]] provides secure storing of the key identifying a mobile phone service subscriber, subscription information, preferences and text messages. Network state information, such as the current location area identity (LAI), is also stored on the card. When a handset is turned off and then back on, it will search for the LAI that it was in, rather than having to search all frequencies that the phone operates in.  This saves time when trying to log on to the network. (Subscriber, 2006, para. 1)
+
=== Drive-by-download ===
 +
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
  
By using [http://www.simcon.no SIMCon] and a smart card reader, all of the above information and more can be pulled off of the card without knowing the PIN or the PUK of the card.  The PIN and the PUK are ways to keep the information on the card secure.  They also can be used as a security feature on the phone, not allowing anyone to use a phone to access the [[SIM Card]] without knowing the codes.
+
== Rootkit ==
 +
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
  
[http://www.simcon.no SIMCon] is an application developed by Inside Out Forensics in Norway.  It is designed for use by the law enforcement community, and it can be obtained free of charge by emailing [http://www.simcon.no SIMCon] and identifying the officers and unit.  However, for anyone outside the law enforcement community, it is not free. 
+
== See Also ==
 +
* [[Malware analysis]]
  
===Review===
+
== External Links ==
[http://www.simcon.no SIMCon] makes the acquisition of data very easy, simply inserting the SIM Card to the appropriate Sim card reader, and clicking acquire is all that is needed to start analyzing evidence. After the acquisition of the data is complete SimCon will show the user a screen with two halves.
+
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
 +
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
 +
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
  
On the left panel is the different data sectors of the [[SIM Card]] that can either be checked on or off depending on what is needed. After choosing what data sectors are needed, the right panel will be populated with the selected data. Some of the most useful pieces of information that are shown are: the International Mobile Subscriber Identity number, every contacts name and number, and all SMS messages sent and received both stored and deleted.
+
=== Analysis ===
 +
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
 +
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
 +
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
 +
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
  
[http://www.simcon.no SIMCon] also comes with two more handy features that are key to an investigation and in a court of law.  The first is [http://www.simcon.no SIMCon]s' feature that allows the printing of a report.  [http://www.simcon.no SIMCon] will format and populate a report with the contents of the users’ choosing.  This can list all the key pieces to an investigation and is an excellent piece of evidence to be used in a court of law.  The second feature is the exportation of the acquired data.  [http://www.simcon.no SIMCon] allows the exportation of all SMS messages and also of all contacts.  When these exported files are opened in a program such as Microsoft Excel the data can be read, sorted, and analyzed in a format of the users design. 
+
=== Exploit Kit ===
 +
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
 +
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
 +
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
  
When SMS messages are exported [http://www.simcon.no SIMCon] automatically adds the following information about every message: file, item, status, service center, message type, number, time stamp, and text.  When the contacts are exported [http://www.simcon.no SIMCon] automatically adds the following information about every contact: file, item, identifier, and number.  For reference a report of an acquired [[SIM card]] is enclosed as well as a document that tells what information is added into an exported file at the end of this document.
+
=== Rootkit ===
 +
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
 +
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
  
 +
=== HackingTeam ===
 +
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
 +
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
 +
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014
  
===Links===
 
* [http://www.simcon.no SIMCon]
 
  
* [http://en.wikipedia.org/wiki/Subscriber_Identity_Module Subscriber Identity Module]
+
[[Category:Malware]]
 
+
* [http://www.simcon.no/ InsideOut Forensics]
+

Revision as of 03:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam