- File infectors: These viruses infect executable files and are spread when the infected file is executed. When an infected file is run, the virus code is activated and can spread to other files on the system. Examples include the Cascade virus and the Jerusalem virus.
- Boot sector viruses: These viruses infect the boot sector of a disk, usually a floppy disk, and are activated when the computer is booted from the infected disk. The virus then spreads to other disks that are accessed by the infected system. Examples include the Stoned virus and the Michelangelo virus.
- Macro viruses: These viruses infect documents that contain macro code, such as Microsoft Word or Excel documents. When the infected document is opened, the virus code is executed and can infect other documents on the system. Examples include the Melissa virus and the ILOVEYOU virus.
- Stealth viruses: These viruses are designed to hide their presence from antivirus software and other detection methods. They do this by intercepting system calls and modifying the results, or by hooking into the operating system and altering its behavior. Examples include the Whale virus and the Meve virus.
- Multipartite viruses: These viruses infect both files and boot sectors, making them harder to detect and remove. They typically spread through infected files and then infect the boot sector of the system, allowing them to survive a system reboot. Examples include the Flip virus and the Invader virus.
- Polymorphic viruses: These viruses use encryption or other techniques to change their code each time they infect a new system, making them difficult to detect and remove. Examples include the W95/CIH virus and the Satanbug virus.
- Worms: While not technically viruses, worms are self-replicating malware that spread through networks or the internet. They typically exploit vulnerabilities in software or operating systems to spread, and can cause significant damage to systems and networks. Examples include the Morris worm and the WannaCry worm.
Import tables and how this works, how to do it.
Are there packers for macOS? Is there a process for restoring the import table there?
- https://2018.offzone.moscow/report/secrets-windows-dpapi/
- https://2018.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/
- youtube.com/watch?v=NqCqfBCV_18
- https://www.apriorit.com/dev-blog/727-win-guide-to-hooking-windows-apis-with-python
Malware Unicorn - https://malwareunicorn.org/#/. Labs to check out. The Art of Mac Malware - read and try samples on the OneEye or something. Incident response stuff - https://www.youtube.com/c/TaggartTech
Check out Blue Jupyter tool. Could be very useful for IR as well.
- theZoo: https://github.com/ytisf/theZoo
- VXUnderground GitHub repo: https://github.com/vxunderground/MalwareSourceCode
- Zeltser Resources: https://zeltser.com/malware-sample-sources/
Go Merlin - https://github.com/Ne0nd0g/merlin
- https://glances.readthedocs.io/en/latest/
- https://www.hybrid-analysis.com/sample/9fe55c51af6230c8640e140104645b32ba83ac868bf0f1571733f14761701247
- https://www.f-secure.com/v-descs/trojan-spy_w32_finspy_a.shtml
- https://malshare.com/
Malicious websites: https://zeltser.com/lookup-malicious-websites/
My own is maintained in Notion for now. Planning to turn this into a SQL DB + CLI.
macOS - In a report on a recent Lazarus APT Group macOS implant, I noted that the group’s capabilities continue to evolve, as evidenced in “a new sample with the ability to remotely download and execute payloads directly from memory,” thus thwarting various file-based security tools. In “FinFisher Filleted,” yet another write-up on a piece of sophisticated macOS malware, I discussed the use of a kernel-level rootkit component. I noted that the rootkit “contains the logic to remove the target process of interest, by unlinking it from the (process) list. Once removed, the process is now hidden.” (Patrick Wardle, “FinFisher Filleted: a triage of the FinSpy (macOS) malware,” Objective-See, September 26, 2020, https://objective-see.com/blog/blog_0x4F.html and Patrick Wardle, “Lazarus Group Goes ‘Fileless’,” Objective-See, December 3, 2019, https://objective-see.com/blog/blog_0x51.html.) In a detailed report, “All Your Macs Are Belong To Us,” on a vulnerability now patched as CVE-2021-30657, I wrote about how malware was exploiting this flaw to run unsigned and unnotarized code, “bypassing all File Quarantine, Gatekeeper, and Notarization requirements.”
Mami, Dacls, FinSpy, IPStorm, and GravityRAT, like Kitm, NetWire, and WindTail.
Persists both as a login item and a launch agent (see the persistence artefacts for more information).
Launch item. Has a run.sh in the
Prefers being run as a Launch Daemon. But if it finds itself only running with user privileges, it instead creates a user launch agent.
Persists a python script as a cron job. https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab
Wardle, Patrick. The Art of Mac Malware (p. 31). No Starch Press. Kindle Edition.
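Added example, not from the book or from any of the samples named above: a small Python triage helper for the persistence artefacts the notes mention (launch agents/daemons and cron jobs). It parses a constructed LaunchAgent plist and a constructed crontab and flags the traits a responder would look at first: RunAtLoad/KeepAlive, programs living in hidden or cache directories, and cron entries that launch a script interpreter. The label, paths and heuristics are assumptions for illustration.

```python
import plistlib
import re
from typing import Dict, List

# Constructed LaunchAgent plist (illustrative only, not a real sample).
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>/Users/alice/Library/.hidden/run.sh</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed crontab (illustrative only).
SAMPLE_CRONTAB = """# m h dom mon dow command
*/5 * * * * /usr/bin/python3 /Users/alice/Library/Caches/.update.py
0 3 * * * /usr/bin/periodic daily
"""

# Heuristic: dot-prefixed path components, /tmp, or per-user Caches are unusual homes for a persistent program.
SUSPICIOUS_PATH = re.compile(r"(/\.|/tmp/|/Users/[^/]+/Library/Caches/)")

def triage_launch_item(plist_bytes: bytes) -> Dict:
    """Summarise one LaunchAgent/LaunchDaemon plist: label, program, and notable flags."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    flags = []
    if p.get("RunAtLoad"):
        flags.append("RunAtLoad")          # starts at login/boot without user action
    if p.get("KeepAlive"):
        flags.append("KeepAlive")          # launchd restarts it if it exits
    if any(SUSPICIOUS_PATH.search(a) for a in args):
        flags.append("hidden-or-temp-path")
    return {"label": p.get("Label"), "program": args, "flags": flags}

def triage_crontab(text: str) -> List[Dict]:
    """Parse crontab lines into schedule/command pairs and flag interpreter-launched scripts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)        # five schedule fields, then the command
        if len(parts) < 6:
            continue
        schedule, cmd = " ".join(parts[:5]), parts[5]
        flags = []
        if SUSPICIOUS_PATH.search(cmd):
            flags.append("hidden-or-temp-path")
        if re.search(r"\bpython[23]?\b", cmd):
            flags.append("script-interpreter")
        entries.append({"schedule": schedule, "command": cmd, "flags": flags})
    return entries
```

On a live system the same functions can be pointed at the contents of ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and `crontab -l` output.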