berbagi-itu-indah-dan-menyenangkan

12 February 2013

How to get started with malware analysis

OK netizens, this time I will share my experience of analysing a piece of malware or a virus. There are a few things you must have prepared before you can analyse a malware sample. Here is what you need to prepare:

1. VMware.
VMware serves as our malware lab: this is where we will run the malware. With VMware we can analyse freely without having to fear that our own system will suffer the malware's effects.

2. Process activity tools
These tools are used to watch the malware's own processes. You can download them for free.

3. DOS
Yes, why DOS??? If you are familiar with a few DOS commands, they are extremely useful when analysing malware.

Attrib
####


C:\>attrib /?
Displays or changes file attributes.

ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [drive:][path][filename]
       [/S [/D]]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder
      and all subfolders.
  /D  Processes folders as well.

It is used to display all hidden files. Besides that, with the attrib command we can change a file's attributes.

Tasklist
######

C:\>tasklist /?

TASKLIST [/S system [/U username [/P [password]]]]
         [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

Description:
    This command line tool displays a list of application(s) and
    associated task(s)/process(es) currently running on either a local or
    remote system.

Parameter List:
   /S     system           Specifies the remote system to connect to.

   /U     [domain\]user    Specifies the user context under which
                           the command should execute.

   /P     [password]       Specifies the password for the given
                           user context. Prompts for input if omitted.

   /M     [module]         Lists all tasks that have DLL modules loaded
                           in them that match the given pattern name.
                           If the module name is not specified,
                           displays all modules loaded by each task.

   /SVC                    Displays services in each process.

   /V                      Specifies that the verbose information
                           is to be displayed.

   /FI    filter           Displays a set of tasks that match a
                           given criteria specified by the filter.

   /FO    format           Specifies the output format.
                           Valid values: "TABLE", "LIST", "CSV".

   /NH                     Specifies that the "Column Header" should
                           not be displayed in the output.
                           Valid only for "TABLE" and "CSV" formats.

   /?                      Displays this help/usage.

Filters:
    Filter Name     Valid Operators           Valid Value(s)
    -----------     ---------------           --------------
    STATUS          eq, ne                    RUNNING | NOT RESPONDING
    IMAGENAME       eq, ne                    Image name
    PID             eq, ne, gt, lt, ge, le    PID value
    SESSION         eq, ne, gt, lt, ge, le    Session number
    SESSIONNAME     eq, ne                    Session name
    CPUTIME         eq, ne, gt, lt, ge, le    CPU time in the format
                                              of hh:mm:ss.
                                              hh - hours,
                                              mm - minutes, ss - seconds
    MEMUSAGE        eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME        eq, ne                    User name in [domain\]user
                                              format
    SERVICES        eq, ne                    Service name
    WINDOWTITLE     eq, ne                    Window title
    MODULES         eq, ne                    DLL name

Examples:
    TASKLIST
    TASKLIST /M
    TASKLIST /V
    TASKLIST /SVC
    TASKLIST /M wbem*
    TASKLIST /S system /FO LIST
    TASKLIST /S system /U domain\username /FO CSV /NH
    TASKLIST /S system /U username /P password /FO TABLE /NH
    TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
Tasklist has the same function as Task Manager. With the tasklist service we can also end processes.

And there are many other DOS services we can use.
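As an added example (not code from the original post), the following Python script does with the two commands above what an analyst does by hand in the lab VM: it compares a `tasklist /FO CSV` snapshot of the clean machine against one taken after running the sample, and scans `attrib /S` output for files marked both System and Hidden, which Explorer hides by default. All command output in the script is constructed sample text, not real captures.

```python
import csv
import io

# Constructed sample output of `tasklist /FO CSV` captured in the lab VM
# before (BASELINE) and after (AFTER) running the sample; not real captures.
BASELINE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1480","Console","0","21,004 K"
"svchost.exe","912","Console","0","4,512 K"
'''
AFTER = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1480","Console","0","21,004 K"
"svchost.exe","912","Console","0","4,512 K"
"svchost.exe","2044","Console","0","3,120 K"
"update.exe","2100","Console","0","1,980 K"
'''
# Constructed sample output of `attrib /S` on the VM's system drive.
ATTRIB_OUT = r'''A            C:\Windows\notepad.exe
A  SH        C:\Windows\System32\update.exe
A   H        C:\Users\lab\NTUSER.DAT
   SHR       C:\autorun.inf
'''

def parse_tasklist_csv(text):
    """Map (image name, PID) -> row dict from `tasklist /FO CSV` output."""
    return {(r["Image Name"], r["PID"]): r for r in csv.DictReader(io.StringIO(text))}

def new_processes(baseline_csv, after_csv):
    """(image name, PID) pairs present after detonation but absent from the clean
    snapshot. Keying on PID too catches a second copy of an existing name."""
    before = parse_tasklist_csv(baseline_csv)
    after = parse_tasklist_csv(after_csv)
    return sorted(k for k in after if k not in before)

def hidden_system_files(attrib_text):
    """Paths that attrib reports with both S (system) and H (hidden) set; Explorer
    hides such files by default, which is why attrib is used to find them."""
    hits = []
    for line in attrib_text.splitlines():
        drive = line.find(":\\")             # the path starts one char before ':\'
        if drive < 1:
            continue
        flags, path = line[:drive - 1], line[drive - 1:].strip()
        if "S" in flags and "H" in flags:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print("new processes:", new_processes(BASELINE, AFTER))
    print("system+hidden files:", hidden_system_files(ATTRIB_OUT))
```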

4. Debugger tools (advanced only)

These tools are intended for viewing the malware's code and all of its activity. There are many tools you can use: IDA Pro, OllyDbg, .... etc.

5. An understanding of the registry tools, the System Configuration Utility and Group Policy.

These three services play a very important role in malware analysis.

OK, that is all for now .... sorry; if there is anything you want to ask, please discuss it with me directly.

How to know genuine or fake photos / edits using the system properties windows xp / windows 7

Today many fake photos circulate on the internet. What is the easiest way to detect whether a photo is genuine, has been edited, or may be fake? Before going on with this post I should agree with you, my visitors, on the terms for images that I will use here. There are three categories of pictures used in this discussion:
1. The original photo: a photo exactly as shot by a pocket camera, digital camera or camera phone. (This kind of picture can be detected directly using the file properties of Windows XP / Windows 7.)
2. The original photo but already edited (an edited photo): the object in the image is genuine, but some parts may have been cropped or cut, so its size differs from the original image.
3. A fake photo: a modification or manipulation of the original image using image-processing software such as Adobe Photoshop, Paint Shop, Corel or other image-processing software.
In general, using the file properties of Windows 7/XP we can only distinguish two categories: the original image (because its metadata is still complete) and the edited photo (because its metadata is no longer complete). An edited photo is our cue to determine whether the photo is genuine or fake. To determine whether a photo is an original that has been edited or a 100% fake still requires some visual analysis and digital analysis using advanced image-processing software.
In this post I only describe how to check whether a photo circulating on the internet is purely 100% original, or whether the original image may have been edited or is likely fake; please see the following figures.
1. If you are presented with nudity photos, my friends, get used to checking the validity of the image rather than believing it immediately:
For Windows XP users
2. Open Windows Explorer and find the image file whose authenticity you want to check.
3. In the Properties dialog box select the Summary tab, then click the Advanced button.
4. The result will appear as below. Because the image is genuine, it lists the attributes Width, Height, Equipment make, Camera model: Nokia N70-1, complete with Color representation, Shutter speed, Lens aperture, Flash mode, date taken and various other attribute data. It is certain that the image of the three modem cards above was photographed with the camera of a Nokia N70, as listed (the date may be wrong because my phone was reset to the default date when the battery ran out, before I took the picture).
5. For Windows 7 users the steps are the same as above:
a. Open Windows Explorer, then right-click one of the images whose authenticity you want to check. In the file Properties dialog box select the Details tab; the result is as shown below:
Note: This photo was taken with a Samsung Digimax A503 digital camera. The image is guaranteed 100% authentic. Shooting date 9/10/2008.

6. If the photo has been edited or modified, then in the file properties it will look like this:
The properties of an image that has been edited/modified contain only Width, Height, Horizontal resolution, Vertical resolution and Frame count. An image with properties like the one above is 50% suspected original, 50% fake. To establish that it is 100% fake requires visual analysis or advanced digital analysis.
By using the Windows 7/XP file properties we can at least tell early on whether a photo in circulation is 100% authentic or has been edited, without needing confusing image-authenticity detection software.
One of the main free programs whose function is similar to the Windows file properties is JPEGsnoop; the download link is: http://www.impulseadventure.com/photo/jpeg-snoop.html
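As an added example, not part of the original post, this Python script does programmatically what the Properties dialog shows: it walks the JPEG segments, finds the EXIF APP1 block and reads the camera Make and Model from IFD0, returning None when no EXIF camera data is present (the "edited" case described above). The sample JPEG is constructed by the script itself as a minimal, non-decodable stand-in, not a real photo.

```python
import struct
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110   # IFD0 tags a camera writes; editors often drop them

def read_exif_make_model(jpeg):
    """Return (make, model) from the EXIF APP1 segment, or None when the file
    carries no EXIF camera data (what the post calls an edited/modified photo)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xDA:               # start of scan: no more metadata segments
            break
        data = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and data.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(data[6:])
        pos += 2 + seglen
    return None

def _parse_ifd0(tiff):
    """Walk IFD0 of the embedded TIFF structure and pick out Make and Model."""
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, val = struct.unpack(endian + "HHI4s", entry)
        if tag in (TAG_MAKE, TAG_MODEL) and typ == 2:          # type 2 = ASCII
            off = struct.unpack(endian + "I", val)[0]
            raw = val[:n] if n <= 4 else tiff[off:off + n]     # short values sit inline
            found[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return (found.get(TAG_MAKE), found.get(TAG_MODEL))

def build_sample_jpeg(make=None, model=None):
    """Constructed minimal JPEG (SOI, optional EXIF APP1 with Make/Model, SOS); not a decodable image."""
    out = b"\xff\xd8"
    if make is not None:
        entries, blob = [], b""
        data_off = 8 + 2 + 12 * 2 + 4    # TIFF header + count + 2 entries + next-IFD link
        for tag, text in ((TAG_MAKE, make), (TAG_MODEL, model)):
            s = text.encode() + b"\x00"
            entries.append(struct.pack("<HHII", tag, 2, len(s), data_off + len(blob)))
            blob += s
        tiff = b"II*\x00" + struct.pack("<IH", 8, 2) + b"".join(entries) + b"\x00" * 4 + blob
        app1 = b"Exif\x00\x00" + tiff
        out += b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return out + b"\xff\xda\x00\x0c" + b"\x00" * 10
```

Run `read_exif_make_model(open("photo.jpg", "rb").read())` on a real file to get the same Make/Model pair the Details tab shows, or None for a stripped file.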

Ref :  http://artikelkomputerku.blogspot.com