WetStone Technologies maintains a malware repository for each of the following program categories:
Anti-forensic software is used by suspects to thwart digital forensic investigations. Common capabilities of software in this category include: drive wiping, cache and history erasers, file property and time alterations, VPNs, and e-mail and chat log erasers. Modern versions of these applications can run on a schedule allowing automatic, unattended operation. In addition, execution can be triggered by an event such as system shutdown or start-up.
Botnets are software programs that are designed to execute autonomously as “software robots.” They can be used to remotely control computing resources where the botnet has been installed or infected. Botnets can be orchestrated to launch distributed denial of service attacks, wreak havoc within networks, or simply combine the resources of thousands of computers for a nefarious goal. Investigators that discover botnets during an investigation should determine when the botnet was installed, when it was last accessed, and look for evidence of infection on other networked computers. One important determination is whether the infected computer is the victim or the suspect that is orchestrating the botnet.
Cryptomining programs are applications that are used for mining cryptocurrency. Crytpomining programs are installed by the user with the express understanding that the purpose of the program is to use the resources of the machine to mine for cryptocurrency. The identification of cryptomining programs in a forensic investigation could be important if, for example, an employee was using corporate resources for personal financial gain.
- Denial of service
Denial of Service Denial of Service (DoS) and Distributed Denial of Service (DDoS) software are used to overwhelm and disrupt computer and network operations. These cyber-weapons are typically used by hackers to crash websites and internet-based operations. They can also be used to create large volumes of traffic in order to overwhelm network intrusion detection systems.
Encryption software certainly has legitimate and important purposes in protecting personal and proprietary data. Uncovering its use as part of an investigation can provide important information to the investigator regarding both the sophistication of the suspect, as well as the measures put in place to protect potentially incriminating data. In addition, knowing exactly what type of encryption is being employed by a suspect is necessary to potentially recover (through cracking or other means) the encrypted data.
- Exploit Kit
Exploit kits are programs that are designed in order to exploit a known vulnerability in a piece of software or online resource. These tools are often distributed as a package, which will enable attackers with limited sophistication, such as script kiddies, to launch a sophisticated attack.
- Exploit scanner
Exploit scanners are applications which allow users to identify potential security vulnerabilities in a target system. These applications actively seek out, report upon, and even instruct the user as to how to exploit discovered vulnerabilities. Once vulnerabilities have been discovered, the target machine is open to attack from a wide range of malicious software.
- Fraud tools
Fraud tools are used to generate fake credit card, ATM, and calling card numbers. Another use of these applications is to validate stolen or forged credit card numbers; many of these programs provide mathematical validation of card numbers. When the investigation involves financial crimes, the discovery of such card fraud applications may provide critical information to the investigator as to the modus-operandi of the suspect.
Keyloggers are applications designed to covertly monitor key strokes on an unsuspecting machine. They have the ability to be installed locally or remotely. Both facets pose a risk,since once a machine has been compromised, all key strokes can be monitored. Most keyloggers leave some type of remnant on the file system being monitored; however, there are a few that run in memory and do not write to the file system. Keyloggers are generally installed nefariously; however, some organizations install the application to monitor employee activities.
OSINT tools are used to gather intelligence on users or organizations for the purposes of social engineering or reconnaissance. These tools may be used to gather information in order to launch a more targeted, sophisticated attack, such as spear-phishing, on the target.
- Password cracking
Password cracking tools are designed to break password-protected files and accounts. There are legitimate reasons to have such a tool, particularly a commercial version, from a system administration perspective; however, most of the freeware tools in this category are not designed for system administration. Passwords are a secure way to protect private information. These tools allow for a way to obtain this private information. This may be a user login to a secure server that runs a company’s entire trading website, or simply an accountant’s personal login to her laptop. Password cracking tools not only try to crack user account passwords, but they also crack specific application-based files. This will allow people without the proper permission to see proprietary or incriminating data.
Peer-to-Peer (P2P) applications are designed to allow for the sharing of files over the Internet. This is a concern because people can anonymously share worms, trojans, and malicious software. They can also be used to covertly smuggle proprietary data outside a network. People associated with child pornography can use this type of tool to share pictures and website locations with others interested in this crime. Sometimes these applications are associated with network vulnerabilities and copyright infringement.
Piracy applications allow users to bypass copyright protection in various forms of media. The user then has the ability to make an illegal copy of the media and save it to a storage medium. Piracy programs are designed to work with a variety of types of media, including video, audio, and software.
Ransomware programs are malicious software applications designed to encrypt a user’s files for the purpose of the user paying a ransom to have their files decrypted. Often, the malicious program’s author does not actually decrypt the user’s files, even if they pay the ransom. Ransomware programs have become increasingly popular in recent years. A ransomware outbreak can render an organization’s computer systems useless if the machines are encrypted.
- Remote access
Remote access programs are designed to give users complete control over a particular system from a remote location. This includes everything from viewing files to executing applications remotely. This type of program is especially dangerous as the intruder needs no physical access to the target machine to control it. Thus, any type of data available on the target computer can compromised.
Rootkits are malicious applications designed primarily to help potential attackers gain root access to a particular computer system. This is accomplished through the masking of various malicious actions occurring on a target machine. These masked actions include things such as running processes, files, and open ports. The two primary modes of operation for rootkits are either direct kernel object manipulation or API hooking.
Scareware encompasses several classes of software, often with no benefit, that are sold to consumers by certain unethical marketing practices. The selling approach is designed to cause shock, anxiety, or perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware use scareware tactics. A frequently-used tactic is to convince users that their computer is infected with malware and then suggest that they download, and pay for, anti-virus software to remove it. Usually the malware “threat” is entirely fictional and the downloaded software is non-functional or malware.
Packet sniffing programs are used to capture and analyze network traffic. Most corporations have policies restricting the use of these applications to authorized personnel. Many protocols, including FTP and chat, are not encrypted. In addition to obtaining cleartext information, collected packets can be used to crack network passwords and find protected files, servers, and user accounts. Investigators need to look for the targets of the attacks and determine what other actions the suspect has performed. It is likely that password cracking tools and binary editors will also be found in addition to packet sniffers.
Spyware applications are expanding in use today from the traditional spousal spying to industrial espionage, unauthorized monitoring, and collection of proprietary data. Discovering the presence of these apps during an investigation can be vital and may reveal information about co-conspirators, along with the sources of data leaks.
Toolkits enable unsophisticated users to construct new malware applications which may not be detectable by standard signature-based virus scanning engines or hash-based malware scanners. Several generations of tools could be created by changing a couple lines of code. Toolkits provide a wealth of low-level utilities to allow systematic hacking of a computer or network. Users of these tools are often just “playing” with the available functions to see if they can write a virus. However, a more experienced or skilled user could use toolkit features to assist with the deployment and distribution of more malicious applications. Investigators need to assess the sophistication of the suspect to determine their capabilities, and then look for the application created with the toolkit. Hashes of the application installers and executable files should be obtained and made publicly available to other investigators in situations where the malware may have been released.
Trojans are planted on a system to cause damage or open backdoors. A backdoor describes code that is used to give its creator covert and unauthorized access to computers on which the code is running. Usually, a trojan gets installed based on the actions of a user—e.g., clicking on an email attachment. When investigating an identified trojan, the method of infection must be determined as well as the actions and possible backdoors enabled by the program. Suspects have been known to use the “Trojan Defense” to argue that a Trojan somehow was installed and opened a backdoor to allow other activities, such as downloading child pornography, to occur.
- Web threats
Web threat applications consist of malicious server-side or other web-related scripts (PHP, ASP, JSP, etc.). Web threat scripts are uploaded to a web server in order to be used as a backdoor. This category also includes malicious payload exploits used against the browser.
- Wireless tools
Wireless surveillance applications are used to monitor, map and potentially exploit wireless networks and their vulnerabilities. Corporate IT personnel may use some of these tools to verify wireless coverage areas or look for rogue access points. After collecting wireless information, cracking tools can be used to gain access to protected networks. During an investigation, the purpose the suspect had for using the wireless tools needs to be identified. Scans for additional malware categories will provide direction toward the intent of the suspect after obtaining network access.
The datasets in this repository are utilized by tools in the WetStone Gargoyle Investigator
family to detect and identify known malware and potentially unwanted applications. Additionally, a Steganography
dataset is provided to WetStone StegoHunt
users to detect and identify known Steganography programs.
The Gargoyle datasets contain signatures for malware as well as for tools that cybercriminals frequently use to perform network reconnaissance, exploit vulnerabilities, track users, and compromise systems. Some of these tools may also have legitimate purposes when used lawfully and in compliance with company policy by authorized individuals, and, thus, are considered potentially unwanted applications or dual-use programs. By using Gargoyle to scan for malicious applications, a digital investigator can glean significant insight into the activities, motives and intent of a suspect.
There are two types of Malware Datasets available from WetStone - Factory and Supplementals
When WetStone has obtained a sample of an application or tool, and after WetStone’s malware research team has determined that it is a legitimate candidate for one of our malware categories, signatures will be added to the Factory Datasets. Our analysts investigate thousands of samples every day. To ensure we are providing accurate Indicators of Compromise (IOCs) and to reduce false positives, WetStone’s malware analysts leverage in-house sandbox technology and filter against extensive whitelists.
Due to the sheer number of new malware programs that are identified every day, WetStone provides an additional type of Gargoyle dataset. This Supplemental Dataset consists of IOCs for malicious programs for which we have not yet obtained a sample that can be subjected to in-house analysis. To populate the Supplemental Datasets our malware team leverages input from over three hundred malware research and threat intelligence sources on a daily basis. Our analysts verify the accuracy of these IOCs using multiple trusted threat intelligence portals and repositories, and by filtering against extensive white lists. When a sample corresponding to a supplemental dataset signature is obtained, it is subjected to in-house analysis. It is then added to the Factory Datasets and removed from the Supplementals Datasets.
In addition to scanning target systems and disk images using the WetStone-provided Factory and Supplemental datasets, Gargoyle Investigator MP can be utilized to discover any file residing on any machine. This is accomplished using custom datasets. Custom datasets are created within Gargoyle MP’s user interface and can be the contents of any folder the user chooses. This allows a user to discover files that may be unique to the user’s investigation, such as proprietary corporate documents, sensitive media files, or custom applications. One may also create a custom dataset as a comma-delimited file. An example of where this may be useful is to support scanning for newly discovered malware signatures or signatures that are available to the user under restricted distribution. The information contained in this file would follow the format: “MD5 hash”, “name assigned by user”, “category assigned by user”.
DATASET RELEASE SCHEDULE
Factory and Supplemental Datasets are scheduled to be released on the 15th of each month, or the next business day when the 15th falls on a weekend or on a WetStone-observed holiday. Access to these releases is an entitlement for customers with an active support agreement or an active term license for the product to which the datasets correspond.