Binary Attacks
Sources for new items: https://malpedia.caad.fkie.fraunhofer.de/login; see also https://objective-see.org/.
Types
From ChatGPT
- File infectors: These viruses infect executable files and are spread when the infected file is executed. When an infected file is run, the virus code is activated and can spread to other files on the system. Examples include the Cascade virus and the Jerusalem virus.
- Boot sector viruses: These viruses infect the boot sector of a disk, usually a floppy disk, and are activated when the computer is booted from the infected disk. The virus then spreads to other disks that are accessed by the infected system. Examples include the Stoned virus and the Michelangelo virus.
- Macro viruses: These viruses infect documents that contain macro code, such as Microsoft Word or Excel documents. When the infected document is opened, the virus code is executed and can infect other documents on the system. Examples include the Melissa virus and the ILOVEYOU virus.
- Stealth viruses: These viruses are designed to hide their presence from antivirus software and other detection methods. They do this by intercepting system calls and modifying the results, or by hooking into the operating system and altering its behavior. Examples include the Whale virus and the Meve virus.
- Multipartite viruses: These viruses infect both files and boot sectors, making them harder to detect and remove. They typically spread through infected files and then infect the boot sector of the system, allowing them to survive a system reboot. Examples include the Flip virus and the Invader virus.
- Polymorphic viruses: These viruses use encryption or other techniques to change their code each time they infect a new system, making them difficult to detect and remove. Examples include the W95/CIH virus and the Satanbug virus.
- Worms: While not technically viruses, worms are self-replicating malware that spread through networks or the internet. They typically exploit vulnerabilities in software or operating systems to spread, and can cause significant damage to systems and networks. Examples include the Morris worm and the WannaCry worm.
PE
Import tables: how the loader resolves them and how to walk them by hand.
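The following is an added example, not code from the original page: it constructs a minimal PE32+ image (valid headers, a single `.idata` section, no code) with a constructed import list, then walks the import directory the way the loader does: e_lfanew, optional header, data directory entry 1, section table for RVA-to-file-offset translation, one IMAGE_IMPORT_DESCRIPTOR per DLL, and the ILT/IAT thunks that point at hint/name entries or carry an ordinal. Names such as `build_minimal_pe`, `parse_imports` and the `SAMPLE_IMPORTS` list are assumptions for this example.

```python
import struct

# Layout of the constructed sample (assumed values; the parser reads them back from the headers).
SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # .idata mapped at RVA 0x1000, stored at file offset 0x200
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
SAMPLE_IMPORTS = [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"]),   # constructed input:
                  ("USER32.dll", ["MessageBoxA", 2000])]                  # names or integer ordinals


def _align(n, a):
    return -(-n // a) * a


def build_minimal_pe(imports):
    """Emit a PE32+ image whose single section holds just an import directory.
    The headers are well-formed but there is no code, so it is parser food, not a program."""
    sec = bytearray(20 * (len(imports) + 1))          # IMAGE_IMPORT_DESCRIPTORs + all-zero terminator

    def add(blob, align=1):                           # append to the section, return its offset
        sec.extend(b"\x00" * (-len(sec) % align))
        sec.extend(blob)
        return len(sec) - len(blob)

    for i, (dll, funcs) in enumerate(imports):
        name_off = add(dll.encode() + b"\x00")
        thunks = []
        for f in funcs:
            if isinstance(f, int):                    # ordinal import: high bit set, ordinal in low 16 bits
                thunks.append((1 << 63) | f)
            else:                                     # by name: RVA of IMAGE_IMPORT_BY_NAME (WORD hint + ASCIIZ)
                thunks.append(SECTION_RVA + add(struct.pack("<H", 0) + f.encode() + b"\x00", 2))
        table = b"".join(struct.pack("<Q", t) for t in thunks + [0])
        ilt = add(table, 8)                           # Import Lookup Table: never modified
        iat = add(table, 8)                           # Import Address Table: loader overwrites with addresses
        struct.pack_into("<5I", sec, 20 * i, SECTION_RVA + ilt, 0, 0, SECTION_RVA + name_off, SECTION_RVA + iat)

    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)         # AMD64, one section, PE32+ opt hdr
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (SECTION_RVA, 20 * (len(imports) + 1))
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, len(sec), 0, 0, 0,
                      0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      _align(SECTION_RVA + len(sec), 0x1000), SECTION_RAW, 0, 3, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".idata\x00\x00", len(sec), SECTION_RVA, _align(len(sec), 0x200),
                       SECTION_RAW, 0, 0, 0, 0, 0xC0000040)                # INITIALIZED_DATA | READ | WRITE
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    return headers.ljust(SECTION_RAW, b"\x00") + bytes(sec).ljust(_align(len(sec), 0x200), b"\x00")


def _rva_to_offset(rva, sections):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_imports(data):
    """Walk the import directory and return {dll: [name or '#ordinal', ...]} (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                                 # PE32+: 8-byte thunks, dirs at +112
        dirs, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
    elif magic == 0x10B:                                               # PE32: 4-byte thunks, dirs at +96
        dirs, thunk_fmt, ord_flag = opt + 96, "<I", 1 << 31
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sections = []
    for i in range(nsections):             # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    if not import_rva:
        return {}
    result, desc = {}, _rva_to_offset(import_rva, sections)
    while True:
        ilt, _stamp, _fwd, name_rva, iat = struct.unpack_from("<5I", data, desc)
        if not (ilt or name_rva or iat):                               # all-zero descriptor ends the table
            break
        dll = _cstr(data, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(ilt or iat, sections)                   # no ILT? the unbound IAT holds the same entries
        entries = []
        while (t := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if t & ord_flag:
                entries.append(f"#{t & 0xFFFF}")
            else:                                                      # skip the 2-byte hint before the name
                entries.append(_cstr(data, _rva_to_offset(t, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        result[dll] = entries
        desc += 20
    return result
```

`parse_imports(open(path, "rb").read())` works on real unbound executables too (bound and delay-load imports are not handled). When triaging a sample, a tiny table that imports little more than `LoadLibraryA` and `GetProcAddress` is the classic sign that the real API set is resolved at runtime by a packer or a stub.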
Windows
Most information is taken from here, but more visualisation is added. The screenshots from IDA Pro are also copied from that blog post.
Classic
This one is the simplest to explain but not that simple to use in a real attack (see Caveats). The path of a malicious DLL is written into the address space of a legitimate running process, and that process is then made to call LoadLibrary on the path (classically from a remote thread), so the loader maps the DLL at runtime.

Below is the anatomy of this function call.
This section is a collection of jailbreak exploits that I have digested and described. There is a difference between the terms jailbreak and exploit. For example, checkm8 is not a jailbreak; it is an exploit that can be used to build a (semi-tethered) jailbreak. This exploit can only be run over USB (since it uses DFU mode, which can only be entered via USB). That suggests that the unc0ver jailbreak I have been using so far does not utilize this exploit.
In order to detect and respond to incidents quickly, there are playbooks, which are basically step-by-step guidelines. Some IR frameworks include these to ease the process.