Difference between pages "Mobile malware" and "Windows XML Event Log (EVTX)"

From ForensicsWiki

Page 1: Mobile malware

Mobile malware is software created to infect or gain access to mobile devices such as [[cell phones]], [[tablets]], and [[PDAs]].

== History ==

Mobile malware was initially considered to be a hoax until it became obvious that malicious software existed and functioned on mobile devices. The earliest recorded mobile malware was called Cabir. It was released in 2004 and was designed to infect [[Symbian]] OS platforms via a Bluetooth connection. It was essentially harmless, but nonetheless proved to the public that worms could be found on mobile devices.

== Recent Trends ==

Since mobile devices usually contain private and valuable information, mobile malware has recently begun moving toward having a specific purpose (usually exploiting information) as opposed to viruses created solely for bragging rights.

== Attack Types ==

=== Bluetooth ===

Attacks via [[Bluetooth]] have the ability to infect any phone with Bluetooth capabilities and can even exploit feature phones. These proximity-based attacks use the local Bluetooth network, usually in a crowded area, to send unwarranted requests to phones. Since Bluetooth can be used to transmit files, malicious executables can be sent across the network to everybody that accepts the request and installs the software. Some of these attacks, such as Cabir, are worms which send out the request from an infected phone without the user knowing, thus quickly spreading it from phone to phone. Protection from these attacks is simple - cell phone users should not leave Bluetooth on, and if it is left on, users should not accept requests from unknown connections.

=== Application Marketplace ===

Malicious software can be installed via application marketplaces. For example, according to webroot.com, applications disguised as Angry Birds level unlockers were available in the Android Market. Once installed, the creator had access to precious information such as browsing history, bookmarks, etc. The application also contacted a remote server that gave the phone instructions for downloading additional malware.

To protect against this kind of attack, users can judge the legitimacy of the application with a few simple guidelines. Applications that require a lot of permissions for no apparent reason should be avoided. Also, the credibility of a publisher can easily be researched if the user is unsure.

=== WiFi ===

Information can be stolen from devices when they are connected to public [[WiFi]] hotspots. Users should not do banking, shopping, or other tasks that expose personal information while connected to unsecured networks. This is not an issue unique to mobile devices, but because of the nature of mobile devices, they are more likely to be used in public places on these networks.

=== SMS ===

[[SMS]] attacks are generally similar to each other. Malicious software is installed on the phone by some means and continually sends unnoticed text messages from the user's phone to premium numbers, which creates charges on the user's account. According to Kaspersky Labs, the SMS-Trojan was first discovered for the Android operating system in early 2011. The news report says, "The Trojan-SMS category is currently the most widespread class of malware for mobile phones, but Trojan-SMS.AndroidOS.FakePlayer.a is the first to specifically target the Android platform." To protect against these attacks, users should be cautious of what applications are installed on their devices and who the creators of the applications are.

SMS attacks can also simply be spam messages with links to malicious sites. The problem with this type of attack is that it must target specific phones in order to execute scripts that are compatible.

=== QR Codes ===

Because [[QR Codes]] are completely obfuscated by nature, they provide the means of taking curious smartphone users to malicious web sites. If there is a QR code standing by itself, some people will get curious and scan it. Another means of getting people to scan the code is to place a malicious stamp over an existing one so that it is disguised as a valid QR code. A third way of presenting malicious codes to the public would be digitally through email.

QR Code attacks work by taking the person that scans it to a website that performs malicious activities. For example, according to darkreading.com, a QR code that is distributed to target iOS devices might navigate the web browser to a site that will jailbreak the phone and then install malware on it once the built-in security can be altered.

To protect against these attacks, smartphone users should only scan QR codes with software that allows them to confirm the action the code elicits.

== External Links and Resources ==

* [http://safeandsavvy.f-secure.com/2011/06/14/a-quick-guide-to-mobile-malware-part-1-2/ A Quick Guide To Mobile Malware]
* [http://www.cs.berkeley.edu/~afelt/mobilemalware.pdf A Survey of Mobile Malware in the Wild]
* [http://www.readwriteweb.com/archives/6_mobile_malware_predictions_for_2012.php 6 Mobile Malware Trends for 2012]
* [http://en.wikipedia.org/wiki/Mobile_virus Wikipedia entry regarding mobile malware]
* [http://www.darkreading.com/mobile-security/167901113/security/news/232301147/qr-code-malware-picks-up-steam.html QR Code Malware Picks Up Steam]
* [http://www.kaspersky.com/about/news/virus/2010/First_SMS_Trojan_detected_for_smartphones_running_Android First SMS Trojan Detected for Smartphones Running Android]
* [http://blog.webroot.com/2011/06/10/android-plankton-angry-birds-cheating-malware-contains-bot-like-code/ Android Malware Contains Bot Like Code]

== Mailinglists ==

* [http://groups.google.com/group/mobilemalware mobile.malware Google Group]

Page 2: Windows XML Event Log (EVTX)

{{expand}}

The Windows XML Event Log (EVTX) format was introduced in [[Windows|Windows Vista]] as a replacement for the [[Windows Event Log (EVT)]] format.

Windows EventViewer can represent the EVTX files in both "formatted view" and "XML view". Note that the formatted view can hide significant event data that is stored in the event and can be seen in the XML view.

== See Also ==

* [[Windows Event Log (EVT)]]
* [[Windows]]

== External Links ==

=== File Format ===

* [http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx EventLog Remoting Protocol Version 6.0 Specification]
* [http://msdn.microsoft.com/en-us/library/cc231354.aspx Simple BinXml Example]
* [http://computer.forensikblog.de/mt/mt-search.cgi?IncludeBlogs=3&tag=Evtx&limit=20 int for(ensic){blog;} - results tagged Evtx], by [[Andreas Schuster]]
* [http://www.dfrws.org/2007/proceedings/p65-schuster_pres.pdf Introducing the Microsoft Vista Event Log File Format], by [[Andreas Schuster]] in 2007
* [http://computer.forensikblog.de/en/2010/10/linking-event-messages-and-resource-dlls.html Linking Event Messages and Resource DLLs], by [[Andreas Schuster]] in 2010
* [http://code.google.com/p/libevtx/downloads/detail?name=Windows%20XML%20Event%20Log%20%28EVTX%29.pdf Windows XML Event Log (EVTX) format], by the [[libevtx|libevtx project]]

=== Event Identifiers ===

* [http://eventid.net/ EventID.net]

=== Windows Vista/2008 ===

* [http://support.microsoft.com/kb/947226 Description of security events in Windows Vista and in Windows Server 2008]

=== Windows 7 ===

* [http://msdn.microsoft.com/en-us/magazine/ee412263.aspx Core OS Events in Windows 7, Part 1]
* [http://msdn.microsoft.com/en-us/magazine/ee358703.aspx Core Instrumentation Events in Windows 7, Part 2]

== Tools ==

* [http://computer.forensikblog.de/files/evtx/Parse-Evtx-current.zip Evtx Parser]
* [[libevtx]]
* [[log2timeline]]
* [http://technet.microsoft.com/en-us/library/cc749339.aspx wevtutil]
* [http://www.microsoft.com/en-us/download/details.aspx?id=24659 LogParser]

[[Category:File Formats]]
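The point made on the EVTX page above, that Event Viewer's formatted view can hide data that the XML view shows, as an added example that is not part of either wiki page: a small Python parser for a single event record in the shape Event Viewer shows in XML view (namespace http://schemas.microsoft.com/win/2004/08/events/event) that pulls out the System and EventData fields and reports which stored values never appear in the rendered message. The record, its provider name, its field values and the rendered message text are all constructed for this example, and the function names are mine; the rendered text is a deliberately abbreviated stand-in, not any real message template.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML, as shown in Event Viewer's "XML view".
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample record (provider, host, accounts and addresses are made up).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Provider"/>
    <EventID>1000</EventID>
    <Level>0</Level>
    <TimeCreated SystemTime="2013-02-09T02:13:00.000000000Z"/>
    <EventRecordID>4242</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="WorkstationName">WS01</Data>
  </EventData>
</Event>"""

# Constructed stand-in for the "formatted view" of the same record: a message
# template rendered with only two of the six stored fields.
SAMPLE_FORMATTED_VIEW = "Logon succeeded for account svc-backup (logon type 3)."


def parse_event(xml_text):
    """Return (system_fields, event_data) for one Event XML record.

    system_fields maps each <System> child (and 'Element.attribute') to its value;
    event_data maps each <Data Name="..."> to its text, in document order.
    """
    root = ET.fromstring(xml_text)
    system = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]  # strip the namespace prefix
        if child.text and child.text.strip():
            system[tag] = child.text.strip()
        for attr, value in child.attrib.items():
            system[f"{tag}.{attr}"] = value
    event_data = {}
    data_parent = root.find("e:EventData", NS)
    if data_parent is not None:
        for i, data in enumerate(data_parent.findall("e:Data", NS)):
            # Unnamed <Data> elements occur in some events; give them a positional key.
            name = data.get("Name", f"Data{i}")
            event_data[name] = (data.text or "").strip()
    return system, event_data


def fields_missing_from_formatted_view(xml_text, formatted_text):
    """Return the EventData fields whose value never appears in the rendered text.

    Substring matching is a heuristic (a short value such as "3" can match by
    accident), but it is enough to flag fields an analyst would otherwise miss.
    """
    _, event_data = parse_event(xml_text)
    return {name: value for name, value in event_data.items()
            if value and value not in formatted_text}


if __name__ == "__main__":
    system, data = parse_event(SAMPLE_EVENT_XML)
    print("System:", system)
    print("EventData:", data)
    print("Hidden by formatted view:",
          fields_missing_from_formatted_view(SAMPLE_EVENT_XML, SAMPLE_FORMATTED_VIEW))
```

Running this on the constructed record reports four EventData fields (the subject account, source address, logon process and workstation) that are stored in the event but absent from the rendered message, which is exactly why an examiner should read the XML view, or export with a tool that emits the raw fields, rather than rely on the formatted text.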
Revision as of 02:13, 9 February 2013