Try   HackMD

Part 1: Observing Virus Detection
Step 0: Antivirus check!
Make sure that you have some form of antivirus installed on your machine. (If you don't have one, you can install any free antivirus (except Malwarebytes, it doesn't work for this lab) Just make sure you're downloading from an official website and not a third-party link.)

Windows: ESET
Mac: BitDefender Virus Scanner
For optimization reasons, popular antivirus tool Malwarebytes has chosen to opt-out of detecting EICAR's testfiles. Malwarebytes is still an excellent antivirus, but if it's what you use, you'll want to download an alternative option for this lab.
Step 1: Observe (harmless) virus files
Okay, let's get some (fake) viruses! Fortunately, the European Institute for Computer Antivirus Research (EICAR) has us covered with their Anti Malware Testfile website.

Be sure to read the text on the download page thoroughly, as it contains important information!
Now it's time to get started:

Download each of the 4 harmless antivirus test files to your own computer (not Azure Labs).
There are 4 files for download to facilitate various scenarios:
eicar.com
eicar.com.txt (The same file as eicar.com, but named differently)
eicar_com.zip (A zip containing eicar.com)
eicarcom2.zip (A zip containing a zip containing eicar.com)
🤔 Why do you think EICAR distributes the same file in four different ways?

Click here for an answer!
After you've downloaded the virus files, your antivirus might react automatically.

If nothing pops up, open your antivirus program and run an antivirus scan.
How did your computer respond to the viruses? Compare with others in the lab! Was it the same or different?
🤔 How do you think your antivirus is able to detect the EICAR files as "dangerous"?
🎯 Checkpoint 1: You should have downloaded the four EICAR files and seen your antivirus detect them.

Step 2: Upload these files to Virus Total
In this next step, we'll upload the files to a virus monitoring website to get more information on how they're detected.

Go to VirusTotal web page.
Upload the files that you have created or downloaded from EICAR.
VirusTotal will analyze the file if it's suspicious. It will also automatically share the results with the security community. You can do this any time you have a file you're unsure of!

💡 TIP: If you can't upload the EICAR file, here's a screenshot of our results:
Feel free to play with VirusTotal. Try uploading some other files and see what their results show up as. What happens if you modify the existing file?

🎯 Checkpoint 2: VirusTotal lets you see whether an uploaded file is marked as malware by a particular anti-virus scanner once you upload it.

🎉 You've completed Part 1 of this lab! 🎉 With whatever time you have left, try to go as far as you can with Part 2!
Part 2: Looking Under the Hood
APIs provide a powerful way to access remote data from within a terminal, script, or other computer program. For this lab's stretch features, we'll learn how to use the VirusTotal API to check out a file on our Ubuntu box through the terminal. Along the way, we'll also learn a little more about how files are recognized using file signatures.

Step 3: Get your API key for Virus Total.
In this step, you will obtain your API key from VirusTotal site. Take note of your API key for this will be used in the following steps.

⚠️ Keep your API key secure at all times! Treat it like a password!
Go to the VirusTotal website.
Either sign in or create a free account.
Once signed in, go to the VirusTotal API key page to access your key.
💡 HINT: The screenshot below shows what your VirusTotal API Key page should look like!
An alternative location of your VirusTotal API key can also be found in your account user menu!
🎯 Checkpoint 3: You should have a 🔑 to VirusTotal's API.

Step 4: Configure vt-cli tool with your API key
Great news you already should have the vt-cli installed on your Azure Labs machine.

Configure the vt-cli tool with your API key:

Sign into your Ubuntu machine
Run the following command:
vt init
Paste in your api key when prompted
VirusTotal will save your key for future use. If you're curious, you can find this config in your home directory (~) in a file called .vt.toml.

Help, I'm getting a command not found error for vt!
💡 HINT: Click here for an example of vt-cli configuration!
🎯 Checkpoint 4: If you run the vt version -v command, you should see the following:

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Step 5: Get your file's signature
It's time to reveal the trick that most antivirus software uses to recognize viruses file signatures. File signatures work using a cryptographic hashing function, which is a fancy piece of math that assigns every input a distinct but predictable output usually called a hash.

What does that mean?

Distinct means that no two different files will produce the same hash.
Predictable means the same file will always produce the same hash.
We can try it out with a command in Ubuntu: sha1sum.

Try using ls to list the files in your current directory, then use sha1sum <filename> to see the SHA1 hash for that given file.
If you want, try creating some different text files and calculating their hash. Changing even one letter will change the result!
Okay, so now let's get the signature for the EICAR testfiles.

Using the wget command, download the EICAR testfiles to Ubuntu:

cd ~ (Go back to your home directory)
wget https://secure.eicar.org/eicar.com
wget https://secure.eicar.org/eicar.com.txt
wget https://secure.eicar.org/eicar_com.zip
wget https://secure.eicar.org/eicarcom2.zip
(If these commands don't work correctly, you can always RDP and open a web browser, then download from the EICAR website as you did in Part 1 but it's often easier to just use wget for quick file downloads!)

Next, use sha1sum to get the hash of each file.

Which ones are the same? Which are different?
🎯 Checkpoint 5: You should be able to see the hashes for each of the four EICAR testfiles.

💡 HINT: Stuck? Click here to see an example of using sha1sum to get hashes!
Step 6: Check if file is malicious using vt-cli
All right, so now let's see if EICAR recognizes these files. To poll the EICAR database, we have to give it a way to look up the file You guessed it, it's the file's hash.

Use the vt file <File Hash Value> command to check each of your files!
Screenshot on vt-cli results

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Now the picture is coming together VirusTotal doesn't store actual malware files (that would be a bad idea), but instead it stores the hashes of malware files. That allows users to check if their file is a virus by comparing its hash with those in the database. In the future, if you download something you're uncertain of, consider using VirusTotal to check it out!

Last changed by 
tiger-dev-hacker
0
33

Read more

Untitled

Step 1: Track who is tracking you onlineInstall or add a browser add-on Disconnect. This add-on is available for Google Chrome, Mozilla Firefox and Opera browsers.

Nov 17, 2023
Lab-8-Setoolkit

Required FeaturesStep 0: Make sure your hosts file is normal!In Lab 4, we had you adding some lines to your hosts file to mess with Google. This lab needs Google to work, so if you didn’t already, make sure you’ve un-done the changes from Lab 4 to your hosts file.

Nov 2, 2023
Untitled

Lab InstructionsStep 0: What is Shodan?What is Shodan?

Oct 27, 2023
Untitled

Step 0: Set upIn this step, we’ll download the folder of images we’ll use in Cyberchef.

Oct 21, 2023
Read more from tiger-dev-hacker
Published on HackMD